

Ransomware Response Playbook: What to Do in the First 24 Hours

June 24, 2026 · 11 min read · GHS Security Team · Tags: Ransomware, Incident Response, PDPL

Quick Answer

If ransomware hits your organization: do not power down affected systems — isolate them from the network instead. The correct sequence is: Confirm → Isolate → Activate IR team → Preserve evidence → Map blast radius → Check backups → Assess PDPL / SAMA CSF notification obligations → Recover from clean backups.

In Saudi Arabia, ransomware incidents that involve personal data exfiltration trigger PDPL notification obligations to the NDMO. Modern ransomware groups routinely exfiltrate data before encrypting — meaning most ransomware attacks are also data breaches under PDPL.