Use case
Ransomware response and forensic investigation.
Once the encryption is contained, counsel and the regulator both need a defensible answer to two separate questions: what was accessed, and what was exfiltrated. We build that record.

Signs you may need this
Common indicators we hear from counsel and corporate clients.
- Files encrypted with an unfamiliar extension
- Ransom note found on systems or printers
- Servers or shares offline unexpectedly
- Backup systems also encrypted or deleted
- Threat actor demanding payment
Scope of this work
What we cover and what we typically find.
- The attacker's path through the environment: initial access vector, persistence mechanisms, lateral movement, and privilege escalation.
- Data accessed versus data exfiltrated as separate determinations, each with its own evidence threshold.
- Volume and content of exfiltration, established from firewall logs, EDR telemetry, cloud audit logs, and, where available, leak-site monitoring.
- Actor attribution where tradecraft, infrastructure, or ransomware variant ties back to a known group or campaign.
- Failure modes that allowed the attack: unpatched systems, weak credentials, missing MFA, exposed services.
How we approach it
A defensible, repeatable process.
1. Triage and scoping with counsel and the panel firm. We agree on the matter, the scope of forensic work, and the deliverable. Engagements taken through counsel are structured to support a litigation-privilege claim.
2. Evidence preservation. We preserve all relevant endpoints, servers, cloud audit logs, email archives, and network logs immediately, before hosts are reimaged or restored from backup, since rebuilding a system destroys the artifacts on it. Speed matters because cloud audit-log retention windows are short.
3. Scope of compromise analysis. We reconstruct the attacker's path through the environment using the preserved evidence and document each stage with cited artifacts.
4. Exfiltration analysis. We separate access from exfiltration. The PIPEDA "real risk of significant harm" determination depends on this distinction.
5. Regulator-ready report. The deliverable is a written report structured for notification to the OPC (Office of the Privacy Commissioner of Canada) and any provincial filing, with counsel review.
What we deliver
Concrete outputs from a typical engagement.
- 01 Immediate scoping and containment guidance
- 02 Forensic preservation of affected systems
- 03 Initial-access and lateral-movement timeline
- 04 Breach notification and regulator-ready report
- A preserved evidence set covering all in-scope endpoints and logs.
- A written incident report covering scope, timeline, exfiltration assessment, and attribution where supportable.
- A regulator-ready summary suitable for federal OPC and provincial OIPC notification.
- Affidavit support if the matter moves to litigation or regulatory enforcement.
- A chain-of-custody record from intake through archive.
Services typically engaged
Forensic services we draw on for this scenario.
Common questions
Ransomware Response questions we hear most.
Should we pay the ransom?
That is a decision for counsel, the insurer, and the executive team, not for the forensic team. We provide the forensic record that informs the decision (what was actually exfiltrated, whether the actor's leak-site claims appear credible, what the regulatory exposure looks like).
How do you separate access from exfiltration?
Through firewall and proxy logs (outbound byte counts and destinations), EDR telemetry (archive tooling, sync clients, file-creation events), cloud audit logs, and direct evidence on endpoints (large outbound transfers, archive creation, staging directories). Each piece of evidence carries different weight: an outbound volume spike corroborated by staging activity on the same host is a high-confidence finding, while either signal alone is an inference. The report distinguishes the two, and where egress logging did not cover a host at all it records that as a coverage gap rather than as absence of exfiltration.
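The triage logic the answer above describes, as an added example that is not the firm's own tooling. It reads constructed firewall and EDR records (the log formats, the staging-tool list, the 500 MB threshold, the six-hour correlation window and the internal address ranges are all assumptions for the example) and sorts each host into a corroborated finding, a volume-only inference, or an egress-log coverage gap:

```python
"""Separate corroborated exfiltration from inference and from log-coverage gaps.

Added example, not the firm's tooling. Sample records below are constructed.
Firewall rows: ts,src,dst,dst_port,bytes_out. EDR rows: ts,host,ip,event.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; the analyst supplies the real ones for the environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed list of archivers and sync clients that commonly appear in staging.
STAGING_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "rclone.exe", "megasync.exe"}
ARCHIVE_EXT = (".7z", ".zip", ".rar")

# Constructed egress records: FS01 pushes ~2.4 GB to one external host overnight,
# 10.20.3.8 pushes 1.2 GB over port 22, 10.20.1.22 is normal browsing volume.
FIREWALL_LOG = """
2024-05-02T01:10:05Z,10.20.1.15,203.0.113.9,443,842000000
2024-05-02T01:25:41Z,10.20.1.15,203.0.113.9,443,910000000
2024-05-02T01:40:03Z,10.20.1.15,203.0.113.9,443,655000000
2024-05-02T02:02:17Z,10.20.3.8,198.51.100.77,22,1200000000
2024-05-02T08:15:00Z,10.20.1.15,10.20.0.5,445,300000000
2024-05-02T09:30:12Z,10.20.1.22,203.0.113.40,443,1500000
"""

# Constructed EDR events: FS01 stages an archive and runs rclone; WS17 stages an
# archive but has no firewall rows at all (egress logging did not cover it).
EDR_LOG = r"""
2024-05-02T00:52:10Z,FS01,10.20.1.15,process:7z.exe a C:\Temp\hr.7z \\FS01\HR
2024-05-02T00:58:33Z,FS01,10.20.1.15,file_create:C:\Temp\hr.7z
2024-05-02T01:05:00Z,FS01,10.20.1.15,process:rclone.exe copy C:\Temp\hr.7z mega:exfil
2024-05-02T03:10:00Z,WS17,10.20.4.41,process:7z.exe a C:\Users\Public\fin.7z D:\Finance
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": parse_ts(ts), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return rows


def parse_edr(text):
    rows = []
    for line in text.strip().splitlines():
        ts, host, ip, event = line.split(",", 3)  # event text may contain spaces and colons
        rows.append({"ts": parse_ts(ts), "host": host, "ip": ip, "event": event})
    return rows


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_staging(event):
    """True for archiver/sync-client launches or archive file creation."""
    kind, _, detail = event.partition(":")
    if kind == "process":
        return detail.split()[0].lower() in STAGING_TOOLS
    if kind == "file_create":
        return detail.lower().endswith(ARCHIVE_EXT)
    return False


def triage(fw_text, edr_text, threshold=500_000_000, window=timedelta(hours=6)):
    """Return {host_ip: finding}; hosts below threshold with no staging are omitted."""
    egress = defaultdict(lambda: {"bytes": 0, "dsts": set(), "first": None})
    hosts_with_egress = set()  # any firewall row at all, so we can tell gaps from quiet hosts
    for r in parse_firewall(fw_text):
        hosts_with_egress.add(r["src"])
        if is_internal(r["dst"]):
            continue  # east-west traffic is lateral-movement evidence, not exfiltration
        e = egress[r["src"]]
        e["bytes"] += r["bytes"]
        e["dsts"].add(r["dst"])
        if e["first"] is None or r["ts"] < e["first"]:
            e["first"] = r["ts"]

    staging = defaultdict(list)
    for ev in parse_edr(edr_text):
        if is_staging(ev["event"]):
            staging[ev["ip"]].append(ev)

    findings = {}
    for src, e in egress.items():
        if e["bytes"] < threshold:
            continue
        corroborating = [ev for ev in staging.get(src, [])
                         if e["first"] - window <= ev["ts"] <= e["first"] + window]
        findings[src] = {
            "confidence": "high" if corroborating else "inferred",  # volume alone is an inference
            "external_bytes": e["bytes"],
            "destinations": sorted(e["dsts"]),
            "staging_events": [ev["event"] for ev in corroborating],
        }
    for ip, evs in staging.items():
        if ip in findings:
            continue
        findings[ip] = {
            "confidence": "inferred" if ip in hosts_with_egress else "coverage_gap",
            "external_bytes": egress[ip]["bytes"] if ip in egress else 0,
            "destinations": sorted(egress[ip]["dsts"]) if ip in egress else [],
            "staging_events": [ev["event"] for ev in evs],
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(FIREWALL_LOG, EDR_LOG).items()):
        print(host, f["confidence"], f["external_bytes"], f["destinations"])
```

Run against the constructed records, 10.20.1.15 comes out as a high-confidence finding (2.4 GB to one external host, bracketed by archive creation and an rclone run), 10.20.3.8 as an inference from volume alone, and 10.20.4.41 as a coverage gap: staging activity on a host for which no egress record exists at all. That last category is the one a report must state explicitly, because "no transfer seen" on an unlogged host is not evidence of no transfer.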
Does PIPEDA require notification for every ransomware event?
Only when personal information was involved and the breach poses a "real risk of significant harm" to affected individuals. Many ransomware events involve personal information, but not every event meets the harm threshold. The forensic determination is what supports the decision either way.
How quickly can you start?
Within hours of engagement during business days. Cloud log retention windows are short, so we begin preservation immediately and scope in parallel.
Can you work with our existing cyber insurance panel firm?
Yes. We have worked alongside panel firms on multiple ransomware matters. The roles are complementary: the panel firm focuses on containment and recovery, and we focus on the defensible forensic record.
Related scenarios
Other use cases that often arise alongside this one.
Need a defensible forensic record after a ransomware event?
Tell us about the incident and the existing IR setup. Our team will reach out as soon as possible.
