Originally Posted By: haertig
I meant those as a sequence of steps to remedy the current problem. e.g., "(1) Take everything offline" is a limited duration step to allow restoring from backups and fixing of security flaws before going back online in step "(5) Carefully open minimal external networking".

I apologize for not being clear; I did understand your meaning.

For many organizations, it's safe to say that they do not believe that they can do this without suffering catastrophic financial losses, losses far greater than those caused directly by the ransomware attack. Whether or not that's actually true is a different story. The reputational hit that comes from a shutdown can also be perceived as being too expensive.