
Question

An employee from your organization (not within IT Security) has reached out to you specifically via Microsoft Teams. They have indicated that they are seeing a suspicious prompt and cannot currently access anything on their computer. The prompt is in the form of a text file named RyukReadMe.txt; it appears to be a ransomware note, pictured below.
Ransom email says:
Gentleman!
Your business is at serious risk.
There is a significant hole in your companies security system(s).
We have easily penetrated your network.
You should thank the lord for being hacked by serious people and not some schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are encrypted with the stronges military algorythms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files.
(less than 5mb each, non-archived and your files should not contain valuable information (databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions on how to get the decoder.
Please don't forget to write the name of your company in the subject of yoru e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you an additional +0.5 BTC.
Nothing personal just business.
As soon as we get Bitcoins you'll get your decrypted data back.
Moreover you will get instructions how to close the hole in security and how to avoid problems in the future.
+ we will recommend you special software that makes the most problems to hackers.
Attention! One more time!
Do not rename encrypted files.
Do not try to decrypt your data using 3rd party software.
P.S. Remember, we are not scammers.
We don't need yoru files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples.
contact emails
eliasmarco@tutanota.com
BTC wallet:
15RLWDVnY5n1n7mTvU1zjg67w86dhYqNj
RYUK
No system is safe
As the Senior Specialist, you know that your job is to protect the organization; you are also concerned that this incident may impact any upcoming promotion or move to management. Thus, you are faced with an ethical consideration:
Do you instruct the employee to agree to pay the ransom?
Do you instruct the employee to reboot their computer?
Do you escalate to your manager?
Do you go straight to legal?
What policies or procedures might you refer to?
