If you're going to offer a reward, I suggest making it conditional on revealing how they got in.

(This also assumes you're able to contact the person who sent the e-mail.)

You agree with your parent comment. Making A conditional on B means B is required (though, depending on exact semantics, not necessarily sufficient) for A. A requires at least B.

So: B would be obligatory, given A.

I mean don't pay someone for breaking into your system and not telling you how they did it. Pay them only if they provide you with some useful information that can help you fix the problem.

In this case, the payment is conditional on revealing the method: that is, unless the method is revealed (condition met) the payment will not be made.

Didn't you read the LastPass thread? If the hacker can take down your company, you have to offer them a reward equal to the value of your company.

Apparently not, since I'm not sure what you are referring to (which means I also can't tell if it's sarcasm, which it looks like it might be?).

That said, I only mentioned payment in the case where the anonymous sender seemed to be helpful, in that they provided the way the server was infiltrated (presumably in an effort to allow it to be fixed). I didn't mention how much money to offer, or what to do at all in the case where it appears to be the beginning of a shakedown, other than to note that it's naive to assume you can rid yourself of them by just dealing with the one server referenced.

Edit: Ah, found the LastPass submission. Definitely sarcasm. ;)

You are forgetting some externalities re: value of being legitimate vs. criminal (e.g. contracts vs. ransom, legit money vs. tainted money, morality, fame, etc).

Not really. The hacker wants to get the most money from you possible, but also an amount that you are realistically able to provide otherwise he/she gets nothing. The maximum amount a company can realistically pay is probably much less than the total value of the company.

Unfortunately, it's the later - no details of exploit, just a proof.

If this comes to ransom, rather than unethical/unexperienced gray hat thing, are there any good steps to take? Or hiring an expert consultancy is probably the only good option here?

I can't comment on the correct approach in that case, I'm under qualified. I would urge you to make sure you have good backups in a location that can't be compromised (as in, you won't wake up tomorrow to fine them all deleted). If your system already supports this, all the better. Keep in mind the worst case scenario here is that every production server is wiped, which is essentially close to the situation of a natural disaster at the site they are housed. If you don't have a plan on how to deal with a situation like this (disaster recovery/business continuity plans), such as redeploying to the cloud or to a different cloud, or a different datacenter, then that's a thought for the future (and the present if you have time).

I assume a professional computer security firm could help, but I don't know enough about the incentives at play to know whether that's good in practice (if they often deal with situations like this and not just hardening/forensics, I assume they would have good advice). I have no idea what that costs, and whether your business can afford it.

Total data loss isn't the worst case scenario, in my opinion. Quietly interacting with your site, contacting your customers to abuse their trust in you, etc.

I would recommend taking your oldest backup offline and storing it indefinitely, in case later backups are corrupted. Make sure you turn on verbose firewall logging as well.

Actually it's reasonable that this person haven't given you the details. If he disclosed specific way he got in you'd probably patch it and carry on. Then he'd probably find another way to get in, disclosed it too, you'd patch it and it could turn into full-time (low/un)paid job for him. Not to mention that all of the holes found by him could earlier be exploited by someone else who could left something on your server.

By sending just the proof he forces you to reconsider your approach to security and start from clean state.

Does the e-mail (appear to) give you a way to contact the person who sent it?

I'm not saying you should or shouldn't, but several comments have suggested contacting this person; it's not clear that that's even possible.

Please listen to this advise. Having the proof or maybe only some hints is very important. That might sound far etched but this anonymous person could very well be an insider employee trying to blackmail your company for personal reasons.

"or, if you prefer to remain anonymous, to your chosen 501(c)3 charity."

If it's blackmail then I doubt paying them would effectivly deal with the problem. Hire an expert / contact authorities depending on the circumstances.

Key here is that you need to figure out how they got in. Then negotiate terms to have them back off. Either way, they're probably being nice about it if they haven't simply 'rm -rf /'d you.

> if they haven't simply 'rm -rf /'d you.

Or dd if=/dev/urandom of=/dev/sda1 bs=8M

Side topic: Have you ever done this just for fun on an old system or vm? It actually stops pretty early on once it starts into /dev - removing everything actually takes a little more work.