Ransomware Incident Response Playbook
Last Updated:
Preparation Phase
Required Incident Response Team Roles
- Incident Commander
- Technical Lead
- Communications Lead
- Legal/Compliance Representative
- Executive Sponsor
- External Relations (if needed)
Essential Tools and Resources
- Offline copies of the playbook
- Secure communication channels
- Forensic investigation tools
- System restoration resources
- Contact information for all stakeholders
- Relationship with law enforcement
Detection and Analysis
Initial Indicators of Compromise
- Encrypted files with unusual extensions
- Ransom notes on desktop or as text files
- Unusual system behavior or performance
- Unexpected network traffic
- Antivirus/EDR alerts
- User reports of inaccessible files
Immediate Assessment Steps
- Confirm the Incident: Verify ransomware presence through file samples and system behavior
- Identify Ransomware Variant: Use samples to determine specific strain
- Assess Scope: Determine affected systems, networks, and data
- Document Initial Findings: Record all observations and evidence
- Estimate Business Impact: Evaluate critical systems affected and operational impact
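One way to turn the indicators above and the "Confirm the Incident" step into a repeatable check, as an added example that is not part of this playbook: it walks a read-only mounted share or snapshot and reports note-like filenames, unexpected extensions and high-entropy (likely encrypted) content, giving the Technical Lead numbers to record as initial findings. The note-name fragments, the expected-extension set, the entropy threshold and the sample tree are all constructed assumptions to be tuned to the environment.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover|how_to).*\.(txt|html|hta)$", re.I)
COMMON_EXT = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".csv", ".log", ".db"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed content approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if data else 0.0

def classify_file(path: str, sample_bytes: int = 4096) -> dict:
    """Score one file against three indicators: note-like name, odd extension, entropy."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    return {"path": path,
            "ransom_note": bool(NOTE_PATTERN.search(name)),
            "unusual_ext": os.path.splitext(name)[1].lower() not in COMMON_EXT,
            "entropy": round(shannon_entropy(head), 2)}

def triage_tree(root: str, entropy_threshold: float = 7.5) -> dict:
    """Walk a read-only mount or snapshot and aggregate the indicators for the IR record."""
    summary = {"files": 0, "unusual_ext": 0, "high_entropy": 0, "ransom_notes": []}
    ext_counter = Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            info = classify_file(os.path.join(dirpath, fn))
            summary["files"] += 1
            ext_counter[os.path.splitext(fn)[1].lower()] += 1
            summary["unusual_ext"] += info["unusual_ext"]
            summary["high_entropy"] += info["entropy"] >= entropy_threshold
            if info["ransom_note"]:
                summary["ransom_notes"].append(info["path"])
    summary["top_extensions"] = ext_counter.most_common(3)  # a sudden new leader is the tell
    return summary

def build_sample_tree() -> str:
    """Constructed sample data, not a real incident: one plain doc, three random blobs, one note."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "budget.xlsx").write_bytes(b"quarterly numbers " * 100)
    for i in range(3):  # ".lockd" is a made-up extension standing in for a real variant's
        (root / f"report{i}.docx.lockd").write_bytes(os.urandom(4096))
    (root / "README_DECRYPT.txt").write_text("constructed placeholder note text\n")
    return str(root)
```

Run `triage_tree` against the sample tree (or a real snapshot path) and attach the returned summary to the initial findings; a spike in one previously unseen extension alongside note-like files is the pattern the indicators list describes.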
Containment Strategies
Immediate Containment Actions
- Isolate affected systems from the network
- Disable affected user accounts
- Block relevant IOCs at network boundaries
- Preserve forensic evidence before containment
- Take system memory dumps where possible
- Capture network traffic for analysis
Decision Points
- Criteria for system isolation
- Thresholds for broader network segmentation
- Conditions for complete network shutdown (extreme cases)
- Authorization requirements for containment actions
Eradication and Recovery
Malware Removal Process
- Identify persistence mechanisms
- Remove malware from affected systems
- Verify removal through scanning and monitoring
- Document all removed components for future reference
Recovery Strategy Options
- Clean Rebuild: Wipe and rebuild affected systems
- Restoration from Backups: Verify backup integrity before restoration
- Partial Recovery: Prioritize critical systems first
- Data Reconstruction: When backups are unavailable or compromised
Ransom Payment Considerations
- Legal and regulatory implications
- No guarantee of recovery
- Encourages future attacks
- May fund criminal or terrorist organizations
- Alternative recovery options should be exhausted first
- If considered, involve law enforcement and legal counsel
Post-Incident Activities
Forensic Investigation
- Determine initial access vector
- Identify lateral movement techniques
- Document data exfiltration evidence
- Establish complete timeline of the attack
- Preserve evidence for potential legal proceedings
Lessons Learned Process
- Conduct formal post-incident review
- Document gaps in detection and response
- Update security controls based on findings
- Enhance monitoring for similar attacks
- Revise incident response procedures
- Conduct additional training if needed
Reporting Requirements
- Internal executive briefing
- Customer/partner notifications
- Regulatory reporting obligations
- Law enforcement reporting
- Insurance notification
Communication Templates
Internal Communication
- Initial incident notification
- Status update template
- Recovery progress reports
- Post-incident summary
External Communication
- Customer notification
- Media statement (if required)
- Regulatory disclosure
- Law enforcement engagement