Playbook: Ransomware Response
ID: PB-02
Severity: Critical | Category: Malware / Impact
MITRE ATT&CK: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)
Trigger: EDR alert, User report (ransom note), SIEM (mass file rename/encrypt pattern)
⚠️ CRITICAL: Do NOT pay the ransom. Do NOT negotiate without Legal/CISO approval. Time is critical — every minute counts.
Recovery Priority Order
```mermaid
graph LR
    A["1️⃣ AD/DC"] --> B["2️⃣ DNS/DHCP"]
    B --> C["3️⃣ Critical Servers"]
    C --> D["4️⃣ Business Apps"]
    D --> E["5️⃣ Workstations"]
    style A fill:#ff4444,color:#fff
    style B fill:#ff6600,color:#fff
    style C fill:#ff9900,color:#fff
    style D fill:#ffcc00,color:#000
    style E fill:#88cc00,color:#000
```
Incident Communication Flow
```mermaid
sequenceDiagram
    participant SOC
    participant CISO
    participant Legal
    participant PR
    participant CEO
    SOC->>CISO: 🚨 Ransomware confirmed
    CISO->>Legal: Assess PDPA / regulatory
    CISO->>CEO: BCP activation
    Legal->>CISO: Ransom / notification advice
    CISO->>PR: Prepare statement (if needed)
    PR->>CEO: Approve statement
    SOC->>CISO: Status update every 2h
```
Decision Flow
```mermaid
graph TD
    Alert["🚨 Ransomware Detected"] --> Isolate{"🔌 Isolate IMMEDIATELY"}
    Isolate -->|EDR Available| NetworkIso["Network Isolation via EDR"]
    Isolate -->|EDR Unavailable| Physical["Physically Disconnect"]
    NetworkIso --> Scope["📊 Determine Scope"]
    Physical --> Scope
    Scope --> Single{"Single Host?"}
    Single -->|Yes| Contain["Standard Containment"]
    Single -->|No, Spreading| Activate["🚨 Activate Major IR"]
    Activate --> Segment["Segment Network"]
    Segment --> Shutdown["Shutdown Unaffected Critical Systems"]
    Contain --> Identify["🔍 Identify Strain"]
    Shutdown --> Identify
    Identify --> Decrypt{"Decryptor Available?"}
    Decrypt -->|Yes| DecryptFiles["Attempt Decryption"]
    Decrypt -->|No| Wipe["Wipe & Re-image"]
    DecryptFiles --> Restore["Restore & Validate"]
    Wipe --> Restore
    Restore --> Patch["Patch Entry Vector"]
    Patch --> Reconnect["Reconnect to Network"]
```
1. Analysis (First 15 Minutes)
| Check | How | Done |
|---|---|---|
| Ransom note present? | Check the Desktop and affected folders; notes are normally dropped into every encrypted directory | ☐ |
| File extensions changed? | Look for appended extensions such as .encrypted, .locked, .crypt; the exact extension is strain-specific | ☐ |
| Shadow copies deleted? | Run `vssadmin list shadows`; also check process logs for `vssadmin delete shadows`, `wmic shadowcopy delete` or `bcdedit /set {default} recoveryenabled no` (T1490) | ☐ |
| Encryption still active? | Watch file-system telemetry (EDR, Sysmon Event ID 11) for an ongoing stream of renames/writes; if it is still running, isolate first and investigate afterwards | ☐ |
1.2 Scope Assessment
| Check | How | Done |
|---|---|---|
| Number of affected hosts | SIEM query for the same alert and IoCs across the estate | ☐ |
| Network shares encrypted? | Check SMB/CIFS share contents and file-server audit logs to find which client encrypted the share; the file server itself is usually not the infected host | ☐ |
| Lateral movement evidence? | RDP/SMB/WMI/PsExec logs from the affected host, inbound and outbound | ☐ |
| Data exfiltrated before encryption? | Firewall/DLP logs for large outbound transfers in the days before encryption; exfiltration before encryption (double extortion) is common and changes the notification picture | ☐ |
| Backup integrity | Verify offline/immutable backups are intact and were not deleted or encrypted; do not reconnect backup infrastructure to the affected network until it has been cleared | ☐ |
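The checks in the two tables above are normally run as SIEM queries. The following is an added example, not part of the original playbook: the same logic in Python over constructed endpoint telemetry. It flags T1490 recovery-inhibition command lines, detects the mass-rename burst that the SIEM trigger refers to, counts writes to UNC shares, decides whether encryption is still running, and lists the hosts that need isolation now. The event schema (`ts`/`host`/`event`/`cmdline`/`path`), the thresholds and the sample hosts are assumptions.

```python
"""Triage over normalised endpoint telemetry for the first-15-minutes checks:
T1490 recovery-inhibition commands, mass-rename bursts, ransom notes, and a
per-host scope summary. Added example with constructed sample data; the field
names are an assumed SIEM schema, not a specific product's."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions appended by common strains; the real one is strain-specific, extend per case.
RANSOM_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
# Ransom-note filenames (README.txt, HOW_TO_DECRYPT.hta, RESTORE-FILES.txt ...). Heuristic.
RANSOM_NOTE_RE = re.compile(r"(readme|how[_ -]?to|restore|recover|decrypt)[^\\/]*\.(txt|html|hta)$", re.I)
# T1490 command lines: shadow copy deletion, backup catalog wipe, recovery disabled.
T1490_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
RENAME_THRESHOLD = 50            # ransom-extension file events per window => mass rename (assumed)
WINDOW = timedelta(seconds=60)


def classify_event(ev: dict) -> set[str]:
    """Tag one event: 't1490', 'ransom_ext', 'share_write', 'ransom_note' (any subset)."""
    tags: set[str] = set()
    if ev["event"] == "process":
        if any(p.search(ev.get("cmdline", "")) for p in T1490_PATTERNS):
            tags.add("t1490")
    elif ev["event"] == "file":
        path = ev.get("path", "")
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RANSOM_EXTENSIONS:
            tags.add("ransom_ext")
            if path.startswith("\\\\"):        # UNC path: encryption is reaching a share
                tags.add("share_write")
        if RANSOM_NOTE_RE.search(name):
            tags.add("ransom_note")
    return tags


def mass_rename_burst(times: list[datetime], threshold: int = RENAME_THRESHOLD,
                      window: timedelta = WINDOW) -> bool:
    """Sliding window: True if at least `threshold` ransom-extension events fall within `window`."""
    ts = sorted(times)
    left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def triage(events: list[dict]) -> dict:
    """Per-host findings plus the list of hosts that need containment now."""
    if not events:
        return {"affected_hosts": [], "hosts": {}}
    newest = max(datetime.fromisoformat(e["ts"]) for e in events)   # "now" for the dataset
    per_host = defaultdict(lambda: {"t1490": [], "notes": [], "times": [], "share": 0})
    for ev in events:
        tags, h = classify_event(ev), per_host[ev["host"]]
        if "t1490" in tags:
            h["t1490"].append(ev["cmdline"])
        if "ransom_note" in tags:
            h["notes"].append(ev["path"])
        if "ransom_ext" in tags:
            h["times"].append(datetime.fromisoformat(ev["ts"]))
        if "share_write" in tags:
            h["share"] += 1
    hosts = {}
    for host, h in per_host.items():
        burst = mass_rename_burst(h["times"])
        hosts[host] = {
            "shadow_copy_tampering": h["t1490"],
            "ransom_notes": h["notes"],
            "ransom_ext_files": len(h["times"]),
            "share_writes": h["share"],
            "mass_rename_burst": burst,
            # Still encrypting if the newest ransom-ext write is within one window of "now".
            "still_encrypting": bool(h["times"]) and newest - max(h["times"]) <= WINDOW,
            "affected": bool(h["t1490"] or h["notes"] or burst),
        }
    return {"affected_hosts": sorted(k for k, v in hosts.items() if v["affected"]), "hosts": hosts}


def constructed_sample_events() -> list[dict]:
    """Constructed telemetry (not from a real incident): one host encrypting locally and on
    a share, one with a few stray .locked files, one clean host running `vssadmin list`."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    ev = [{"ts": base.isoformat(), "host": "WS-0123", "event": "process",
           "cmdline": "vssadmin.exe delete shadows /all /quiet"}]
    for i in range(120):                       # 120 renames in ~40 s, every third one on a share
        folder = "\\\\SRV-FILE01\\finance\\" if i % 3 == 0 else "C:\\Users\\jdoe\\Documents\\"
        ev.append({"ts": (base + timedelta(seconds=1 + i // 3)).isoformat(), "host": "WS-0123",
                   "event": "file", "path": f"{folder}doc{i}.xlsx.locked"})
    ev.append({"ts": (base + timedelta(seconds=45)).isoformat(), "host": "WS-0123",
               "event": "file", "path": "C:\\Users\\jdoe\\Desktop\\README_TO_RESTORE.txt"})
    for i in range(3):                         # WS-0200: stray files copied an hour earlier only
        ev.append({"ts": (base - timedelta(hours=1, seconds=i)).isoformat(), "host": "WS-0200",
                   "event": "file", "path": f"C:\\temp\\old{i}.docx.locked"})
    ev.append({"ts": (base + timedelta(seconds=10)).isoformat(), "host": "WS-0300",
               "event": "process", "cmdline": "vssadmin.exe list shadows"})   # benign: not a delete
    return ev


if __name__ == "__main__":
    result = triage(constructed_sample_events())
    print("Isolate now:", result["affected_hosts"])
```

Tune `RENAME_THRESHOLD` and `WINDOW` to the estate: backup agents, migrations and bulk archive jobs also produce rename bursts, and only the ransom-extension filter keeps those out of the burst count here. A host such as WS-0200, which merely holds a few encrypted files copied from a share, is reported but not queued for isolation; it still belongs in the scope list for section 1.2.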
1.3 Strain Identification
| Method | Tool |
|---|---|
| Ransom note text | ID Ransomware |
| Encrypted file sample | No More Ransom |
| File hash (malware binary) | VirusTotal, ThreatFox (look the hash up before uploading the sample; a public submission can tip off the operator) |
| C2 domain/IP | TI feeds, OSINT |
2. Containment
| # | Action | Tool | Done |
|---|---|---|---|
| 1 | Network isolate all affected hosts; prefer isolation over powering off, since memory may still hold keys and attacker artefacts | EDR | ☐ |
| 2 | Disable affected user and service accounts, including the account the encryption process ran as | AD / IdP | ☐ |
| 3 | Block C2 IPs/domains at firewall | Firewall | ☐ |
| 4 | Block malware hash across all endpoints | EDR | ☐ |
| 5 | Disable RDP/SMB if spreading laterally | GPO / Firewall | ☐ |
2.2 If Spreading (Major Incident)
| # | Action | Done |
|---|---|---|
| 1 | Activate Major Incident Response plan | ☐ |
| 2 | Segment network (isolate affected VLAN) | ☐ |
| 3 | Shut down critical servers pre-emptively | ☐ |
| 4 | Disable domain-wide SMBv1 | ☐ |
| 5 | Notify CISO, Legal, and executive team | ☐ |
3. Eradication & Recovery
3.1 Eradication
| # | Action | Done |
|---|---|---|
| 1 | Wipe & re-image: do NOT attempt to clean. Capture forensic images and memory from representative hosts first, and rebuild even when a decryptor recovered the files | ☐ |
| 2 | Remove persistence mechanisms (scheduled tasks, services, registry run keys, WMI subscriptions) on any system that is not re-imaged | ☐ |
| 3 | Scan all connected systems for dormant payloads | ☐ |
| 4 | Reset all potentially compromised credentials; if a domain controller was touched, reset krbtgt twice and rotate service-account and local administrator passwords | ☐ |
3.2 Recovery
| # | Action | Done |
|---|---|---|
| 1 | Restore from last known good backup (offline/immutable) dated before the initial access, not merely before encryption; attackers commonly dwell for days before detonating | ☐ |
| 2 | Validate restored data integrity (hash comparison against a pre-incident manifest) | ☐ |
| 3 | Patch the entry vector (RDP, VPN, phishing gap) before anything is reconnected | ☐ |
| 4 | Re-enable network connectivity in stages, following the recovery priority order | ☐ |
| 5 | Monitor recovered systems for 72 hours | ☐ |
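Recovery step 2, the hash comparison, as an added example rather than the playbook's own tooling: a baseline SHA-256 manifest in `sha256sum` layout, stored with the immutable backup set, is compared against the restored tree, and a restore that still carries ransomware extensions is rejected outright. The manifest format, the sample files, and the rule that extra files are reported but do not fail the restore are assumptions.

```python
"""Restore validation: hash the restored tree, compare it with a pre-incident SHA-256
manifest, and refuse a restore that still carries ransomware artefacts.
Added example; the manifest layout ("<hex>  <path>" per line, as sha256sum writes it)
and the sample files are assumptions."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

RANSOM_EXTENSIONS = {".encrypted", ".locked", ".crypt"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large restores need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def format_manifest(manifest: dict[str, str]) -> str:
    """Serialise in sha256sum layout so the baseline can also be checked with standard tools."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum layout; tolerates the '*' binary-mode marker and blank lines."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        out[rel.lstrip("*").strip()] = digest.lower()
    return out


def validate_restore(restored_root: Path, manifest: dict[str, str]) -> dict:
    """Compare a restored tree with the trusted baseline.

    modified/missing files fail the restore (wrong or incomplete backup set);
    tainted files (ransomware extensions) fail it (backup taken after encryption began);
    extra files are reported but do not fail it (logs, temp files)."""
    restored = build_manifest(restored_root)
    modified = sorted(p for p, d in manifest.items() if p in restored and restored[p] != d)
    missing = sorted(p for p in manifest if p not in restored)
    extra = sorted(p for p in restored if p not in manifest)
    tainted = sorted(p for p in restored if Path(p).suffix.lower() in RANSOM_EXTENSIONS)
    return {"ok": not (modified or missing or tainted), "checked": len(restored),
            "modified": modified, "missing": missing, "extra": extra, "tainted": tainted}


def constructed_demo() -> dict:
    """Constructed baseline plus one clean and one deliberately flawed restore (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, restored = Path(tmp, "golden"), Path(tmp, "restored")
        files = {"finance/q1.xlsx": b"quarterly numbers", "finance/q2.xlsx": b"more numbers",
                 "hr/policy.docx": b"policy text"}
        for rel, data in files.items():
            for root in (golden, restored):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # The baseline round-trips through the text format, as it would when read from the backup set.
        manifest = parse_manifest(format_manifest(build_manifest(golden)))
        clean = validate_restore(golden, manifest)
        # Damage the second restore: one altered file, one missing, ransomware leftovers present.
        (restored / "finance/q2.xlsx").write_bytes(b"tampered")
        (restored / "hr/policy.docx").unlink()
        (restored / "finance/q3.xlsx.locked").write_bytes(b"ciphertext")
        (restored / "README_TO_RESTORE.txt").write_bytes(b"pay us")
        return {"clean": clean, "flawed": validate_restore(restored, manifest)}


if __name__ == "__main__":
    print(constructed_demo())
```

The manifest has to predate the incident and live with the immutable backup set; a manifest generated after the attacker had access proves nothing, because they could have regenerated it alongside the tampered data. Tainted files fail the restore rather than merely being reported, because their presence means the backup was taken after encryption began and an earlier restore point is needed.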
4. Notification & Legal
| Stakeholder | When | Channel |
|---|---|---|
| SOC Lead / Manager | Immediately | Chat + Phone |
| CISO | Within 30 minutes | Phone |
| Legal / Compliance | Within 1 hour | Email + Phone |
| CEO / Board (if major) | Within 4 hours | Briefing |
| Regulatory (PDPA/GDPR) | Within 72 hours of confirming a notifiable personal-data breach | Official notification |
| Law enforcement | As directed by Legal | Official channels |
⚠️ Do NOT communicate details on potentially compromised channels (email may be monitored by attacker).
5. IoC Collection
| Type | Value | Source |
|---|---|---|
| Malware Binary Hash | | EDR / Forensics |
| Ransom Note Filename | | Affected host |
| Encrypted File Extension | | Affected host |
| C2 IP/Domain | | Network logs |
| Initial Access Vector | | Investigation |
| Lateral Movement Tool | | EDR logs |
6. Post-Incident
3-2-1 Backup Strategy
```mermaid
graph TD
    Backup["💾 3-2-1 Backup"] --> Three["📋 3 copies"]
    Three --> Two["🗄️ 2 media types"]
    Two --> One["☁️ 1 offsite/air-gapped"]
    One --> Test["🧪 Test restore monthly"]
    Test --> Immutable["🔒 Immutable backup"]
    style Backup fill:#3498db,color:#fff
    style Immutable fill:#27ae60,color:#fff
```
Ransom Payment Decision
```mermaid
graph TD
    Pay{"💰 Pay ransom?"} -.->|⚠️ Not recommended| Risks["❌ Risks"]
    Pay --> Legal["⚖️ Legal consult"]
    Risks --> R1["No decryption guarantee"]
    Risks --> R2["Funds criminal operations"]
    Risks --> R3["May be targeted again"]
    Legal --> CISO["🧑‍💼 CISO decides"]
    CISO --> Recovery["♻️ Recovery Plan"]
    style Pay fill:#e74c3c,color:#fff
    style Risks fill:#c0392b,color:#fff
    style Recovery fill:#27ae60,color:#fff
```
Detection Rules (Sigma)
References