COSMICBYTEZLABS

Incident Response Playbook: Ransomware

Complete ransomware incident response playbook following NIST framework. Covers detection, containment, eradication, recovery, and lessons learned.

Dylan H.

Security Operations

February 3, 2026
11 min read

Prerequisites

  • Understanding of incident response fundamentals
  • Access to security monitoring tools (SIEM, EDR)
  • Familiarity with forensic concepts
  • Established IR team and communication channels

Overview

Ransomware attacks continue to be one of the most devastating cyber threats, capable of crippling organizations within hours. This playbook provides a structured approach to ransomware incident response, following the NIST Cybersecurity Framework and industry best practices.

Who Should Use This Playbook:

  • Incident Response (IR) teams responding to active incidents
  • Security Operations Center (SOC) analysts
  • IT administrators handling security events
  • CISOs and security leaders developing IR procedures

NIST Incident Response Lifecycle:

┌────────────────────────────────────────────────────────────────────┐
│                    NIST IR Lifecycle                                │
├────────────────────────────────────────────────────────────────────┤
│                                                                    │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐         │
│  │  Preparation │───▶│  Detection & │───▶│ Containment, │         │
│  │              │    │   Analysis   │    │ Eradication, │         │
│  │              │    │              │    │  & Recovery  │         │
│  └──────────────┘    └──────────────┘    └──────┬───────┘         │
│         ▲                                        │                 │
│         │         ┌──────────────┐               │                 │
│         └─────────│Post-Incident │◀──────────────┘                 │
│                   │  Activity    │                                 │
│                   └──────────────┘                                 │
│                                                                    │
└────────────────────────────────────────────────────────────────────┘

Severity Classification:

| Severity | Criteria | Response Time |
|---|---|---|
| Critical | Production systems encrypted, business stopped | Immediate (24/7) |
| High | Significant systems affected, spreading | < 1 hour |
| Medium | Limited scope, contained to segment | < 4 hours |
| Low | Single endpoint, no spread | < 24 hours |

Phase 1: Detection and Identification

Initial Detection Sources

Common Ransomware Indicators:

| Source | Indicator | Priority |
|---|---|---|
| EDR Alert | Ransomware behavior detected | Critical |
| User Report | Files encrypted, ransom note | Critical |
| SIEM Alert | Mass file encryption activity | Critical |
| AV Alert | Known ransomware signature | High |
| File Server | Unusual file extension changes | High |
| Backup System | Backup deletion attempts | High |
| Network Monitor | C2 communication detected | High |

Initial Triage Checklist:

□ Confirm this is ransomware (not false positive)
□ Identify affected systems (hostname, IP, user)
□ Determine ransomware variant if possible
□ Assess current scope (endpoints, servers, segments)
□ Check if attack is active or completed
□ Identify any ransom notes or communications
□ Document initial timeline of events

Ransomware Identification

Collect Ransom Note:

# Search for common ransom note filenames
$ransomNotes = @(
    "*README*.txt", "*DECRYPT*.txt", "*RESTORE*.txt",
    "*HOW_TO*.txt", "*HELP*.txt", "*.hta"
)
 
foreach ($pattern in $ransomNotes) {
    Get-ChildItem -Path "C:\" -Filter $pattern -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table
}

Identify Ransomware Family:

  1. ID Ransomware: https://id-ransomware.malwarehunterteam.com/
  2. No More Ransom: https://www.nomoreransom.org/
  3. Upload encrypted file sample + ransom note
  4. Document identified variant and known decryptors

Collect Encrypted File Sample:

# Find recently modified encrypted files
Get-ChildItem -Path "C:\Users" -Recurse -File -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
Where-Object { $_.Extension -match "\.(encrypted|locked|crypt|enc)$" } |
Select-Object -First 5 FullName, Extension, LastWriteTime
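The query above only matches extensions it already knows. The following is an added example (not part of the original playbook) that groups everything modified in the last `$HoursBack` hours by extension so an unfamiliar appended extension surfaces on its own, then hashes the chosen sample and ransom note so the submission to ID Ransomware is documented. `$ScanRoot`, `$HoursBack`, `$Top`, the list of "expected" extensions and the manifest path are assumptions for this example.

```powershell
# Added example, not the playbook's own code. Assumed parameters: $ScanRoot, $HoursBack, $Top, $OutFile.
function Get-RecentExtensionSummary {
    param(
        [string]$ScanRoot = "C:\Users",
        [int]$HoursBack = 24,
        [int]$Top = 10
    )
    $since = (Get-Date).AddHours(-$HoursBack)
    # Extensions that legitimately churn all day; everything else is reported (assumed list).
    $expected = @('.txt', '.docx', '.xlsx', '.pptx', '.pdf', '.jpg', '.png', '.log', '.tmp', '.dat')
    Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -and $expected -notcontains $_.Extension.ToLower() } |
        Group-Object { $_.Extension.ToLower() } |
        Sort-Object Count -Descending |
        Select-Object @{N='Extension'; E={ if ($_.Name) { $_.Name } else { '(none)' } }}, Count,
                      @{N='Example'; E={ $_.Group[0].FullName }} -First $Top
}

# Hash the sample and the note before they leave the host, so the submitted
# artefacts can be tied back to the evidence set later.
function New-SampleManifest {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$OutFile = "C:\IR-samples-manifest.csv"
    )
    $rows = foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        [pscustomobject]@{
            File         = $item.FullName
            SizeBytes    = $item.Length
            LastWrite    = $item.LastWriteTime.ToString('o')
            SHA256       = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

# Usage on the affected host:
# Get-RecentExtensionSummary | Format-Table -AutoSize
# New-SampleManifest -Path '<encrypted-file>', '<ransom-note>'
```

An extension that appears hundreds of times in the summary but never before on that host is the strongest identification lead; the manifest row for the sample goes into the incident record alongside the variant the lookup services return.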

Phase 2: Containment

Immediate Containment Actions

CRITICAL: Within First 15 Minutes

┌─────────────────────────────────────────────────────────────────┐
│              IMMEDIATE CONTAINMENT ACTIONS                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. ISOLATE affected systems from network                       │
│     - Disable network adapter (don't power off)                 │
│     - Block at switch port / firewall                          │
│     - Quarantine in EDR                                         │
│                                                                 │
│  2. PRESERVE evidence                                           │
│     - Do NOT shut down systems (memory forensics)              │
│     - Take screenshots of ransom notes                         │
│     - Document all actions with timestamps                     │
│                                                                 │
│  3. PROTECT backup systems                                      │
│     - Disconnect backup infrastructure                          │
│     - Verify backup integrity                                   │
│     - Air-gap critical backups                                  │
│                                                                 │
│  4. ALERT key stakeholders                                      │
│     - IR team lead                                              │
│     - IT management                                             │
│     - Legal/Compliance (if required)                           │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Network Isolation Commands:

# PowerShell - Disable network adapters (preserves memory)
Get-NetAdapter | Disable-NetAdapter -Confirm:$false
 
# Windows - Isolate via Windows Firewall
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="IR-Block-All" dir=out action=block
netsh advfirewall firewall add rule name="IR-Block-In" dir=in action=block
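Disabling the adapter is the right call, but it discards the live connection table a responder will want a few minutes later. The following is an added example (not part of the original playbook) that snapshots the volatile network state to disk first, logs the action with a timestamp, and only then cuts the network. `$OutputDir` and the `-FirewallOnly` switch are assumptions for this example. Run it from the console or an EDR live-response shell: a remote session dies when the adapter goes down.

```powershell
# Added example, not the playbook's own code. Assumed: $OutputDir, -FirewallOnly.
function Invoke-HostIsolation {
    param(
        [string]$OutputDir = "C:\IR-Isolation-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
        [switch]$FirewallOnly
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $log = Join-Path $OutputDir 'actions.log'
    "$((Get-Date).ToString('o')) $env:COMPUTERNAME isolation started by $env:USERNAME" | Add-Content -Path $log

    # 1. Capture what the host is talking to right now, with the owning process name.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{N='Process'; E={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
        Export-Csv -Path (Join-Path $OutputDir 'tcp-connections.csv') -NoTypeInformation
    Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MacAddress, LinkSpeed |
        Export-Csv -Path (Join-Path $OutputDir 'adapters.csv') -NoTypeInformation
    Get-NetIPAddress -ErrorAction SilentlyContinue | Select-Object InterfaceAlias, IPAddress, PrefixLength |
        Export-Csv -Path (Join-Path $OutputDir 'ip-addresses.csv') -NoTypeInformation
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Export-Csv -Path (Join-Path $OutputDir 'dns-cache.csv') -NoTypeInformation

    # 2. Cut the network while keeping the host powered on (memory is preserved).
    if ($FirewallOnly) {
        # Stopgap when the adapter must stay up: default-block in both directions.
        # Existing explicit allow rules still match, so review them; this is weaker than disabling the adapter.
        netsh advfirewall set allprofiles state on | Out-Null
        netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
        "$((Get-Date).ToString('o')) firewall default policy set to block/block" | Add-Content -Path $log
    } else {
        $up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
        $up | Disable-NetAdapter -Confirm:$false
        "$((Get-Date).ToString('o')) disabled adapters: $($up.Name -join ', ')" | Add-Content -Path $log
    }
    Get-ChildItem -Path $OutputDir
}

# Usage (as administrator, from the console): Invoke-HostIsolation
```

The `actions.log` file doubles as the timestamped record the "PRESERVE evidence" step asks for, and the CSVs are the same volatile artefacts Phase 3 collects, captured before isolation destroyed them.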

EDR Isolation (Examples):

# Microsoft Defender for Endpoint
# Via Security Center: Device page → Isolate device
 
# SentinelOne
# Console: Sentinels → Select agent → Actions → Network Quarantine
 
# CrowdStrike Falcon
# Console: Hosts → Select host → Network Contain

FortiGate Quarantine:

# Block specific IP at firewall
config firewall address
    edit "Quarantine-<Hostname>"
        set type ipmask
        set subnet <IP> 255.255.255.255
    next
end
 
config firewall policy
    edit 0
        set name "Block-Quarantine"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Quarantine-<Hostname>"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

Contain Lateral Movement

Identify Potential Spread:

# Check for lateral movement indicators
# Recent RDP connections
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 50 |
Where-Object { $_.Id -eq 21 -or $_.Id -eq 25 } |
Select-Object TimeCreated, Message
 
# Recent SMB connections
Get-SmbConnection | Select-Object ServerName, ShareName, UserName
 
# Check scheduled tasks for persistence
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } |
Select-Object TaskName, TaskPath, Date

Block Lateral Movement Protocols:

# FortiGate - Block SMB/RDP between segments during incident
config firewall policy
    edit 0
        set name "IR-Block-Lateral"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SMB" "RDP"
        set schedule "always"
    next
end

Active Directory Protections:

# Reset compromised accounts (prompt for the temporary password rather than embedding it in the script or shell history)
Set-ADAccountPassword -Identity "<compromised-user>" -Reset -NewPassword (Read-Host -AsSecureString "Temporary password")
Disable-ADAccount -Identity "<compromised-user>"
 
# Reset KRBTGT (twice, 10+ hours apart for full rotation)
# WARNING: This will invalidate all Kerberos tickets
# Only do this if AD compromise is confirmed
# Reset-KrbtgtPassword is not a cmdlet in the ActiveDirectory module; it refers to a separate vetted reset script
# Reset-KrbtgtPassword -DomainName "domain.local"

Phase 3: Evidence Collection

Forensic Evidence Preservation

Evidence Collection Priority:

| Priority | Evidence Type | Volatility |
|---|---|---|
| 1 | Memory (RAM) | Very High |
| 2 | Running processes | Very High |
| 3 | Network connections | High |
| 4 | Logs (Security, System) | Medium |
| 5 | Disk image | Low |
| 6 | Ransom notes, encrypted files | Low |

Memory Acquisition:

# Using WinPMEM (download from GitHub)
.\winpmem_mini_x64.exe memory.raw
 
# Using DumpIt
.\DumpIt.exe
 
# Output location: Document and preserve chain of custody

Collect Volatile Data:

# Create collection directory
$collectionPath = "C:\IR-Collection-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $collectionPath
 
# Running processes
Get-Process | Select-Object Id, ProcessName, Path, StartTime |
Export-Csv "$collectionPath\processes.csv" -NoTypeInformation
 
# Network connections
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
Export-Csv "$collectionPath\network-connections.csv" -NoTypeInformation
 
# DNS cache
Get-DnsClientCache | Export-Csv "$collectionPath\dns-cache.csv" -NoTypeInformation
 
# Scheduled tasks
Get-ScheduledTask | Export-Csv "$collectionPath\scheduled-tasks.csv" -NoTypeInformation
 
# Services
Get-Service | Select-Object Name, DisplayName, Status, StartType |
Export-Csv "$collectionPath\services.csv" -NoTypeInformation
 
# Recent file modifications
Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
Export-Csv "$collectionPath\recent-files.csv" -NoTypeInformation

Export Windows Event Logs:

# Security log
wevtutil epl Security "$collectionPath\Security.evtx"
 
# System log
wevtutil epl System "$collectionPath\System.evtx"
 
# PowerShell logs
wevtutil epl "Microsoft-Windows-PowerShell/Operational" "$collectionPath\PowerShell.evtx"
 
# Defender logs
wevtutil epl "Microsoft-Windows-Windows Defender/Operational" "$collectionPath\Defender.evtx"
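"Document and preserve chain of custody" needs something concrete to sign off on. The following is an added example (not part of the original playbook) that hashes every file in the collection directory into a manifest, returns the manifest's own hash for the custody form, and provides a re-verification function for later. `$collectionPath` is the directory created above; the manifest filename and the `Test-EvidenceManifest` helper are assumptions for this example.

```powershell
# Added example, not the playbook's own code. Assumed: MANIFEST.csv filename, Test-EvidenceManifest.
function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$CollectionPath,
        [string]$Collector = $env:USERNAME
    )
    $root = (Resolve-Path -LiteralPath $CollectionPath).Path
    $manifest = Join-Path $root 'MANIFEST.csv'
    $rows = Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.Name -ne 'MANIFEST.csv' } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                SizeBytes    = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Host         = $env:COMPUTERNAME
                Collector    = $Collector
                HashedUtc    = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    $rows | Export-Csv -Path $manifest -NoTypeInformation
    # The manifest's own hash is what goes on the custody form / incident log.
    (Get-FileHash -LiteralPath $manifest -Algorithm SHA256).Hash
}

# Re-run at hand-over or before analysis: every row must still match, nothing may be missing.
function Test-EvidenceManifest {
    param([Parameter(Mandatory)][string]$CollectionPath)
    $root = (Resolve-Path -LiteralPath $CollectionPath).Path
    $rows = Import-Csv -Path (Join-Path $root 'MANIFEST.csv')
    $problems = foreach ($row in $rows) {
        $file = Join-Path $root $row.RelativePath
        if (-not (Test-Path -LiteralPath $file)) { "$($row.RelativePath): missing"; continue }
        $now = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($now -ne $row.SHA256) { "$($row.RelativePath): hash mismatch" }
    }
    if ($problems) { $problems } else { "All $($rows.Count) files verified" }
}

# Usage, after the exports above:
# $manifestHash = New-EvidenceManifest -CollectionPath $collectionPath
# Test-EvidenceManifest -CollectionPath $collectionPath
```

Write the manifest only once the collection is complete; anything added afterwards (for example the memory image) should get its own manifest rather than invalidating the first one.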

Timeline Analysis

Key Events to Identify:

| Event | Windows Event ID | Significance |
|---|---|---|
| Logon | 4624 | Initial access point |
| Failed logon | 4625 | Brute force attempts |
| Process creation | 4688 | Malware execution |
| Service installed | 7045 | Persistence mechanism |
| RDP connection | 1149 | Lateral movement |
| SMB share access | 5140 | Data access |
| Scheduled task | 4698 | Persistence |
| PowerShell execution | 4104 | Script execution |

Query Security Logs:

# Find initial access (Type 10 = Remote RDP, Type 3 = Network)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4624
} -MaxEvents 1000 |
Where-Object { $_.Properties[8].Value -in @(3, 10) } |
Select-Object TimeCreated,
    @{N='Account'; E={$_.Properties[5].Value}},
    @{N='LogonType'; E={$_.Properties[8].Value}},
    @{N='SourceIP'; E={$_.Properties[18].Value}}
 
# Find process creation events
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} -MaxEvents 500 |
Select-Object TimeCreated,
    @{N='Process'; E={$_.Properties[5].Value}},
    @{N='CommandLine'; E={$_.Properties[8].Value}}
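The two queries above look at one event ID at a time. The following is an added example (not part of the original playbook) that pulls all of the event IDs from the table into one chronological timeline, tags each row with its significance, and exports it for the incident record, so initial access, execution and persistence can be read in order. `$Since`, `$Until` and `$OutFile` are assumed parameters; the property indices follow the standard layouts of these events (4688 only carries a command line when the audit policy that captures it is enabled).

```powershell
# Added example, not the playbook's own code. Assumed parameters: $Since, $Until, $OutFile.
function Get-RansomwareTimeline {
    param(
        [datetime]$Since   = (Get-Date).AddDays(-7),
        [datetime]$Until   = (Get-Date),
        [string]  $OutFile = "C:\IR-timeline.csv"
    )
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row($Event, $Category, $Detail) {
        $rows.Add([pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Log = $Event.LogName
                                     Category = $Category; Detail = $Detail })
    }
    function Read-Log($LogName, $Ids) {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $Since; EndTime = $Until } -ErrorAction SilentlyContinue
    }

    foreach ($e in Read-Log 'Security' @(4624, 4625, 4688, 4698, 5140)) {
        $p = $e.Properties
        switch ($e.Id) {
            4624 { if ([int]$p[8].Value -in @(3, 10)) {         # network and RDP logons only
                       Add-Row $e 'Logon (initial access / lateral)' "$($p[6].Value)\$($p[5].Value) type $($p[8].Value) from $($p[18].Value)" } }
            4625 { Add-Row $e 'Failed logon (brute force?)' "$($p[6].Value)\$($p[5].Value) from $($p[19].Value)" }
            4688 { Add-Row $e 'Process creation' "$($p[5].Value) :: $($p[8].Value)" }
            4698 { Add-Row $e 'Scheduled task created (persistence)' "$($p[4].Value) by $($p[1].Value)" }
            5140 { Add-Row $e 'SMB share access' "$($p[7].Value) by $($p[1].Value) from $($p[5].Value)" }
        }
    }
    foreach ($e in Read-Log 'System' 7045) {                   # new service installed
        $p = $e.Properties
        Add-Row $e 'Service installed (persistence)' "$($p[0].Value) -> $($p[1].Value)"
    }
    foreach ($e in Read-Log 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' 1149) {
        $p = $e.Properties
        Add-Row $e 'RDP connection (lateral movement)' "$($p[1].Value)\$($p[0].Value) from $($p[2].Value)"
    }
    foreach ($e in Read-Log 'Microsoft-Windows-PowerShell/Operational' 4104) {
        $text = [string]$e.Properties[2].Value                  # script block text, truncated for the table
        if ($text.Length -gt 200) { $text = $text.Substring(0, 200) + '...' }
        Add-Row $e 'PowerShell script block' $text
    }

    $timeline = $rows | Sort-Object Time
    $timeline | Export-Csv -Path $OutFile -NoTypeInformation
    $timeline
}

# Usage: Get-RansomwareTimeline -Since '<infection-start-time>' | Format-Table Time, Category, Detail -AutoSize
```

Read the result from the first network or RDP logon forward: the first 4688 after it that is not a known administrative tool is usually the execution point, and the 7045/4698 rows that follow are the persistence the eradication phase has to remove.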

Phase 4: Eradication

Remove Ransomware Artifacts

Identify Persistence Mechanisms:

# Check Run keys
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
 
# Check scheduled tasks
Get-ScheduledTask | Where-Object { $_.State -eq "Ready" } |
Select-Object TaskName, TaskPath, @{N='Actions'; E={$_.Actions.Execute}}
 
# Check services whose binary lives outside the Windows directory
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -notlike "*Windows*" } |
Select-Object Name, PathName, StartMode
 
# Check startup folder
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
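The four checks above produce four separate listings. The following is an added example (not part of the original playbook) that consolidates them into one report and flags entries whose executable is missing, unsigned, or was written after the estimated infection time, which is what turns a listing into a triage list. `$InfectionDate` is an assumed parameter the responder sets from the timeline; the `Get-ExePath` helper that extracts a path from a command line is part of this example, not a Windows cmdlet.

```powershell
# Added example, not the playbook's own code. Assumed: $InfectionDate, Get-ExePath helper.
function Get-PersistenceReport {
    param([datetime]$InfectionDate = (Get-Date).AddDays(-7))

    # Pull the executable out of a command line such as "C:\x\a.exe" /arg or C:\x\a.exe /arg
    function Get-ExePath([string]$Command) {
        if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
        if ($Command -match '^"([^"]+)"') { return $Matches[1] }
        if ($Command -match '^(\S+\.(?:exe|dll|ps1|bat|cmd|vbs|js))') { return $Matches[1] }
        return ($Command -split ' ')[0]
    }

    $entries = New-Object System.Collections.Generic.List[object]
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
                $entries.Add([pscustomobject]@{ Source = "Registry $key"; Name = $p.Name; Command = [string]$p.Value })
            }
        }
    }
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                $entries.Add([pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = "$($a.Execute) $($a.Arguments)" })
            }
        }
    }
    foreach ($s in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        $entries.Add([pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = [string]$s.PathName })
    }
    foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
        foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            $entries.Add([pscustomobject]@{ Source = 'Startup folder'; Name = $f.Name; Command = $f.FullName })
        }
    }

    foreach ($e in $entries) {
        $exe = Get-ExePath $e.Command
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
        $exists  = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        $written = if ($exists) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
        [pscustomobject]@{
            Source     = $e.Source
            Name       = $e.Name
            Executable = $exe
            Signature  = $sig
            LastWrite  = $written
            # Flag: binary missing, not validly signed, or written after the infection started
            Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or ($written -gt $InfectionDate)
        }
    }
}

# Usage: Get-PersistenceReport -InfectionDate '<infection-start-time>' | Where-Object Suspicious | Format-Table -AutoSize
```

Expect noise from unsigned third-party software and scripts; the report is a review list, and each flagged entry is still confirmed against the timeline before the removal commands below are run.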

Remove Persistence:

# Remove malicious scheduled task
Unregister-ScheduledTask -TaskName "<malicious-task>" -Confirm:$false
 
# Remove malicious service
Stop-Service -Name "<malicious-service>" -Force
sc.exe delete "<malicious-service>"
 
# Remove registry persistence
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "<malicious-entry>"
 
# Delete malicious files (after forensic collection)
Remove-Item -Path "<malicious-file-path>" -Force

Clean with EDR:

  1. Run full system scan
  2. Review and remediate all detections
  3. Verify no active threats remain
  4. Check for dormant/scheduled malware

Validate Clean State

Verification Checklist:

□ No malicious processes running
□ No suspicious network connections
□ No persistence mechanisms remain
□ EDR shows clean status
□ AV scan completes with no detections
□ Startup items verified clean
□ Scheduled tasks reviewed
□ Services reviewed
□ User accounts audited

Phase 5: Recovery

Recovery Priority

Recovery Order:

| Priority | Systems | Justification |
|---|---|---|
| 1 | Domain Controllers | Authentication required for all systems |
| 2 | DNS/DHCP | Network services |
| 3 | Backup Infrastructure | Required for restoration |
| 4 | Critical Business Systems | Revenue/operations |
| 5 | File Servers | User data access |
| 6 | End User Workstations | Employee productivity |

Restore from Backup

Pre-Restoration Checks:

□ Backup integrity verified (not encrypted)
□ Backup predates infection (check timeline)
□ Clean environment ready for restoration
□ Network isolation maintained during restore
□ Credentials reset for restored systems

Restoration Process:

  1. Verify backup integrity

# Veeam - Check backup job status
Get-VBRBackup | Where-Object { $_.JobType -eq "Backup" } |
Select-Object Name, LastResult, LastPointCreationTime
 
# Azure Backup - List recovery points
az backup recoverypoint list --resource-group <RG> --vault-name <Vault> --container-name <Container> --item-name <Item>

  2. Restore to isolated network

  - Create isolated VLAN for restoration
  - No connection to production network
  - Verify restored system is clean
  - Run full security scan
  - Check for persistence

  3. Validate before reconnection

# Infection start time established during timeline analysis (Phase 3)
$infectionDate = Get-Date "<infection-start-time>"
 
# Verify no executables or DLLs were written after the infection started
Get-ChildItem -Path "C:\" -Recurse -Include "*.exe", "*.dll" -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt $infectionDate } |
Select-Object FullName, LastWriteTime
 
# Verify no scheduled tasks were created after the infection started
Get-ScheduledTask | Where-Object { $_.Date -gt $infectionDate }
 
# Review auto-start services
Get-Service | Where-Object { $_.Status -eq "Running" -and $_.StartType -eq "Automatic" }

Password Reset Strategy

Critical Password Resets:

| Account Type | Action | Priority |
|---|---|---|
| Domain Admin | Reset immediately | Critical |
| Service Accounts | Reset and update services | Critical |
| KRBTGT | Reset twice (10+ hours apart) | High |
| All privileged accounts | Reset before reconnection | High |
| All user accounts | Force password change at logon | Medium |

# Force password change for all users
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true
 
# Reset specific privileged account
Set-ADAccountPassword -Identity "admin-account" -Reset -NewPassword (Read-Host -AsSecureString "New Password")
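A reset plan is only as good as its verification. The following is an added example (not part of the original playbook) that lists privileged accounts whose password has not changed since the incident started, so the "reset before reconnection" row in the table can be checked rather than assumed, and reports the krbtgt reset separately. `$InfectionDate` is an assumed parameter; the group list is the default built-in privileged groups and can be extended.

```powershell
# Added example, not the playbook's own code. Assumed: $InfectionDate, default group list.
function Get-UnresetPrivilegedAccounts {
    param(
        [Parameter(Mandatory)][datetime]$InfectionDate,
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                              'Account Operators', 'Backup Operators', 'Server Operators')
    )
    $seen = @{}
    foreach ($g in $Groups) {
        # Enterprise/Schema Admins only exist in the forest root domain; missing groups are skipped.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.SamAccountName)) { continue }   # report each account once
            $seen[$m.SamAccountName] = $true
            $u = Get-ADUser -Identity $m.SamAccountName -Properties PasswordLastSet, Enabled, LastLogonDate
            [pscustomobject]@{
                Account         = $u.SamAccountName
                Group           = $g
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                LastLogonDate   = $u.LastLogonDate
                # Never-set or pre-incident password means the reset has not happened yet
                NeedsReset      = (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $InfectionDate)
            }
        }
    }
}

# krbtgt is not a group member, so it is checked on its own. PasswordLastSet only shows the
# most recent reset; record the first of the two resets in the incident log when it is done.
function Get-KrbtgtResetStatus {
    param([Parameter(Mandatory)][datetime]$InfectionDate)
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        Account            = 'krbtgt'
        PasswordLastSet    = $k.PasswordLastSet
        ResetSinceIncident = $k.PasswordLastSet -gt $InfectionDate
    }
}

# Usage:
# Get-UnresetPrivilegedAccounts -InfectionDate '<infection-start-time>' | Where-Object NeedsReset | Format-Table -AutoSize
# Get-KrbtgtResetStatus -InfectionDate '<infection-start-time>'
```

Run it again just before systems are reconnected; an empty `NeedsReset` list and a krbtgt `ResetSinceIncident` of `True` are the conditions the table describes.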

Phase 6: Post-Incident Activities

Lessons Learned

Post-Incident Review Meeting:

| Topic | Questions to Address |
|---|---|
| Detection | How was the incident detected? Could we detect earlier? |
| Response | What went well? What could be improved? |
| Containment | Was containment effective? How fast? |
| Communication | Were stakeholders informed appropriately? |
| Tools | Did our tools perform as expected? |
| Training | What training gaps were identified? |

Documentation Requirements:

1. Incident Timeline
   - Initial detection time
   - Key response actions with timestamps
   - Recovery completion time
   - Total incident duration
 
2. Technical Analysis
   - Attack vector (how did they get in?)
   - Ransomware variant and behavior
   - Systems affected
   - Data potentially exfiltrated
 
3. Business Impact
   - Downtime duration
   - Systems affected
   - Data loss (if any)
   - Financial impact estimate
 
4. Recommendations
   - Security improvements needed
   - Process improvements
   - Training needs
   - Tool enhancements

Improve Defenses

Common Ransomware Attack Vectors:

| Vector | Mitigation |
|---|---|
| Phishing email | Email filtering, user training, DMARC |
| RDP exposure | MFA, VPN-only access, network segmentation |
| Vulnerable software | Patch management, vulnerability scanning |
| Compromised credentials | MFA, privileged access management, credential monitoring |
| Supply chain | Vendor assessment, software allowlisting |

Recommended Improvements:

□ Implement/improve backup strategy (3-2-1 rule, air-gapped)
□ Enable MFA on all privileged accounts
□ Deploy EDR with ransomware protection
□ Implement network segmentation
□ Enable PowerShell logging and constraints
□ Improve email filtering and user training
□ Establish incident response retainer
□ Conduct regular IR tabletop exercises
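The checklist item "Enable PowerShell logging" is the one that directly improves the 4104 evidence the timeline analysis in Phase 3 depends on. The following is an added example (not part of the original playbook) that sets the script block, module and transcription logging policies through their Group Policy registry keys and then confirms a 4104 event is actually written. The transcript directory is an assumption; the registry paths are the documented policy locations.

```powershell
# Added example, not the playbook's own code. Assumed: $TranscriptDir.
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $settings = @{
        "$base\ScriptBlockLogging"        = @{ EnableScriptBlockLogging = 1 }
        "$base\ModuleLogging"             = @{ EnableModuleLogging = 1 }
        "$base\ModuleLogging\ModuleNames" = @{ '*' = '*' }          # log every module
        "$base\Transcription"             = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
    }
    foreach ($key in $settings.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $settings[$key].Keys) {
            $value = $settings[$key][$name]
            $type = if ($value -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    Get-ItemProperty -Path "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription"
}

# Run in a fresh PowerShell session after enabling: execute a harmless, recognisable
# script block and look for it in the 4104 log. Returns $true when logging works.
function Test-ScriptBlockLogging {
    $marker = "IR-logging-check-$(Get-Random)"
    & ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
    Start-Sleep -Seconds 2
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
    [bool]$hit
}

# Usage (as administrator):
# Enable-PowerShellLogging
# Test-ScriptBlockLogging
```

Deploy the same keys through Group Policy for the fleet rather than host by host, and forward the PowerShell/Operational channel to the SIEM so the 4104 events survive a host being encrypted.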

Communication Templates

Internal Notification

SUBJECT: [SECURITY INCIDENT] Ransomware Detected - ACTION REQUIRED
 
Priority: CRITICAL
Time: [TIMESTAMP]
Incident ID: [IR-YYYY-###]
 
SITUATION:
We have detected ransomware activity affecting [SCOPE]. The Incident Response team is actively responding.
 
IMMEDIATE ACTIONS:
1. Do NOT attempt to access affected systems
2. Do NOT open suspicious emails or attachments
3. Report any unusual system behavior immediately
4. [Additional specific instructions]
 
CURRENT STATUS:
- Affected systems have been isolated
- Investigation is ongoing
- Backup integrity is being verified
 
NEXT UPDATE: [TIME]
 
Contact: [IR Team Contact]

Executive Brief

EXECUTIVE INCIDENT BRIEF
Incident: Ransomware Attack
Date: [DATE]
Status: [Active Response / Contained / Recovered]
 
SUMMARY:
[Brief description of incident, scope, and current status]
 
IMPACT:
- Systems Affected: [COUNT/LIST]
- Business Functions Impacted: [LIST]
- Estimated Downtime: [DURATION]
- Data at Risk: [ASSESSMENT]
 
RESPONSE STATUS:
- Containment: [Complete/In Progress]
- Eradication: [Complete/In Progress]
- Recovery: [Complete/In Progress/Pending]
 
NEXT STEPS:
1. [Action item]
2. [Action item]
3. [Action item]
 
ESTIMATED RECOVERY: [TIMEFRAME]

Quick Reference

Critical Contact List

| Role | Contact | Responsibility |
|---|---|---|
| IR Lead | [Name/Phone] | Overall incident command |
| IT Operations | [Name/Phone] | System isolation and recovery |
| Security Team | [Name/Phone] | Investigation and analysis |
| Legal/Compliance | [Name/Phone] | Regulatory requirements |
| Communications | [Name/Phone] | Internal/external messaging |
| Executive Sponsor | [Name/Phone] | Business decisions |
| External IR Firm | [Name/Phone] | Additional support if needed |
| Cyber Insurance | [Policy #/Phone] | Claim notification |
| Law Enforcement | FBI IC3/Local | Reporting if required |

Decision Tree

RANSOMWARE DETECTED
        │
        ▼
Is attack active (spreading)?
    │           │
   YES          NO
    │           │
    ▼           ▼
ISOLATE       Assess scope
IMMEDIATELY   and impact
    │           │
    ▼           ▼
Preserve      Collect
evidence      evidence
    │           │
    └─────┬─────┘
          ▼
    Can we recover
    from backup?
    │           │
   YES          NO
    │           │
    ▼           ▼
Proceed to    Consider
recovery      options*
    │           │
    ▼           ▼
Reset all     Engage legal,
credentials   insurance, IR firm

*Options may include negotiation as last resort - always involve legal and insurance.


Verification Checklist

Incident Closed Criteria:

  • All affected systems identified and documented
  • Root cause determined
  • All malware artifacts removed
  • Systems restored and validated
  • Credentials reset across environment
  • Monitoring enhanced for indicators
  • Lessons learned documented
  • Recommendations provided to leadership
  • Insurance claim filed (if applicable)
  • Regulatory notifications made (if required)

References

  • NIST SP 800-61 Rev. 2 - Incident Handling Guide
  • CISA Ransomware Guide
  • No More Ransom Project
  • ID Ransomware
  • MITRE ATT&CK - Ransomware

Last Updated: February 2026
