Category: Incident Response
Applies to: SOC Analysts, IR Teams, IT Security
Last reviewed: 2025

Overview

This playbook provides a structured response procedure for ransomware incidents. It covers detection through containment, eradication, recovery, and post-incident review. Follow the phases in order; in particular, do not begin recovery until containment is complete, or restored systems risk being re-encrypted by the still-running encryptor or a second wave from an attacker who retains access.

Phase 1 — Detection & Initial Triage

Goal: Confirm ransomware activity and scope the blast radius.

  • ☐ Receive alert from EDR, SIEM, or user report
  • ☐ Verify indicators: encrypted files, ransom note, unusual process activity
  • ☐ Identify affected host(s): hostname, IP, owner, business unit
  • ☐ Check EDR telemetry for initial access vector (phishing, RDP, exploit)
  • ☐ Determine if encryption is still active or has stopped
  • ☐ Identify ransomware family if possible (check ransom note, file extension, ID Ransomware)
  • ☐ Confirm whether backup systems are accessible and unaffected
  • ☐ Open incident ticket and assign severity (P1 for active encryption)
  • ☐ Notify incident commander and escalate to IR lead

Key questions to answer:
- Is encryption still running?
- How many hosts are affected?
- Is this a single endpoint or lateral movement?
- Are backups intact?
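
A small triage script for the indicator checks above (encrypted files, ransom note, extension pattern for family lookup, whether encryption is still running), added here as an illustration; it is not part of the playbook's own tooling. It scores files by byte entropy, which is a heuristic: ciphertext reads as close to 8 bits/byte, but so do archives and media, so known compressed formats are skipped, and a sample of only the file head is read. The entropy threshold, the ransom-note filename patterns, the skipped-extension list, the "active" time window and the sample directory it builds are all constructed assumptions to be tuned to your environment. Run it read-only against a copied share or user profile.

```python
import math
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Tunables (assumptions for this example; adjust to your environment).
ENTROPY_THRESHOLD = 7.5      # bits per byte; plaintext and office docs sit well below, ciphertext near 8.0
SAMPLE_BYTES = 4096          # only the head of each file is read, enough for an entropy estimate
ACTIVE_WINDOW_SECONDS = 300  # an encrypted file written this recently suggests encryption is still running
# Formats that are high-entropy by design and would otherwise be false positives.
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
# Common ransom-note filename fragments; a real list would be tuned to observed families.
NOTE_NAME_RE = re.compile(
    r"(readme|how[_ -]?to[_ -]?(decrypt|restore|recover)|restore[_ -]?(my[_ -])?files|decrypt)",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root, now=None):
    """Walk a share or profile and summarize ransomware indicators.

    Returns suspected ransom notes, files whose content looks encrypted, the
    distribution of their extensions (a hint for family identification), the
    most recent write time among them, and whether that write is recent enough
    that encryption may still be in progress.
    """
    now = time.time() if now is None else now
    encrypted, notes, extensions = [], [], Counter()
    last_write = None
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if NOTE_NAME_RE.search(path.name):
            notes.append(str(path))
            continue
        if path.suffix.lower() in COMPRESSED_EXTS:
            continue  # skip formats that are high-entropy by design
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(str(path))
            extensions[path.suffix.lower()] += 1
            mtime = path.stat().st_mtime
            last_write = mtime if last_write is None else max(last_write, mtime)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "extensions": dict(extensions),
        "last_write": last_write,
        "possibly_active": last_write is not None and (now - last_write) < ACTIVE_WINDOW_SECONDS,
    }


def build_sample_tree():
    """Create a constructed directory that mimics a partially encrypted share (sample data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="rw_triage_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3_report.docx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (root / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(2048))
    (root / "finance" / "HOW_TO_RESTORE_FILES.txt").write_text("Your files are encrypted. Contact the address in this note.\n")
    (root / "notes.txt").write_text("Meeting notes for Tuesday.\n" * 50)  # untouched plaintext
    (root / "holiday.zip").write_bytes(os.urandom(4096))  # high entropy but a known compressed format
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(f"ransom notes:     {report['notes']}")
    print(f"encrypted files:  {len(report['encrypted'])}  extensions: {report['extensions']}")
    print(f"possibly active:  {report['possibly_active']}")
```

The dominant appended extension plus the note text is what a family lookup (such as ID Ransomware) needs; the "possibly active" flag answers the first key question and decides whether containment has to start before the rest of triage finishes.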

Phase 2 — Containment

Goal: Stop the spread. Isolate before you investigate.

  • ☐ Isolate affected host(s) from the network immediately. Prefer EDR network isolation, which keeps the agent's management channel open for telemetry and remote collection; otherwise disable the NIC or move the switch port to a quarantine VLAN. Do not power the host off.
  • ☐ Disable the affected user account(s) in Active Directory / IdP
  • ☐ Revoke active sessions, refresh tokens and cached credentials for affected accounts (disabling an account does not end logon sessions that are already established)
  • ☐ Identify and isolate any additional hosts with similar indicators
  • ☐ Block known C2 IPs/domains at firewall and DNS level
  • ☐ Disable any compromised service accounts
  • ☐ Capture a memory image first (it is volatile and may hold the running encryptor and its key material), then a disk image, of at least one affected host before any shutdown
  • ☐ Notify IT to suspend any scheduled tasks or scripts originating from affected systems
  • ☐ Document all containment actions with timestamps

⚠️ Do not reboot affected hosts before capturing forensic evidence unless active encryption is causing further damage.

Phase 3 — Investigation & Evidence Collection

Goal: Understand how the attacker got in, moved, and executed.

  • ☐ Review EDR process tree for initial execution chain
  • ☐ Identify patient zero — first host encrypted, first account compromised
  • ☐ Collect relevant Windows Event Logs: Security 4624 (successful logon), 4625 (failed logon), 4648 (logon with explicit credentials), 4688 (process creation; command-line capture must be enabled by audit policy or the event lacks the command line), and System 7045 (new service installed)
  • ☐ Review authentication logs for lateral movement (pass-the-hash, stolen creds)
  • ☐ Check for persistence mechanisms: scheduled tasks, registry run keys, services
  • ☐ Identify data exfiltration indicators (large outbound transfers, cloud sync tools)
  • ☐ Document attacker TTPs using MITRE ATT&CK framework
  • ☐ Preserve all evidence to secure storage (chain of custody if legal action possible)
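
The correlation the investigation steps above describe (process tree, patient zero, lateral movement, persistence, ATT&CK mapping), written out as an added example in Python; it is not part of the playbook or any vendor tool. It runs over a constructed set of Security/System log records with flattened field names (host, user, logon_type, auth_package, src_ip, parent, image, cmdline, service, image_path stand in for Computer, TargetUserName, LogonType, AuthenticationPackageName, IpAddress, ParentProcessName, NewProcessName, CommandLine, ServiceName and ImagePath as exported from Get-WinEvent or a SIEM). The hostnames, accounts, addresses and the NTLM allowlist are invented. The rules are deliberately simple heuristics: an Office process spawning a script host, NTLM type-3 logons by non-machine accounts from unexpected sources, explicit-credential use, new services, and shadow-copy deletion; NTLM type-3 logons in particular are noisy in real environments and need the allowlist tuned.

```python
# Constructed sample records (hosts, users and addresses are invented).
SAMPLE_EVENTS = [
    {"time": "2025-03-04T02:11:05", "host": "WS-0142", "id": 4688, "user": "jdoe",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\jdoe\AppData\Local\Temp\inv.ps1"},
    {"time": "2025-03-04T02:40:18", "host": "WS-0142", "id": 4648, "user": "jdoe",
     "target_user": "svc_backup", "target_server": "FS-01"},
    {"time": "2025-03-04T02:40:19", "host": "FS-01", "id": 4624, "user": "svc_backup",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.10.5.42"},
    {"time": "2025-03-04T02:40:21", "host": "FS-01", "id": 7045, "user": "svc_backup",
     "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2025-03-04T02:41:02", "host": "FS-01", "id": 4688, "user": "svc_backup",
     "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2025-03-04T02:44:30", "host": "FS-02", "id": 4624, "user": "svc_backup",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.10.5.42"},
    # Benign noise the rules must ignore: a machine-account Kerberos logon and an allowlisted appliance.
    {"time": "2025-03-04T02:45:00", "host": "FS-02", "id": 4624, "user": "FS-02$",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.10.1.10"},
    {"time": "2025-03-04T02:50:00", "host": "FS-01", "id": 4624, "user": "backupadmin",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.10.1.20"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Commands that inhibit recovery (ATT&CK T1490); common ransomware precursor.
RECOVERY_INHIBIT = (("vssadmin", "delete shadows"), ("wbadmin", "delete catalog"), ("bcdedit", "recoveryenabled no"))
NTLM_SOURCE_ALLOWLIST = {"10.10.1.20"}  # assumption: appliances known to authenticate with NTLM


def _finding(event, technique, detail):
    return {"time": event["time"], "host": event["host"], "user": event["user"],
            "event_id": event["id"], "technique": technique, "detail": detail}


def analyze(events):
    """Turn raw event records into a time-ordered list of ATT&CK-tagged findings,
    the order in which hosts first showed attacker activity, and patient zero."""
    findings = []
    for e in sorted(events, key=lambda x: x["time"]):
        eid, user = e["id"], e["user"]
        if eid == 4688:
            parent = e.get("parent", "").lower()
            image = e.get("image", "").lower()
            cmd = e.get("cmdline", "").lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(_finding(e, "T1204.002", f"{parent} spawned {image}: {e['cmdline']}"))
            if any(tool in cmd and args in cmd for tool, args in RECOVERY_INHIBIT):
                findings.append(_finding(e, "T1490", e["cmdline"]))
        elif eid == 4624 and e.get("logon_type") == 3:
            if (e.get("auth_package", "").upper() == "NTLM"
                    and not user.endswith("$")                   # machine accounts
                    and user.upper() != "ANONYMOUS LOGON"
                    and e.get("src_ip") not in NTLM_SOURCE_ALLOWLIST):
                findings.append(_finding(e, "T1021.002",
                                         f"NTLM network logon as {user} from {e['src_ip']} "
                                         "(check the source host for pass-the-hash, T1550.002)"))
        elif eid == 4648:
            findings.append(_finding(e, "T1078",
                                     f"{user} used explicit credentials of {e['target_user']} toward {e['target_server']}"))
        elif eid == 7045:
            findings.append(_finding(e, "T1543.003", f"service {e['service']} installed from {e['image_path']}"))

    first_seen = {}
    for fnd in findings:  # findings are time-ordered, so the first assignment per host wins
        first_seen.setdefault(fnd["host"], fnd["time"])
    host_order = sorted(first_seen, key=first_seen.get)
    return {
        "findings": findings,
        "patient_zero": host_order[0] if host_order else None,
        "first_account": findings[0]["user"] if findings else None,
        "host_order": host_order,
        "techniques": sorted({fnd["technique"] for fnd in findings}),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for fnd in result["findings"]:
        print(f"{fnd['time']}  {fnd['host']:<8} {fnd['event_id']}  {fnd['technique']:<10} {fnd['detail']}")
    print("patient zero:", result["patient_zero"], "| first account:", result["first_account"],
          "| spread:", " -> ".join(result["host_order"]))
```

On the sample data the chain reads as it would in a real case: a document on WS-0142 spawns PowerShell (patient zero, account jdoe), stolen svc_backup credentials are used explicitly toward FS-01, an NTLM network logon and a PSEXESVC install follow on FS-01, shadow copies are deleted there, and the same credentials reach FS-02. The findings list is the skeleton of the incident timeline required in Phase 6, and the technique column is the ATT&CK mapping step.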

Phase 4 — Eradication

Goal: Remove all attacker presence from the environment.

  • ☐ Remove malware and associated files from all affected systems
  • ☐ Delete attacker-created accounts and persistence mechanisms
  • ☐ Reset all compromised credentials (affected users + service accounts); if domain administrator or domain controller credentials were exposed, also reset the krbtgt account password twice, allowing replication to complete between the two resets
  • ☐ Rotate secrets, API keys, and certificates exposed on compromised systems
  • ☐ Patch exploited vulnerability or disable exploited service
  • ☐ Validate eradication with EDR rescan across all affected and adjacent hosts
  • ☐ Confirm no remaining C2 communication from the environment

Phase 5 — Recovery

Goal: Restore systems safely and confirm clean state.

  • ☐ Confirm backups are clean: restore only from a point that predates the initial access time established in Phase 3, and scan backup files before restore
  • ☐ Restore affected systems from verified clean backups
  • ☐ Rebuild systems from scratch if backup integrity is uncertain
  • ☐ Re-enable network connectivity only after confirmed clean
  • ☐ Re-enable user accounts after password reset
  • ☐ Monitor restored systems closely for 72 hours post-recovery
  • ☐ Validate business functionality with system owners

Phase 6 — Post-Incident Review

Goal: Learn and improve. Complete within 5 business days.

  • ☐ Write full incident timeline (first indicator to containment to recovery)
  • ☐ Document root cause and initial access vector
  • ☐ Identify detection gaps — why wasn't this caught earlier?
  • ☐ List all recommendations: patching, MFA, EDR tuning, backup improvements
  • ☐ Schedule lessons-learned meeting with IR team, IT, and management
  • ☐ Update detection rules, response playbooks, and training material
  • ☐ Submit final incident report to stakeholders

Key Contacts

Role                Responsibility
IR Lead             Overall incident coordination
SOC Analyst         Alert triage, evidence collection
IT/Sysadmin         Isolation, recovery execution
Legal/Compliance    Regulatory notification decisions
Management          Business decisions, ransom payment approval

Reference Resources