Incident Response | Advanced | 35 min read

Ransomware Response Playbook

Structured incident response for ransomware with containment procedures, negotiation considerations, recovery strategies, and post-incident hardening.

SBK Security Team
Incident Response Practice
Updated December 2024

Introduction

Ransomware is one of the most damaging threats to modern organizations: reported average downtime costs exceed $1.4M, and ransom demands range from roughly $10K to $50M depending on the size of the victim.


This playbook provides a structured response framework from initial detection through full recovery. Time is critical—the first 60 minutes determine whether you contain a single endpoint or face enterprise-wide encryption.

CRITICAL: First Actions

If you suspect active ransomware RIGHT NOW:

  1. Isolate affected systems from the network (pull cables, disable Wi-Fi); if the device is remote, quarantine it through EDR or disable its switch port
  2. Do NOT shut down infected systems: isolation stops the spread, while powering off destroys volatile memory that may hold encryption keys, injected code and live network connections
  3. Alert your security team and activate the incident response plan
  4. Preserve all ransom notes and attacker communications
  5. Contact law enforcement (FBI IC3, Secret Service) immediately

Ransomware Threat Landscape

Understanding the modern ransomware ecosystem is essential for effective response. Attacks have evolved from opportunistic malware to sophisticated RaaS operations targeting specific industries and high-value targets.

Common Attack Vectors

  • Phishing emails with malicious attachments or links (45%)
  • Exploitation of unpatched vulnerabilities (35%)
  • Compromised RDP credentials (15%)
  • Supply chain attacks through trusted vendors (5%)

Double Extortion Tactics

  • Data exfiltration before encryption (stolen before locked)
  • Threat to publish on leak sites
  • Direct customer notification threats
  • DDoS attacks during negotiation

LockBit

Fast encryption, automated deployment, StealBit data exfiltration tool. Known for targeting enterprise environments.

IOCs: .lockbit extension, LockBit-specific ransom notes, use of PowerShell and WMI for lateral movement

ALPHV/BlackCat

Rust-based, cross-platform, highly customizable. Triple extortion (encryption + data leak + DDoS).

IOCs: Random extensions, use of Tor for C2 communication, credential harvesting via Mimikatz

Cl0p

Targets file transfer applications, mass-exploitation of zero-days. Known for MOVEit and GoAnywhere attacks.

IOCs: .cl0p or .Clop extensions, exploitation of file transfer vulnerabilities, rapid encryption

Detection & Identification

Early detection is the difference between a contained incident and an enterprise-wide outage. Most ransomware operators dwell in the environment for days, sometimes weeks, between initial access and encryption; that window is where detection of the pre-encryption activity below pays off.

⚠️ Early Warning Signs

Watch for these pre-encryption indicators:

  • Unusual lateral movement or admin credential usage
  • Mass file modifications or renames
  • Backup deletion attempts or volume shadow copy removal
  • Unexpected data exfiltration (large outbound transfers)
  • Disabled security tools or endpoint protection
  • New scheduled tasks or persistence mechanisms
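The indicators above are what a detection rule set should key on. The following Python is an added example, not the playbook's own tooling: it scores constructed Windows process-creation (4688), scheduled-task (4698) and service-install (7045) events against a small rule set and tells the responder which hosts to isolate first. The event dictionary layout, the rule weights and the isolate/investigate thresholds are assumptions made for the example.

```python
"""Score hosts for pre-encryption ransomware indicators.

Added example, not code from the SBK playbook.  It assumes Windows events
exported as dictionaries with 'host', 'event_id', 'user', 'image' and
'command_line' keys (a typical SIEM/EDR JSON export).  Event IDs 4688
(process creation), 4698 (scheduled task created) and 7045 (service
installed) are real Windows IDs; the rule weights are illustrative."""
import re
from collections import defaultdict

# (rule name, event id, regex over the command line, weight)
RULES = [
    ("shadow_copy_deletion", 4688,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I), 40),
    ("backup_catalog_deletion", 4688,
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), 30),
    ("recovery_disabled", 4688,
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I), 30),
    ("event_log_cleared", 4688, re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), 20),
    ("backup_or_av_service_stopped", 4688,
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+.*(backup|veeam|sql|defend|sophos|sense)", re.I), 20),
    # For task and service events the event itself is the signal; the
    # command line, if exported, is kept only for the analyst.
    ("scheduled_task_created", 4698, re.compile(r""), 10),
    ("service_installed", 7045, re.compile(r""), 10),
]

SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"host": "ws-007", "event_id": 4688, "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe todo.txt"},
    {"host": "ws-042", "event_id": 4688, "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe Q3-report.docx"},
    {"host": "ws-042", "event_id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws-042", "event_id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-file01", "event_id": 7045, "user": "SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "command_line": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "srv-file01", "event_id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security"},
    {"host": "dc01", "event_id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net stop "Veeam Backup Service" /y'},
]


def match_rules(event):
    """Return [(rule_name, weight)] for every rule the event satisfies."""
    cmd = event.get("command_line", "")
    return [(name, weight) for name, eid, pat, weight in RULES
            if event["event_id"] == eid and pat.search(cmd)]


def score_hosts(events):
    """Sum rule weights per host and keep the ordered list of hits."""
    per_host = defaultdict(lambda: {"score": 0, "indicators": []})
    for ev in events:
        for name, weight in match_rules(ev):
            per_host[ev["host"]]["score"] += weight
            per_host[ev["host"]]["indicators"].append(name)
    return dict(per_host)


def triage(events, isolate_at=40, investigate_at=20):
    """Attach an action level to each scored host (thresholds are assumptions)."""
    out = {}
    for host, entry in score_hosts(events).items():
        level = ("isolate" if entry["score"] >= isolate_at
                 else "investigate" if entry["score"] >= investigate_at else "monitor")
        out[host] = {**entry, "level": level}
    return out


if __name__ == "__main__":
    for host, r in sorted(triage(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{host:12} score={r['score']:3} {r['level']:12} {', '.join(r['indicators'])}")
```

Two things the list above implies but a rule set must make explicit: shadow-copy deletion alone is enough to isolate a host, and the same service account (svc_backup in the sample) appearing across several hosts is itself worth an alert before any single host crosses the threshold.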

Immediate Identification Steps:

1. Check for ransom notes

Look for .txt or .html files with payment instructions. Common names: README.txt, HOW_TO_DECRYPT.html, DECRYPT_INSTRUCTIONS.txt

2. Identify encryption pattern

Check file extensions: many ransomware families append unique extensions (.lockbit, .encrypted, random strings)

3. Assess spread

Quickly determine: Single system? Lateral movement? Multiple departments? Domain controller compromised?

4. Preserve evidence

Screenshot ransom notes, document affected systems, save any communication attempts from attackers
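Steps 1 to 3 above can be scripted against a mounted share or an evidence copy. The following Python is an added example, not from the playbook: it builds a constructed sample tree in a temporary directory, locates ransom notes by name and content, flags files that carry a known ransomware extension or look encrypted (high entropy without a recognised file header), and summarises extensions and affected directories. The note names and extensions come from the text; the entropy threshold, the keyword list and the magic-byte table are assumptions.

```python
"""Triage a file tree for ransom notes and encrypted files.

Added example, not code from the SBK playbook.  The sample tree is
constructed in a temporary directory; note names and extensions come from
the playbook text, while the entropy threshold, keyword list and
compressed-format magic bytes are assumptions made here."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAMES = {"readme.txt", "how_to_decrypt.html", "decrypt_instructions.txt"}
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover|how.?to).*\.(txt|html?|hta)$", re.I)
NOTE_KEYWORDS = ("decrypt", "bitcoin", "onion", "ransom", "payment")
RANSOM_EXTENSIONS = {".lockbit", ".encrypted", ".locked", ".cl0p", ".clop"}
# Formats that are legitimately high-entropy; skip them in the entropy test.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b", b"Rar!", b"7z\xbc\xaf")
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit well below this
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant string, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    if name not in NOTE_NAMES and not NOTE_PATTERN.search(name):
        return False
    # README.txt is a common benign name, so confirm by content.
    text = path.read_bytes()[:HEAD_BYTES].decode("utf-8", errors="ignore").lower()
    return any(k in text for k in NOTE_KEYWORDS)


def encryption_reason(path: Path):
    """Return why a file looks encrypted, or None if it looks normal."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "known ransomware extension"
    head = path.read_bytes()[:HEAD_BYTES]
    if head.startswith(COMPRESSED_MAGIC):
        return None
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high entropy with unrecognised header"
    return None


def scan_tree(root):
    """Walk the tree read-only and summarise notes, encrypted files and spread."""
    root = Path(root)
    result = {"notes": [], "encrypted": {}, "extensions": Counter(), "directories": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        if is_ransom_note(path):
            result["notes"].append(rel)
            continue
        reason = encryption_reason(path)
        if reason:
            result["encrypted"][rel] = reason
            result["extensions"][path.suffix.lower()] += 1
            result["directories"].add(str(path.parent.relative_to(root)).replace(os.sep, "/"))
    result["notes"].sort()
    return result


def build_sample_tree():
    """Constructed sample: two encrypted files, one archive, two notes, benign files."""
    root = Path(tempfile.mkdtemp(prefix="rw-triage-"))
    (root / "Finance").mkdir()
    (root / "HR").mkdir()
    (root / "Finance" / "budget.csv").write_text("dept,amount\nops,1200\n" * 100)
    (root / "Finance" / "Q3.xlsx.lockbit").write_bytes(os.urandom(HEAD_BYTES))
    (root / "Finance" / "README.txt").write_text(
        "YOUR FILES ARE ENCRYPTED. To decrypt them contact us through the Tor portal "
        "using your personal ID. Payment in Bitcoin only. (constructed sample note)")
    (root / "HR" / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(HEAD_BYTES))
    (root / "HR" / "policy.docx.a1b2c3d4").write_bytes(os.urandom(HEAD_BYTES))
    (root / "HR" / "HOW_TO_DECRYPT.html").write_text("<html>decrypt instructions: pay the ransom</html>")
    (root / "HR" / "README.txt").write_text("Build notes for the HR portal, nothing to see here.")
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print("ransom notes:", summary["notes"])
    print("encrypted files:", summary["encrypted"])
    print("extensions seen:", dict(summary["extensions"]))
    print("directories hit:", sorted(summary["directories"]))
```

Entropy alone is not a signal: archives, images and other compressed formats are high-entropy by design, which is why the scanner skips files with a recognised compressed header and only flags high entropy when the extension is also unfamiliar. Run it read-only against a copy or a mounted image, never against the live infected host.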

Initial Containment

CRITICAL: Speed Matters

The first 60 minutes determine incident scope. Delayed containment allows lateral spread, backup destruction, and increased ransom demands. Execute containment BEFORE detailed forensics.

Containment focuses on stopping ransomware spread while preserving evidence for investigation and potential prosecution. Balance aggressive isolation with business continuity needs.


Immediate Containment Actions:

1. Network Isolation (High Priority)

Disconnect infected systems from the network:

  • Physical disconnection preferred (unplug ethernet, disable WiFi)
  • VLAN segmentation if physical isolation is not possible
  • Block lateral movement at the firewall (SMB, RDP, WMI/WinRM between workstations and toward servers)
  • Quarantine via EDR for remote systems, but confirm from the network side: the attacker may already have disabled or evaded the agent

2. Disable Compromised Accounts

Reset passwords and disable accounts showing suspicious activity. Prioritize admin accounts, service accounts, and any with recent lateral movement indicators, and revoke active sessions and tokens for the same identities. If a domain controller is compromised, plan a full credential reset including the krbtgt account (reset twice, with a gap of at least the maximum ticket lifetime, so forged Kerberos tickets stop working).

3. Protect Backups (URGENT)

Ransomware operators prioritize backup destruction:

  • Take backup systems offline immediately (air-gap if possible)
  • Verify backup integrity before relying on them (compare stored checksums, test a sample restore)
  • Create immutable snapshots if available
  • Export critical data to offline storage (external drives, isolated cloud storage)

4. Maintain Evidence

DO NOT power down infected systems yet (destroys RAM evidence). Keep systems isolated but running until forensic capture is complete.

Impact Assessment & Scoping

Once immediate containment is executed, conduct rapid assessment to understand full scope. This determines recovery strategy, regulatory obligations, and business continuity plans.


Critical Assessment Questions:

1. Systems Affected

Document all impacted systems: workstations, servers, domain controllers, databases, cloud instances. Categorize by criticality to business operations.

2. Data Encrypted

Identify what data is inaccessible. Focus on: customer data, financial records, intellectual property, regulated data (PII, PHI, PCI).

3. Data Exfiltration Risk

Assume exfiltration until proven otherwise. Check for:

  • Large outbound transfers in network logs (often days before encryption)
  • References to stolen data in ransom communications
  • Threat actor claims on leak sites or dark web forums
  • File staging directories or compression artifacts (large archives in unusual locations, unfamiliar sync or transfer tools)

4. Backup Viability

Test backup restoration immediately. Determine: Are backups encrypted? How far back are clean backups? What is the recovery time objective (RTO)?

💡 Documentation is Critical

Maintain a detailed timeline and evidence log. This is essential for insurance claims, regulatory reporting, law enforcement, and post-incident review. Use an incident tracking system or a shared document with timestamps and evidence links.
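The first exfiltration check above, large outbound transfers in the days before encryption, can be done from flow or proxy logs. The following Python is an added example, not from the playbook: it aggregates constructed flow records into daily outbound bytes per host to non-RFC1918 addresses, builds a per-host median baseline from the days before a cutoff, and flags days that exceed both a multiple of that baseline and an absolute floor. The record layout, the baseline window, the ratio and the floor are assumptions to tune against your own data.

```python
"""Flag hosts whose outbound volume to external addresses jumps far above
their own baseline.

Added example, not code from the SBK playbook.  Flow records are constructed
(internal hosts in 10.0.0.0/8, external peers in the documentation ranges)
and assume an export with 'day', 'src', 'dst' and 'bytes' fields.  The
ratio and floor are assumptions."""
import ipaddress
from collections import defaultdict
from statistics import median

MB = 1_000_000
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _flow(day, src, dst, mb):
    return {"day": day, "src": src, "dst": dst, "bytes": mb * MB}


SAMPLE_FLOWS = (  # constructed sample; not real flow data
    [_flow(f"2024-11-{d}", "10.0.5.20", "203.0.113.7", mb)
     for d, mb in zip(range(18, 25), (1800, 2100, 1600, 2400, 1900, 2200, 1700))]
    + [_flow(f"2024-11-{d}", "10.0.7.42", "203.0.113.7", 300) for d in range(18, 25)]
    + [_flow("2024-11-25", "10.0.5.20", "198.51.100.23", 180_000),  # the burst
       _flow("2024-11-25", "10.0.5.20", "10.0.9.5", 200_000),       # internal staging copy
       _flow("2024-11-25", "10.0.7.42", "203.0.113.7", 1_200),
       _flow("2024-11-25", "10.0.7.99", "198.51.100.23", 50_000)]   # host with no history
)


def is_external(ip: str) -> bool:
    """External means outside the explicit internal ranges (not Python's is_private,
    which also treats the documentation ranges used in the sample as private)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_outbound(flows):
    """Bytes sent to external addresses, keyed by (source host, day)."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[(f["src"], f["day"])] += f["bytes"]
    return totals


def find_exfil_days(flows, baseline_until, ratio=5.0, floor_bytes=10_000 * MB):
    """Flag (host, day) after the cutoff whose outbound bytes exceed both the
    floor and ratio x the host's median daily volume up to the cutoff."""
    totals = daily_outbound(flows)
    history = defaultdict(list)
    for (host, day), b in totals.items():
        if day <= baseline_until:           # ISO dates compare correctly as strings
            history[host].append(b)
    flagged = []
    for (host, day), b in sorted(totals.items()):
        if day <= baseline_until or b < floor_bytes:
            continue
        base = median(history[host]) if history[host] else None
        # A host with no baseline is judged on the absolute floor alone.
        if base is None or b >= ratio * base:
            flagged.append({"host": host, "day": day, "bytes": b, "baseline": base})
    return flagged


if __name__ == "__main__":
    for hit in find_exfil_days(SAMPLE_FLOWS, baseline_until="2024-11-24"):
        base = "no baseline" if hit["baseline"] is None else f"{hit['baseline'] / MB:,.0f} MB/day"
        print(f"{hit['host']:12} {hit['day']} sent {hit['bytes'] / MB:,.0f} MB externally ({base})")
```

A host with no baseline (the constructed 10.0.7.99) is judged on the floor alone. Internal transfers are excluded from the totals, but the large copy to an internal staging host on the same day is itself a useful pivot once the external burst has been found.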

Evidence Preservation

Proper evidence preservation is critical for potential prosecution, insurance claims, and post-incident analysis. Contaminated or lost evidence can jeopardize all three.

Chain of Custody

Law enforcement and insurance companies require a documented chain of custody. Every person who handles evidence must be logged with timestamp, purpose, and transfer details.

Essential Evidence Collection:

1. Memory Capture (Time-Sensitive)

Use forensic tools (FTK Imager, WinPmem, LiME for Linux) to capture RAM from infected systems BEFORE powering down. Memory contains encryption keys, injected code, and live network connections.

2. Disk Imaging

Create forensic images of affected systems. Use write-blockers to prevent modification. Store images on separate, secured storage and record SHA-256 checksums at acquisition so integrity can be verified at every later handoff.

3. Log Collection

Preserve: Windows Event Logs (Security, System, Application), firewall logs, EDR telemetry, Active Directory logs, web proxy logs, email gateway logs. Export to immutable storage.

4. Ransom Communications

Save all ransom notes, payment portals, chat transcripts, and email communications. Screenshot everything. Never delete, even after resolution.
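The checksum and chain-of-custody requirements above can be enforced with a manifest that is hashed at acquisition and re-verified at every handoff; the same check covers the "verify backup integrity" step under containment. The following Python is an added example, not the playbook's or any forensic suite's code: it builds constructed evidence files in a temporary directory, records SHA-256 hashes and a custody chain per item, refuses a transfer whose "from" holder is not the current holder, and detects a file changed after acquisition. The JSON layout and the case identifier are assumptions.

```python
"""Evidence manifest with SHA-256 hashes and a chain-of-custody log.

Added example, not code from the SBK playbook or any forensic suite.  The
evidence files are constructed in a temporary directory; the manifest layout
and the case identifier are assumptions."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def create_manifest(case_id, paths, collector):
    """Hash each evidence item at acquisition and open its custody chain."""
    items = {}
    for p in map(Path, paths):
        items[p.name] = {
            "path": str(p), "sha256": sha256_file(p), "size": p.stat().st_size,
            "custody": [{"time": _now(), "holder": collector,
                         "purpose": "acquisition", "from": None}],
        }
    return {"case_id": case_id, "created": _now(), "items": items}


def record_transfer(manifest, item, from_holder, to_holder, purpose):
    """Append a custody entry; refuse if from_holder is not the current holder,
    so the chain can never silently skip a hand."""
    chain = manifest["items"][item]["custody"]
    current = chain[-1]["holder"]
    if from_holder != current:
        raise ValueError(f"{item}: current holder is {current!r}, not {from_holder!r}")
    chain.append({"time": _now(), "holder": to_holder, "purpose": purpose, "from": from_holder})


def verify_manifest(manifest):
    """Re-hash every item; True means the bytes are unchanged since acquisition."""
    return {name: sha256_file(rec["path"]) == rec["sha256"]
            for name, rec in manifest["items"].items()}


def save_manifest(manifest, path):
    """Write the manifest and return its own hash, to be stored out of band."""
    Path(path).write_text(json.dumps(manifest, indent=2))
    return sha256_file(path)


def build_sample_evidence():
    """Constructed stand-ins for a memory dump, a disk image, a note and an empty file."""
    d = Path(tempfile.mkdtemp(prefix="evidence-"))
    (d / "ws-042-memory.raw").write_bytes(b"\x00" * 1024 + b"MZ" + b"\x90" * 500)
    (d / "ws-042-disk.E01").write_bytes(b"EVF\x09\x0d\x0a\xff\x00" + b"\x11" * 2048)
    (d / "ransom-note.txt").write_text("constructed sample note: your files are encrypted")
    (d / "empty.bin").write_bytes(b"")
    return d


def run_demo():
    """Acquire, hand off, reject a broken hand-off, then catch a tampered file."""
    d = build_sample_evidence()
    m = create_manifest("IR-2024-001", sorted(d.glob("*")), "j.doe")
    before = verify_manifest(m)
    record_transfer(m, "ws-042-disk.E01", "j.doe", "evidence-locker", "secure storage")
    try:
        # j.doe no longer holds the image, so this transfer must be refused.
        record_transfer(m, "ws-042-disk.E01", "j.doe", "insurer-forensics", "analysis")
        rejected = False
    except ValueError:
        rejected = True
    (d / "ransom-note.txt").write_text("tampered")   # simulate a post-acquisition change
    after = verify_manifest(m)
    manifest_hash = save_manifest(m, d / "manifest.json")
    return {"before": before, "after": after, "rejected_bad_transfer": rejected,
            "chain_len": len(m["items"]["ws-042-disk.E01"]["custody"]),
            "empty_sha256": m["items"]["empty.bin"]["sha256"],
            "manifest_hash": manifest_hash}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest's own hash (returned by save_manifest) somewhere the evidence handlers cannot write to: the manifest proves the files, and that hash proves the manifest.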

Communication & Coordination

Ransomware incidents require coordinated communication with multiple stakeholders: internal leadership, legal counsel, law enforcement, customers, and potentially media. Poorly managed communications amplify reputational damage.

Internal Communication Priorities:

1. Executive Leadership (Immediate)

Brief the C-suite and board within the first 2 hours. Focus on: business impact, ransom demand, recovery timeline, regulatory obligations, reputation risk. Request decision-making authority for payment/recovery choices.

2. Legal Counsel (Immediate)

Engage the legal team or external counsel immediately. They provide: attorney-client privilege protection (engage forensic vendors through counsel to preserve it), regulatory guidance (breach notification laws), contract review (SLA obligations, insurance claims), negotiation oversight.

3. Law Enforcement (First 4 Hours)

Contact the appropriate agencies:

  • FBI Internet Crime Complaint Center (IC3): file a report at ic3.gov
  • U.S. Secret Service (financial crimes jurisdiction)
  • Local FBI field office: may provide on-site assistance
  • CISA (Cybersecurity and Infrastructure Security Agency) for critical infrastructure

Notifying law enforcement does not prevent paying a ransom (payment is legal in the U.S. unless the recipient is a sanctioned entity; see the OFAC note under Ransom Negotiation Framework). Law enforcement can provide decryption assistance, threat intelligence, and in some cases recovery of funds.

4. Insurance Carrier (First 24 Hours)

Notify the cyber insurance carrier. Carriers often provide: a breach coach (attorney), forensic vendors, ransom negotiation services, public relations assistance, coverage determination. CRITICAL: Follow policy requirements (notification window, approved vendor panel, consent before any payment) to avoid claim denial.

Recovery Options & Decision Framework

Organizations face a critical decision: pay the ransom or pursue technical recovery. This is a business decision, not a purely technical one, requiring input from leadership, legal, insurance, and law enforcement.

Decision Timeframe

Most ransomware operators allow a negotiation window, commonly 48-72 hours, before raising the price or publishing stolen data. Rushed decisions lead to poor outcomes; balance urgency with thorough analysis.

Recovery Path Analysis:

✓ Backup Recovery (Preferred)

Restore from clean backups without ransom payment.

Requirements:

  • Verified clean backups (pre-encryption timestamps, integrity checked)
  • Acceptable data loss window (RPO: hours, days, weeks?)
  • Sufficient restoration capacity and time (RTO)
  • Confidence that the initial access vector is remediated

Risks:

  • Data loss between the last backup and encryption
  • Extended downtime during restoration (days to weeks)
  • Reinfection if attacker persistence is not eliminated
  • Stolen data may still be published (if exfiltrated)

⚠ Ransom Payment

Pay the attackers for a decryption key and, possibly, a promise to delete stolen data.

Considerations:

  • Faster recovery (decryption typically 24-72 hours)
  • No guarantee the decryptor works or recovers every file
  • Funds criminal operations (ethical/legal concerns)
  • May violate sanctions if the attacker is in a sanctioned country (OFAC review required)

Risks:

  • Decryptor may be slow, buggy, or incomplete (test it on copies before trusting it)
  • No assurance stolen data is actually deleted
  • Marks the organization as "willing to pay" (repeat targeting)
  • Reputational damage if payment becomes public

Ransom Negotiation Framework

⚠️ Legal & Ethical Considerations

Ransom payment is legal in most jurisdictions UNLESS the attacker is a sanctioned entity (e.g., North Korea, sanctioned Russian groups). In the U.S., OFAC (Office of Foreign Assets Control) sanctions screening must be completed before any payment; OFAC can impose civil penalties for paying a sanctioned party on a strict-liability basis. Consult legal counsel and consider the ethical implications of funding criminal operations.

If the decision is made to negotiate, experienced negotiators can substantially reduce the ransom amount and improve the reliability of decryptor delivery. Most cyber insurance policies include negotiation services.

Negotiation Fundamentals:

1. Establish Communication

Follow the instructions in the ransom note to contact the attackers, typically via a Tor-based chat portal or Tox messenger. Use a dedicated, non-attributable channel, never corporate email, and reveal no more about your identity than the negotiation requires.

2. Verify Decryption Capability

Request proof: ask the attackers to decrypt 1-2 sample files before any payment. Established operators routinely comply because refusal kills the deal; a refusal is a red flag that they may not hold a working decryptor.

3. Understand Demands

Clarify what payment includes: decryption key only? Data deletion promise? Proof of deletion? Non-disclosure agreement? Timeline for delivery?

4. Negotiate Reduction

The initial demand is a starting point. Experienced negotiators achieve significant reductions by emphasizing financial constraints, reputation concerns, and willingness to walk away.

Never Rush

Attackers create artificial urgency ("price doubles in 24 hours"). Professional negotiators slow the process, demonstrating patience and willingness to explore alternatives. Most deadlines are negotiable.

System Recovery & Restoration

Whether recovering via backups or decryption, the restoration process must be methodical. Rushing leads to incomplete recovery, reinfection, or overlooked damage. Plan for 7-21 days of intensive recovery effort.

Recovery Sequence:

1. Rebuild Core Infrastructure (Phase 1)

Start with foundational systems in an isolated environment:

  • Domain controllers (rebuild from scratch; do not restore a compromised DC from backup, and reset all privileged and service credentials before trusting the rebuilt directory)
  • DNS and DHCP servers
  • File servers (prioritize by business criticality)
  • Email infrastructure (critical for business continuity)

DO NOT connect to the production network until hardening is complete and malware eradication is verified.

2. Malware Eradication (Parallel)

While infrastructure rebuilds, eliminate the attacker's presence: remove all detected malware, delete unauthorized accounts, remove persistence mechanisms (scheduled tasks, services, registry run keys, startup items), and patch the exploited vulnerabilities.

3. Data Restoration (Phase 2)

Restore data from clean backups OR decrypt using the ransomware decryptor:

  • Test the decryptor on copies of non-critical files first (decryptors can be buggy)
  • Verify file integrity post-decryption (check file headers, test applications)
  • Prioritize restoration: tier 1 (revenue-critical), tier 2 (operational), tier 3 (nice-to-have)
  • Document any data loss or corruption for stakeholder reporting

4. Application Recovery (Phase 3)

Restore business applications in dependency order: databases first, application servers second, web frontends last. Test each layer before proceeding.

5. Endpoint Recovery (Phase 4)

User workstations are recovered last. Many organizations re-image rather than attempt cleanup; it is faster and more reliable than forensic cleaning.
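The "verify file integrity post-decryption" step above can be automated by comparing each restored file's first bytes with the header its extension implies. The following Python is an added example, not from the playbook: it walks a constructed restore tree and reports files that still carry a ransomware extension, are empty, or whose header does not match their extension. The magic-byte table covers only a few common formats and is an assumption; extend it for the formats your business runs on.

```python
"""Check restored or decrypted files against the header their extension implies.

Added example, not code from the SBK playbook.  The sample tree is
constructed in a temporary directory and the magic-byte table is an
assumption limited to a few common formats."""
import os
import tempfile
from pathlib import Path

MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".sqlite": (b"SQLite format 3\x00",),
}
LEFTOVER_EXTENSIONS = {".lockbit", ".encrypted", ".locked", ".cl0p", ".clop"}


def check_file(path: Path):
    """Return (status, detail) where status is 'ok', 'unverified' or 'failed'."""
    suffix = path.suffix.lower()
    if suffix in LEFTOVER_EXTENSIONS:
        return "failed", "still carries a ransomware extension"
    if path.stat().st_size == 0:
        return "failed", "empty file"
    expected = MAGIC.get(suffix)
    if expected is None:
        # Say so explicitly rather than reporting an unchecked file as good.
        return "unverified", "no header rule for this extension"
    head = path.read_bytes()[:16]
    if head.startswith(expected):
        return "ok", "header matches"
    return "failed", f"header {head[:4]!r} does not match {suffix}"


def verify_tree(root):
    """Classify every file under root; paths are reported relative with '/' separators."""
    root = Path(root)
    report = {"ok": [], "unverified": [], "failed": {}}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        status, detail = check_file(p)
        rel = str(p.relative_to(root)).replace(os.sep, "/")
        if status == "failed":
            report["failed"][rel] = detail
        else:
            report[status].append(rel)
    return report


def build_sample_restore():
    """Constructed restore output: two good files, one unverifiable, three failures."""
    root = Path(tempfile.mkdtemp(prefix="restore-check-"))
    (root / "contracts").mkdir()
    (root / "contracts" / "msa.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    (root / "contracts" / "sow.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (root / "logo.png").write_bytes(b"\x9d\x3f" + os.urandom(254))      # decryptor output is still ciphertext
    (root / "ledger.xlsx.lockbit").write_bytes(os.urandom(256))         # never decrypted
    (root / "notes.txt").write_bytes(b"plain text, no header rule")
    (root / "empty.gif").write_bytes(b"")                               # truncated by the decryptor
    return root


if __name__ == "__main__":
    report = verify_tree(build_sample_restore())
    print("ok:", report["ok"])
    print("unverified:", report["unverified"])
    for rel, why in report["failed"].items():
        print(f"FAILED {rel}: {why}")
```

A file whose extension has no rule is reported as unverified rather than ok, so the report never hides what it did not check. Decryptors commonly leave zero-byte files and untouched ciphertext behind, which are exactly the two failure classes the sample tree contains; application-level tests (opening the database, mounting the archive) remain necessary for the files that pass.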
⚠️ Reinfection Risk

A significant share of ransomware victims are hit again within weeks because the initial access vector was never eliminated. Prioritize root cause remediation before reconnecting systems.

Post-Incident Hardening

Recovery is not complete until root causes are remediated and security posture is strengthened. Organizations that skip post-incident hardening are far more likely to be hit again.

Root Cause Analysis

Conduct a thorough root cause analysis within 30 days of the incident. Identify: initial access vector, privilege escalation method, lateral movement technique, defense evasion tactics, and the security control gaps that allowed the attack.

Immediate Hardening Actions:

1. Patch Management Overhaul

Address the patch gaps that enabled initial access:

  • Emergency patching of all critical vulnerabilities (0-7 days), starting with internet-facing systems
  • Implement automated patch deployment for endpoints and servers
  • Virtual patching for systems that cannot be patched (legacy/EOL)
  • Establish a formal patch SLA: critical (7 days), high (30 days), medium (90 days)

2. Backup Architecture Redesign

Ensure backups survive future attacks:

  • Implement the 3-2-1 rule: 3 copies, 2 media types, 1 offsite/offline
  • Air-gapped or immutable backups (cannot be encrypted or deleted with credentials an attacker obtains in the domain)
  • Regular restoration testing (quarterly for critical systems)
  • Separate backup admin accounts from domain admin accounts

3. Access Control Hardening

Implement the principle of least privilege: disable local admin rights on workstations, remove unnecessary domain admin accounts, implement privileged access management (PAM), and enforce MFA for all accounts (especially admin and remote access).

4. Network Segmentation

Limit lateral movement: segment critical assets (domain controllers, backups, databases), implement internal firewalls with strict rules, disable SMB/RDP where not required, and require jump hosts for admin access.

Regulatory Reporting & Compliance

Ransomware incidents often trigger multiple regulatory reporting obligations. Failure to report within the required timeframes can result in substantial fines on top of incident costs.

⚠️ Reporting Deadlines Are Strict

Reporting clocks start from incident discovery or the determination of materiality, NOT from completion of the investigation. Consult legal counsel immediately to determine obligations.

Key Reporting Requirements:

GDPR (EU/EEA Residents)

  • Trigger: Personal data breach likely to result in risk to rights and freedoms
  • Regulator Notification: 72 hours to the supervisory authority (from awareness)
  • Individual Notification: Without undue delay if high risk to individuals
  • Content: Nature of breach, categories and number of affected individuals, likely consequences, measures taken/proposed
  • Penalties: Up to €20M or 4% of annual global turnover (whichever is higher)

SEC (Public Companies - U.S.)

  • Trigger: Cybersecurity incident determined to be material
  • Deadline: 4 business days from the materiality determination (Form 8-K Item 1.05); the determination itself must be made without unreasonable delay
  • Content: Material aspects of nature, scope, timing; material impact or reasonably likely material impact
  • Delay: Possible if immediate disclosure poses a substantial risk to national security or public safety (U.S. Attorney General determination)
  • Related incidents: the rule defines a cybersecurity incident to include a series of related unauthorized occurrences, so related intrusions that are immaterial alone may be material together; the separately proposed Form 10-K aggregation of immaterial incidents was not adopted in the final rule, but Form 10-K (Regulation S-K Item 106) does require annual disclosure of cyber risk management, strategy and governance

HIPAA (Healthcare - U.S.)

  • Trigger: Breach of unsecured protected health information (PHI); HHS guidance treats encryption of ePHI by ransomware as a presumed breach unless a documented risk assessment shows a low probability of compromise
  • Large Breaches (500+ individuals): HHS Office for Civil Rights without unreasonable delay and no later than 60 days from discovery, plus prominent media notification when more than 500 residents of a state or jurisdiction are affected
  • Small Breaches (<500): Logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered
  • Individual Notification: Within 60 days of discovery
  • Penalties: $100-$50,000 per violation, up to $1.5M per year per violation category (statutory amounts, adjusted annually for inflation)

Post-Incident Review & Continuous Improvement

A formal post-incident review is the most valuable output of a ransomware incident. Organizations that conduct thorough retrospectives are markedly less likely to be reinfected and respond faster the next time.

Post-Incident Review Framework:

1. Facilitate Blameless Retrospective

Conduct within 30 days of incident closure. Include: IR team, security operations, IT operations, affected business units, leadership. Focus on process and control gaps, not individual blame.

2. Document Timeline

Create a detailed timeline from initial compromise through full recovery. Identify critical decision points, delays, successes, and failures. A visual timeline aids understanding.

3. Analyze What Worked

Positive outcomes to reinforce:

  • Effective detection mechanisms
  • Successful containment actions that prevented wider spread
  • Strong stakeholder communication
  • Backup recovery capabilities
  • Team collaboration and decision-making under pressure

4. Identify Improvement Areas

Gaps to address:

  • Technical control gaps (missing EDR, inadequate segmentation)
  • Process failures (delayed escalation, unclear roles)
  • Resource constraints (insufficient backup capacity, limited IR team)
  • Communication breakdowns (legal delays, customer notification issues)

5. Create Action Plan

Prioritize improvements by impact and feasibility. Assign owners, set deadlines, allocate budget. Track completion via the project management system. Report progress to leadership quarterly.