Incident Response Playbook for Ransomware Attacks (Updated 2025)

This Ransomware Incident Response Playbook provides a structured approach for handling ransomware attacks, ensuring rapid detection, containment, remediation, and recovery. This guide incorporates modern security measures, best practices, and response coordination techniques.

1. Preparation

Objective: Strengthen defences and establish procedures to respond effectively to ransomware incidents.

Key Steps:

1. Establish Security Controls:

   • Deploy Endpoint Detection and Response (EDR) solutions across endpoints and servers.

   • Ensure that antivirus, Intrusion Detection Systems (IDS), and email security gateways are fully operational and updated.

   • Implement network segmentation to isolate critical systems.

2. Develop a Backup Strategy:

   • Follow the 3-2-1 rule:

     • Maintain three copies of data.

     • Store data in two different formats (e.g., hard drive, cloud storage).

     • Keep one copy off-site.

   • Regularly test backup integrity to ensure it is not compromised by ransomware.

3. Threat Intelligence Integration:

   • Monitor and block known Indicators of Compromise (IOCs) from threat intelligence feeds.

   • Enable automated alerts for ransomware activity on critical infrastructure.

4. Raise Awareness:

   • Train employees to recognise phishing attempts, malicious attachments, and suspicious links.

   • Prepare communication templates for internal and external stakeholders to be used in case of an incident.

5. Plan Incident Escalation:

   • Maintain an incident escalation plan, including contacts for SOC analysts, CERTs, and external response teams.

2. Identification

Objective: Detect ransomware infections, determine their scope, and notify relevant stakeholders.

Common Indicators of Ransomware:

1. System Symptoms:

   • A ransom message appears, notifying users of encrypted files and demanding payment.

   • Files are renamed with unusual extensions (e.g., .lock, .enc).

   • Access to files or network shares is denied, with users reporting corruption or missing data.

2. Anomalous Activity:

   • High volumes of file modifications in a short period.

   • Sudden spikes in network traffic to Command-and-Control (C2) servers.

   • Connections to known Tor gateways or cryptocurrency payment sites.

3. EDR and Monitoring Alerts:

   • Alerts from antivirus, EDR, or SIEM tools indicating malicious activity.

   • Abnormal account logins, especially involving privileged accounts.

Steps:

1. Document Initial Findings:

   • Record details such as timestamps, affected systems, and ransom messages.

   • Preserve logs from security tools (e.g., EDR, firewalls, file servers).

2. Assess Scope:

   • Identify all infected devices and connected network segments.

   • Use YARA or automated forensic tools to detect ransomware artefacts across the environment.

3. Notify Teams:

   • Alert internal security teams, IT operations, and management.

   • Engage external response teams if necessary.

3. Containment

Objective: Prevent further damage and limit the spread of ransomware.

Steps:

1. Isolate Affected Systems:

   • Disconnect infected machines from the network but keep them powered on for memory forensics.

   • Block network traffic to known C2 servers and malicious IP addresses.

2. Disable Compromised Accounts:

   • Lock compromised user and administrator accounts to prevent lateral movement.

3. Limit Network Access:

   • Disconnect or restrict access to shared drives and sensitive resources.

4. Initiate Communication:

   • Issue a public statement if customer or partner data is affected.

   • Provide clear instructions to employees to prevent further data exposure.

4. Remediation

Objective: Remove the ransomware threat and secure the environment against future incidents.

Steps:

1. Eliminate Entry Points:

   • Identify and close the attack vectors, such as vulnerable RDP servers or phishing emails.

   • Remove ransomware binaries, scripts, and backdoors from affected systems.

2. Apply Security Patches:

   • Patch all known vulnerabilities in the operating system and applications.

   • Implement hardened security configurations for network access and remote services.

3. Strengthen Access Controls:

   • Enforce stricter password policies and implement multi-factor authentication (MFA) for critical accounts.

4. Notify Service Providers:

   • Inform endpoint and network security vendors to improve detection capabilities for future attacks.

5. Recovery

Objective: Restore systems to normal operation, ensuring data integrity and security.

Steps:

1. Reimage Systems:

   • Perform a clean reinstallation of affected operating systems and applications where necessary.

2. Restore Data:

   • Restore files from verified clean backups.

   • Ensure that backups are free of ransomware before restoring.

3. Credential Reset:

   • Reset all passwords for compromised accounts, including privileged accounts and service credentials.

4. Network Monitoring:

   • Resume full network operations with enhanced monitoring for abnormal traffic and malware artefacts.

   • Apply geo-blocking on firewalls to restrict access from high-risk regions.

5. Test Systems:

   • Verify the integrity and performance of restored systems and applications.

6. Lessons Learned

Objective: Document the incident and improve security measures for future incidents.

Steps:

1. Incident Report:

   • Include key details such as:

     • Initial infection vectors.

     • Actions taken during each response phase.

     • Indicators of compromise and attack techniques.

2. Post-Incident Review:

   • Conduct a review with stakeholders to identify strengths and weaknesses in the response process.

   • Update response plans, detection tools, and security policies based on findings.

3. Security Enhancements:

   • Improve endpoint protection, access controls, and backup processes.

   • Implement additional awareness training focused on ransomware prevention.

4. Threat Intelligence Sharing:

   • Share IOCs and lessons learned with industry partners and threat intelligence networks.

Conclusion

This Ransomware Incident Response Playbook equips organisations with a robust framework to detect, contain, remediate, and recover from ransomware attacks. Continuous updates to detection capabilities, training, and security infrastructure are essential to reducing the impact of future incidents.

For additional support, including automated response scripts, forensic tools, and incident reporting templates, please contact the cybersecurity operations team.