Ransomware Response Playbook


RANSOMWARE RESPONSE PLAYBOOK

[ORGANIZATION NAME]

Classification: Confidential
Document Owner: [CISO/Security Director]
Effective Date: [DATE]
Last Tested: [DATE]


TABLE OF CONTENTS

  1. Purpose and Scope
  2. Ransomware Overview
  3. Pre-Incident Preparation
  4. Detection and Initial Response
  5. Containment Procedures
  6. Investigation and Analysis
  7. Eradication and Recovery
  8. Communication Protocols
  9. Ransom Payment Decision Framework
  10. Post-Incident Activities
  11. Quick Reference Checklists

1. PURPOSE AND SCOPE

1.1 Purpose

This playbook provides step-by-step guidance for responding to ransomware incidents affecting [ORGANIZATION NAME]. It is designed to:

  • Enable rapid and coordinated response to ransomware attacks
  • Minimize damage and data loss
  • Preserve evidence for investigation and potential prosecution
  • Guide recovery decisions including ransom payment considerations
  • Ensure compliance with legal and regulatory notification requirements

1.2 Scope

This playbook applies to all ransomware incidents affecting:

☐ Corporate networks and systems

☐ Cloud environments

☐ Operational technology (OT) systems

☐ Third-party hosted systems containing organizational data

☐ Employee devices (including BYOD)

1.3 Activation Criteria

This playbook should be activated when:

☐ Ransomware is detected on any organizational system

☐ Ransom note is discovered

☐ Multiple systems show signs of encryption

☐ Threat intelligence indicates imminent ransomware attack

☐ Third-party notifies of ransomware affecting shared data


2. RANSOMWARE OVERVIEW

2.1 Common Ransomware Indicators

Technical Indicators:

  • Files with unusual extensions (.encrypted, .locked, .crypted, etc.)
  • Ransom notes (README.txt, DECRYPT_INSTRUCTIONS.html, etc.)
  • Inability to open files that were previously accessible
  • Unusual CPU/disk activity
  • Services or processes terminating unexpectedly
  • Network connections to known malicious IPs/domains
  • Volume shadow copies deleted
  • Security tools disabled

User-Reported Indicators:

  • Desktop wallpaper changed to ransom message
  • Pop-up windows displaying ransom demands
  • Files renamed or inaccessible
  • Computer running slowly or unresponsively
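
Worked example (added here; it is not part of the playbook template): the Python script below scores constructed endpoint telemetry against the technical indicators listed above and assigns the response priority used in section 4.1. The extension list, the ransom note name pattern, the shadow copy deletion pattern, the host names and the process name edr_agent.exe are illustrative assumptions; MsMpEng.exe is the Microsoft Defender engine process. A real deployment would feed EDR or SIEM events into triage() and extend the indicator lists from current threat intelligence.

```python
"""Triage constructed endpoint telemetry against common ransomware indicators.

Added example, not part of the playbook. Indicator lists are illustrative
starting points (assumption: extend them from current threat intelligence).
"""
import re
from collections import defaultdict

# Illustrative extensions seen on encrypted files; extend from threat intel.
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypted"}
# Ransom note file names commonly follow README / DECRYPT / RESTORE patterns.
# Benign README files will also match, so this is a triage signal, not proof.
RANSOM_NOTE_RE = re.compile(
    r"(readme|decrypt|restore|recover)[^/\\]*\.(txt|html|hta)$", re.IGNORECASE
)
# Command lines that delete volume shadow copies (the "shadow copies deleted"
# indicator); vssadmin and wmic are the usual utilities involved.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
# MsMpEng.exe is the Defender engine; edr_agent.exe is a placeholder name.
SECURITY_TOOL_IMAGES = {"MsMpEng.exe", "edr_agent.exe"}


def triage(events, rename_threshold=20):
    """Return {host: {"findings": [...], "priority": ...}} for hosts with indicators.

    Mass renames to encrypted extensions, ransom notes and shadow copy
    deletion map to the 'Immediate' priority of section 4.1; a lone security
    tool termination is rated 'High' pending confirmation.
    """
    renames = defaultdict(int)
    findings = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file_rename":
            path = ev["path"].lower()
            ext = "." + path.rsplit(".", 1)[-1] if "." in path else ""
            if ext in SUSPICIOUS_EXTENSIONS:
                renames[host] += 1
        elif ev["type"] == "file_create":
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
            if RANSOM_NOTE_RE.search(name):
                findings[host].append(f"ransom note created: {ev['path']}")
        elif ev["type"] == "process_start":
            if SHADOW_DELETE_RE.search(ev["cmdline"]):
                findings[host].append(f"shadow copy deletion: {ev['cmdline']}")
        elif ev["type"] == "process_end":
            if ev["image"] in SECURITY_TOOL_IMAGES:
                findings[host].append(f"security tool terminated: {ev['image']}")
    for host, count in renames.items():
        if count >= rename_threshold:
            findings[host].append(f"{count} files renamed to suspicious extensions")
    result = {}
    for host, items in findings.items():
        strong = any(not f.startswith("security tool") for f in items)
        result[host] = {"findings": items, "priority": "Immediate" if strong else "High"}
    return result


def sample_events():
    """Constructed telemetry: one encrypting host, one with only a stopped agent."""
    events = [
        {"type": "file_rename", "host": "WS-FIN-07", "path": f"C:\\Share\\Q2\\report{i}.docx.locked"}
        for i in range(25)
    ]
    events += [
        {"type": "file_create", "host": "WS-FIN-07", "path": "C:\\Users\\jdoe\\Desktop\\README_DECRYPT.txt"},
        {"type": "process_start", "host": "WS-FIN-07", "cmdline": "vssadmin.exe delete shadows"},
        {"type": "process_end", "host": "WS-HR-02", "image": "MsMpEng.exe"},
        # Three renames on a server stay below the mass-rename threshold.
        *[{"type": "file_rename", "host": "SRV-DB-01", "path": f"D:\\tmp\\f{i}.locked"} for i in range(3)],
    ]
    return events


if __name__ == "__main__":
    for host, info in triage(sample_events()).items():
        print(host, info["priority"], *info["findings"], sep="\n  ")
```

The rename threshold is the main tuning knob: a handful of renamed files is normal user activity, whereas dozens within one telemetry batch is the mass-encryption signature the first row of the 4.1 table refers to.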

2.2 Common Ransomware Attack Vectors

| Vector | Description | Prevention |
|--------|-------------|------------|
| Phishing Email | Malicious attachments or links | Email filtering, user training |
| Remote Desktop Protocol (RDP) | Compromised RDP credentials | MFA, network segmentation |
| Software Vulnerabilities | Unpatched systems exploited | Patch management |
| Malicious Websites | Drive-by downloads | Web filtering, browser isolation |
| Removable Media | Infected USB drives | Device control policies |
| Supply Chain | Compromised software/updates | Vendor security assessment |
| Insider Threat | Malicious or negligent insider | Access controls, monitoring |

2.3 Common Ransomware Families (Reference)

[NOTE: This list is for reference only and should be updated regularly]

  • LockBit
  • BlackCat/ALPHV
  • Cl0p
  • Royal
  • Black Basta
  • Play
  • [Current variants]

3. PRE-INCIDENT PREPARATION

3.1 Technical Preparations

Backup Readiness

☐ Backups are performed according to policy

☐ Backups are stored offline or air-gapped

☐ Backups are encrypted

☐ Backup restoration has been tested within last [90] days

☐ Backup integrity monitoring is in place

☐ Immutable backup storage is implemented

Backup Verification:
| System/Data | Last Backup | Last Test | RTO | RPO |
|-------------|-------------|-----------|-----|-----|
| [SYSTEM] | [DATE] | [DATE] | [TIME] | [TIME] |
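
Worked example (added here; not part of the playbook template): the Python check below turns the Backup Verification table into an automated readiness test, flagging any system whose latest backup is older than its RPO or whose restore test is older than the [90]-day window in the checklist. The system names, dates and RPO values are constructed placeholders; the compact duration format (30m, 4h, 2d) is an assumption about how the table is filled in.

```python
"""Check backup table rows against RPO and the restore-test window.

Added example, not part of the playbook. Rows and dates are constructed;
the 90-day test window from the checklist is the default.
"""
from datetime import datetime, timedelta

DURATION_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def parse_duration(text):
    """Parse compact RPO/RTO values such as '30m', '4h' or '2d'."""
    value, unit = int(text[:-1]), text[-1]
    return timedelta(**{DURATION_UNITS[unit]: value})


def check_backups(rows, as_of, test_window_days=90):
    """Return (system, problem) pairs for rows that miss RPO or the test window."""
    problems = []
    for row in rows:
        age = as_of - datetime.fromisoformat(row["last_backup"])
        since_test = as_of - datetime.fromisoformat(row["last_test"])
        if age > parse_duration(row["rpo"]):
            problems.append((row["system"], f"RPO {row['rpo']} exceeded, last backup {age} ago"))
        if since_test > timedelta(days=test_window_days):
            problems.append((row["system"], f"restore not tested in {since_test.days} days"))
    return problems


# Constructed rows mirroring the Backup Verification table columns.
SAMPLE_ROWS = [
    {"system": "ERP-DB-01", "last_backup": "2024-06-01T01:00", "last_test": "2024-05-20T00:00",
     "rto": "4h", "rpo": "4h"},
    {"system": "FILE-SRV-01", "last_backup": "2024-05-30T22:00", "last_test": "2024-01-15T00:00",
     "rto": "8h", "rpo": "24h"},
]
AS_OF = datetime.fromisoformat("2024-06-01T03:00")

if __name__ == "__main__":
    for system, problem in check_backups(SAMPLE_ROWS, AS_OF):
        print(f"{system}: {problem}")
```

Run this on a schedule against the live table rather than only during an incident: an untested or stale backup discovered after encryption removes Recovery Option 1 from section 7.2 when it is needed most.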

Network Segmentation

☐ Network segments are documented

☐ Critical systems are isolated

☐ Inter-segment traffic is restricted and monitored

☐ OT/IT network separation is implemented

Endpoint Protection

☐ EDR deployed on all endpoints

☐ Anti-ransomware capabilities enabled

☐ Controlled folder access enabled (where applicable)

☐ Application whitelisting implemented for critical systems

Identity and Access

☐ Privileged accounts are secured with MFA

☐ Service accounts are inventoried and secured

☐ Emergency "break glass" accounts are prepared

☐ Tiered administrative model implemented

3.2 Administrative Preparations

Contact Lists

Internal Contacts:
| Role | Primary | Backup | Phone | Email |
|------|---------|--------|-------|-------|
| Incident Response Manager | | | | |
| CISO | | | | |
| CIO | | | | |
| CEO/Executive | | | | |
| General Counsel | | | | |
| Communications/PR | | | | |
| IT Operations Lead | | | | |

External Contacts:
| Resource | Organization | Contact | Retainer/Contract |
|----------|--------------|---------|-------------------|
| IR Retainer | [FIRM] | [CONTACT] | [YES/NO] |
| Forensics | [FIRM] | [CONTACT] | [YES/NO] |
| Legal (Privacy) | [FIRM] | [CONTACT] | [YES/NO] |
| Cyber Insurance | [CARRIER] | [CONTACT] | Policy #: |
| FBI | Local Field Office | [NUMBER] | N/A |
| CISA | | 1-888-282-0870 | N/A |
| Ransom Negotiator | [FIRM] | [CONTACT] | [YES/NO] |

Documentation Ready

☐ Network diagrams current

☐ System inventories current

☐ Critical system list documented

☐ Recovery procedures documented

☐ Chain of custody forms prepared


4. DETECTION AND INITIAL RESPONSE

4.1 Detection Sources

| Source | Alert Type | Response Priority |
|--------|------------|-------------------|
| EDR Alert | Ransomware behavior detected | Immediate |
| SIEM Alert | Encryption activity patterns | Immediate |
| User Report | Files inaccessible | Immediate |
| System Monitoring | High CPU/disk usage | High |
| Network Monitoring | C2 communication detected | Immediate |
| Threat Intel | Active campaign targeting sector | High |

4.2 Initial Response Actions (First 15 Minutes)

DO NOT:
☐ Reboot or power off affected systems (may cause data loss)
☐ Run anti-malware scans on affected systems (may trigger deadman switches)
☐ Delete ransom notes (evidence)
☐ Contact attackers without legal/executive approval
☐ Announce the incident publicly without approval

DO:

Document everything - timestamp all observations and actions

Alert incident response team using established communication channels

Isolate affected systems from the network (but keep powered on)

  • Disconnect network cables
  • Disable Wi-Fi
  • Do NOT power off

Capture initial evidence (photographs of screens, ransom notes)

Identify scope - how many systems appear affected?

Activate incident response plan - declare severity level

4.3 Severity Classification

| Severity | Criteria | Response |
|----------|----------|----------|
| Critical | Multiple systems encrypted, critical services affected, data exfiltration suspected | Full IRT activation, executive notification, external IR engagement |
| High | Single department affected, non-critical systems encrypted | IRT activation, management notification |
| Medium | Single system affected, contained | Security team response, monitoring |

5. CONTAINMENT PROCEDURES

5.1 Network Containment

Immediate Network Actions:

☐ Isolate affected network segments at the firewall/switch level

☐ Block known malicious IPs/domains at perimeter

☐ Disable compromised user accounts

☐ Reset passwords for:

  • All administrative accounts
  • Service accounts with network access
  • Accounts on affected systems

☐ Disable remote access (VPN, RDP) temporarily if attack vector is unknown

☐ Monitor network for lateral movement

☐ Implement firewall rules to restrict internal traffic if needed

Network Isolation Decision Matrix:

| Scenario | Recommended Action |
|----------|--------------------|
| Single endpoint affected | Isolate endpoint from network |
| Multiple endpoints in one segment | Isolate network segment |
| Spread across segments | Consider broader network isolation |
| OT systems affected | Immediate OT network isolation |
| Active lateral movement | Aggressive isolation measures |

5.2 System Containment

For Each Affected System:

☐ Disconnect from network (do not power off)

☐ Document system name, IP, last known user, symptoms

☐ Capture volatile memory (RAM) if forensics capability available

☐ Note any visible ransom notes or instructions

☐ Preserve logs before they rotate

☐ Tag system for forensic analysis

Volatile Evidence Collection (if trained):

  1. Capture RAM dump using approved forensic tool
  2. Document running processes
  3. Document network connections
  4. Capture filesystem metadata
  5. Preserve event logs
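
Worked example (added here; not part of the playbook template): once the RAM dump, process list, connection list and log exports above have been captured, the Python script below hashes each artifact into a chain-of-custody manifest and can re-verify the manifest later, which is what the chain of custody forms in section 3.2 record on paper. The host name, collector name and artifact contents written by demo() are constructed placeholders standing in for real forensic output.

```python
"""Hash collected artifacts into a chain-of-custody manifest and re-verify it.

Added example, not part of the playbook. File names, host name and
collector are constructed placeholders; the files written by demo() stand
in for real memory images, process lists and exported logs.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte memory images fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entries_digest(entries):
    """Hash the entry list itself so edits to the manifest are also detectable."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def build_manifest(artifact_paths, hostname, collector):
    """Record name, size, SHA-256 and UTC collection time for each artifact."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [
        {"name": Path(p).name, "path": str(p), "size": Path(p).stat().st_size,
         "sha256": sha256_file(p), "collected_utc": now}
        for p in artifact_paths
    ]
    return {"hostname": hostname, "collector": collector, "created_utc": now,
            "artifacts": entries, "entries_sha256": entries_digest(entries)}


def verify_manifest(manifest):
    """Return a list of problems; an empty list means every artifact still matches."""
    problems = []
    if entries_digest(manifest["artifacts"]) != manifest["entries_sha256"]:
        problems.append("manifest entries were modified")
    for entry in manifest["artifacts"]:
        path = Path(entry["path"])
        if not path.exists():
            problems.append(f"missing: {entry['name']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    return problems


def demo():
    """Collect constructed artifacts, verify, then alter one and verify again."""
    workdir = Path(tempfile.mkdtemp(prefix="ir-evidence-"))
    (workdir / "processes.txt").write_text("PID 4120 explorer.exe\nPID 5532 unknown.exe\n")
    (workdir / "connections.txt").write_text("10.0.5.23:49812 -> 203.0.113.7:443 ESTABLISHED\n")
    (workdir / "eventlog_export.txt").write_text("constructed event log export\n")
    manifest = build_manifest(sorted(workdir.glob("*.txt")), "WS-FIN-07", "analyst-placeholder")
    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(manifest)
    (workdir / "connections.txt").write_text("altered after collection\n")  # simulate tampering
    return clean, verify_manifest(manifest)


if __name__ == "__main__":
    print(demo())
```

Store the manifest alongside the evidence and record its entries_sha256 value on the signed chain of custody form; anyone who later handles the artifacts can rerun verify_manifest() to show nothing changed in transit.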

5.3 Account Containment

☐ Disable compromised accounts (do not delete)

☐ Force logout of active sessions

☐ Review recent account activity for affected users

☐ Reset credentials for accounts with elevated privileges

☐ Enable enhanced monitoring for privileged accounts

☐ Review and revoke unnecessary service account permissions


6. INVESTIGATION AND ANALYSIS

6.1 Scoping the Incident

Questions to Answer:

☐ What is the initial infection vector?

☐ When did the infection occur? (Patient zero timeline)

☐ How many systems are affected?

☐ What data may be compromised?

☐ Has data been exfiltrated? (check for double-extortion)

☐ What ransomware variant is involved?

☐ Are there indicators of persistent access?

☐ Are backup systems affected?

6.2 Ransomware Analysis

Ransom Note Analysis:

☐ Copy and preserve ransom note(s)

☐ Identify ransomware family from note content

☐ Note payment demands and deadlines

☐ Check for data leak threats (double extortion)

☐ Document contact methods provided by attackers

File Analysis:

☐ Document file extensions on encrypted files

☐ Collect sample encrypted files

☐ Check for decryption tool availability:

  • NoMoreRansom.org
  • Vendor decryptors
  • Security researcher tools

6.3 Data Exfiltration Assessment

Indicators of Data Exfiltration:

☐ Large outbound data transfers in logs

☐ Unusual cloud storage activity

☐ Archive files (.zip, .7z, .rar) created before encryption

☐ Staging directories with copied data

☐ Attacker claims data possession in ransom note

☐ Data appearing on leak sites

Assessment Actions:

☐ Review network flow logs for unusual egress

☐ Check cloud storage access logs

☐ Review file server access logs

☐ Monitor known leak sites for organization data

☐ Engage threat intelligence for leak monitoring
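
Worked example (added here; not part of the playbook template): the Python script below performs the first assessment action above, reviewing flow logs for unusual egress, over constructed sample lines. It sums bytes sent from each internal host to external destinations and flags hosts that exceed an absolute volume or sit far above the median host. The log line format, the RFC 1918 ranges treated as internal, the host addresses and the thresholds are all assumptions to adapt to the flow source (NetFlow/IPFIX, firewall or proxy logs) actually in use.

```python
"""Flag hosts with anomalous egress in constructed flow log lines.

Added example, not part of the playbook. The line format, internal ranges
and thresholds are assumptions; adapt them to the real flow source.
"""
import ipaddress
import re
import statistics
from collections import defaultdict

# Assumed flow line format: "<timestamp> src=<ip> dst=<ip> dport=<n> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$"
)
# RFC 1918 ranges treated as internal; everything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse flow lines, skipping malformed ones instead of aborting the review."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                          "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return flows


def egress_by_host(flows):
    """Sum bytes sent from each internal host to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_outliers(totals, absolute_gb=5.0, ratio=10.0):
    """Flag hosts over an absolute volume or far above the median host's egress."""
    if not totals:
        return []
    median = statistics.median(totals.values())
    flagged = []
    for host, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        gb = total / 1e9
        if gb >= absolute_gb or (median > 0 and total >= ratio * median):
            flagged.append((host, round(gb, 2)))
    return flagged


def analyze(lines, **thresholds):
    """Parse, aggregate and flag in one call; returns [(host, gigabytes), ...]."""
    return flag_outliers(egress_by_host(parse_flows(lines)), **thresholds)


# Constructed sample: one workstation pushes 12 GB to an external host overnight,
# a large internal transfer is ignored, and a malformed line is skipped.
SAMPLE_FLOWS = """\
2024-06-01T02:13:00Z src=10.0.5.23 dst=203.0.113.7 dport=443 bytes_out=4000000000
2024-06-01T02:41:00Z src=10.0.5.23 dst=203.0.113.7 dport=443 bytes_out=5000000000
2024-06-01T03:05:00Z src=10.0.5.23 dst=203.0.113.7 dport=443 bytes_out=3000000000
2024-06-01T02:20:00Z src=10.0.5.23 dst=10.0.9.10 dport=445 bytes_out=9000000000
2024-06-01T09:00:00Z src=10.0.5.24 dst=198.51.100.20 dport=443 bytes_out=40000000
2024-06-01T09:30:00Z src=10.0.5.25 dst=198.51.100.21 dport=443 bytes_out=65000000
2024-06-01T10:00:00Z src=10.0.7.8 dst=198.51.100.22 dport=443 bytes_out=20000000
this line is malformed and should be skipped
"""

if __name__ == "__main__":
    for host, gb in analyze(SAMPLE_FLOWS.splitlines()):
        print(f"{host}: {gb} GB to external destinations, review for staging and exfiltration")
```

A flagged host is a lead, not a conclusion: correlate its timestamps with the archive creation and staging directory indicators above and with the file server access logs before treating the transfer as exfiltration.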


7. ERADICATION AND RECOVERY

7.1 Eradication Checklist

Before Recovery:

☐ Attack vector identified and remediated

☐ All affected systems identified

☐ Malware fully analyzed

☐ Persistence mechanisms identified and removed

☐ Compromised credentials reset

☐ Vulnerabilities exploited are patched

☐ Enhanced monitoring in place

☐ Backup integrity verified

7.2 Recovery Options

Option 1: Restore from Backup (Preferred)

Prerequisites:
☐ Clean, verified backups available
☐ Backup system not affected
☐ Attack vector remediated

Process:

  1. Rebuild or reimage affected systems to clean state
  2. Restore data from verified clean backups
  3. Apply all security patches
  4. Reset all credentials
  5. Implement enhanced security controls
  6. Monitor closely for reinfection

Option 2: Decryption Tool (If Available)

Prerequisites:
☐ Decryption tool available for variant
☐ Tool verified safe by security team

Process:

  1. Test decryption on non-critical system first
  2. Verify file integrity after decryption
  3. Still rebuild systems for security
  4. Implement enhanced controls

Option 3: Decryption via Ransom Payment (Last Resort)

See Section 9 for decision framework.

7.3 Recovery Prioritization

| Priority | System Type | RTO Target |
|----------|-------------|------------|
| 1 | Safety/Life systems | Immediate |
| 2 | Revenue-generating systems | [X] hours |
| 3 | Customer-facing systems | [X] hours |
| 4 | Internal business systems | [X] days |
| 5 | Non-critical systems | [X] days |

7.4 Recovery Verification

For each recovered system:

☐ System functioning normally

☐ All security patches applied

☐ Security agents installed and reporting

☐ Latest backup verified

☐ No indicators of reinfection

☐ User access restored

☐ Application functionality verified


8. COMMUNICATION PROTOCOLS

8.1 Internal Communications

Initial Notification Template:

SUBJECT: URGENT - Security Incident in Progress

A security incident has been identified affecting [SCOPE]. The security team is actively responding. Please:

- Do not attempt to access affected systems
- Report any unusual system behavior immediately
- Do not discuss this incident externally
- Await further instructions

Additional updates will be provided as information becomes available.

Stakeholder Updates:

| Stakeholder | Update Frequency | Content |
|-------------|------------------|---------|
| Executive Team | Every 2-4 hours | Status, impact, decisions needed |
| Board (if applicable) | Daily | High-level summary |
| IT Teams | Ongoing | Technical guidance |
| All Employees | As needed | General guidance |

8.2 External Communications

Notification Requirements:

☐ Regulatory notifications (based on data affected)

☐ Customer notifications (if data affected)

☐ Law enforcement notification

☐ Cyber insurance carrier

☐ Business partners (if interconnected systems)

External Communication Approval:

All external communications require approval from:
☐ General Counsel
☐ CISO
☐ CEO/Executive designee
☐ PR/Communications Lead

8.3 Law Enforcement Notification

Report to FBI:

  • IC3: www.ic3.gov
  • Local Field Office: [CONTACT]
  • Report even if not paying ransom

Report to CISA:

  • CISA.gov/report
  • 1-888-282-0870
  • Required within 72 hours for critical infrastructure
  • Ransomware payments: within 24 hours

Benefits of Reporting:

  • Access to threat intelligence
  • Potential decryption key availability
  • Supports broader law enforcement efforts
  • May be required by regulation/insurance

9. RANSOM PAYMENT DECISION FRAMEWORK

9.1 Important Considerations

IMPORTANT: This section provides a framework for decision-making only. Ransom payment decisions should involve:

  • Executive leadership
  • Legal counsel
  • Cyber insurance carrier
  • Law enforcement (notification)
  • External incident response experts

9.2 Factors Against Payment

☐ No guarantee of decryption key working

☐ No guarantee attackers won't publish stolen data anyway

☐ Funds criminal enterprises

☐ Organization may be re-targeted

☐ Potential OFAC sanctions violations

☐ Reputational considerations

☐ Viable backup recovery option exists

9.3 Factors That May Support Payment

☐ No viable backup recovery option

☐ Critical operational impact (life safety, critical services)

☐ Cost of recovery significantly exceeds ransom

☐ Insurance coverage available

☐ Data exfiltration threat is credible and significant

9.4 Pre-Payment Requirements

If payment is being considered:

☐ Legal counsel approval obtained

☐ OFAC sanctions check completed on threat actor

☐ Insurance carrier notified and approved

☐ Law enforcement notified

☐ Professional negotiator engaged

☐ Payment method established (cryptocurrency)

☐ Expectations documented (no guarantee of recovery)

☐ Executive authorization documented

9.5 OFAC Sanctions Considerations

WARNING: Payment to sanctioned entities may violate U.S. law.

☐ Check OFAC SDN List for known ransomware actors

☐ Consult legal counsel on sanctions risk

☐ Document due diligence performed

☐ Consider OFAC voluntary self-disclosure if concerns exist


10. POST-INCIDENT ACTIVITIES

10.1 Lessons Learned

Conduct lessons learned session within [7] days of recovery:

Questions to Address:

☐ How was the attack successful?

☐ Why weren't we able to detect it earlier?

☐ What controls failed or were missing?

☐ How effective was our response?

☐ What would we do differently?

☐ What additional resources/capabilities are needed?

10.2 Remediation Plan

| Finding | Remediation Action | Owner | Target Date | Status |
|---------|--------------------|-------|-------------|--------|
| [FINDING] | [ACTION] | [NAME] | [DATE] | |

10.3 Post-Incident Monitoring

Enhanced monitoring for [90] days following incident:

☐ Increased log retention

☐ Additional alerting rules

☐ Threat hunting activities

☐ Dark web monitoring for data leaks

☐ User behavior analytics

10.4 Incident Documentation

Final incident report to include:

☐ Executive summary

☐ Timeline of events

☐ Attack vector analysis

☐ Scope and impact

☐ Response actions taken

☐ Recovery details

☐ Costs incurred

☐ Lessons learned

☐ Recommendations


11. QUICK REFERENCE CHECKLISTS

11.1 First Responder Checklist (Print and Post)

RANSOMWARE DETECTED - IMMEDIATE ACTIONS

  1. ☐ DO NOT power off systems
  2. ☐ DO NOT run antivirus scans
  3. ☐ DISCONNECT affected systems from network
  4. ☐ TAKE photographs of any ransom notes
  5. ☐ CALL Security Hotline: [PHONE NUMBER]
  6. ☐ DOCUMENT time of discovery and symptoms
  7. ☐ PRESERVE evidence - do not delete files
  8. ☐ AWAIT instructions from security team

11.2 Incident Commander Checklist

Hour 1:
☐ Activate incident response team
☐ Establish command and communication
☐ Begin containment measures
☐ Assess initial scope
☐ Notify executive leadership
☐ Activate external IR if needed
☐ Contact cyber insurance carrier

Hours 2-8:
☐ Complete network containment
☐ Scope affected systems
☐ Assess data exfiltration
☐ Analyze ransomware variant
☐ Check backup availability
☐ Begin recovery planning
☐ Prepare stakeholder communications

Hours 8-24:
☐ Continue investigation
☐ Evaluate recovery options
☐ Make ransom payment decision (if applicable)
☐ Begin recovery operations
☐ Fulfill notification obligations
☐ Provide regular status updates

11.3 Recovery Checklist

Pre-Recovery:
☐ Attack vector remediated
☐ All affected systems identified
☐ Backups verified clean
☐ Recovery order prioritized
☐ Enhanced monitoring ready

During Recovery:
☐ Systems rebuilt/reimaged
☐ Data restored from backup
☐ Patches applied
☐ Security agents installed
☐ Credentials reset
☐ Functionality verified

Post-Recovery:
☐ Users notified
☐ Systems monitored
☐ Backup verification
☐ Documentation completed
☐ Lessons learned scheduled


APPENDIX A: RANSOMWARE IDENTIFICATION RESOURCES

  • No More Ransom Project: nomoreransom.org
  • ID Ransomware: id-ransomware.malwarehunterteam.com
  • Emsisoft Decryptors: emsisoft.com/ransomware-decryption-tools
  • Kaspersky No Ransom: noransom.kaspersky.com

APPENDIX B: EVIDENCE COLLECTION TOOLS

[List approved forensic tools and their locations]

  • Memory capture: [TOOL]
  • Disk imaging: [TOOL]
  • Log collection: [TOOL]
  • Network capture: [TOOL]

DOCUMENT CONTROL

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [DATE] | [NAME] | Initial version |
| 2.0 | [DATE] | [NAME] | Updated for NIST SP 800-61r3 |

Approval:

| Role | Name | Signature | Date |
|------|------|-----------|------|
| CISO | | | |
| CIO | | | |
| General Counsel | | | |

Next Review Date: _________________


This playbook is classified as CONFIDENTIAL. Distribution is limited to authorized personnel. For questions, contact [SECURITY TEAM].

Last updated: February 2026
