1. Immediate Response and Containment
1.1 Isolate Affected Systems
- Disconnect infected systems from all networks (wired and wireless).
- Disable shared drives and network shares.
- Block known malicious domains or IPs.
- Do not power off systems unless encryption is actively ongoing.
1.2 Activate Incident Response Plan
- Notify the Incident Response (IR) or CSIRT team.
- Inform executive leadership, legal, and compliance departments.
- Contact cyber insurance and law enforcement if applicable.
1.3 Preserve Evidence
- Create forensic images of infected systems.
- Capture volatile data (RAM, running processes, network connections).
- Record timestamps, affected systems, and user accounts involved.
2. Initial Assessment
2.1 Identify Scope and Impact
- Determine which systems and data were encrypted or accessed.
- Assess whether sensitive or personal data was exfiltrated.
2.2 Determine Ransomware Variant
- Review ransom notes or file extensions.
- Use tools like
ID Ransomware or VirusTotal to identify the strain.
- Gather threat intelligence for known indicators of compromise (IOCs).
2.3 Review Backups
- Verify backup availability and integrity.
- Ensure backups are clean and isolated before restoration.
3. Eradication and Recovery
3.1 Remove the Threat
- Perform comprehensive malware scans and remove all malicious payloads.
- Patch vulnerabilities exploited in the attack.
- Reset and secure all compromised credentials.
- Rebuild affected systems from trusted golden images.
3.2 Restore Systems
- Restore from clean, verified backups.
- Reintroduce systems to the network gradually under monitoring.
- Check for persistence mechanisms such as scheduled tasks or registry entries.
4. Root Cause Analysis (RCA)
4.1 Collect and Correlate Data
Gather logs and forensic data from:
- Firewall, proxy, and SIEM systems
- Windows Event Logs (Security, Sysmon, Application)
- Email gateways, VPN, and remote access logs
- Authentication (AD/LDAP) and file access logs
4.2 Trace the Initial Access Vector
| Attack Vector |
What to Investigate |
| Phishing Email |
Analyze headers, attachments, and user clicks. |
| Exposed RDP/VPN |
Review brute-force attempts or unpatched systems. |
| Exploited Vulnerability |
Check patch status and recent CVE exploit activity. |
| Compromised Credentials |
Investigate credential reuse and password spraying logs. |
| Third-party Compromise |
Review vendor access and external integrations. |
4.3 Map Lateral Movement
- Identify internal movement methods (PsExec, SMB, WMI, PowerShell).
- Look for privilege escalation or credential dumping.
- Detect C2 (command-and-control) channels and data exfiltration routes.
4.4 Determine the Root Cause
Answer these key questions:
- How did the attacker gain initial access?
- Which security gaps allowed persistence or privilege escalation?
- Why were existing controls ineffective?
5. Post-Incident Reporting and Hardening
5.1 Create a Detailed Incident Report
- Include a full event timeline, impacted systems, IOCs, and RCA summary.
- Document response actions and recovery progress.
- Highlight key lessons learned for management review.
5.2 Strengthen Defenses
- Patch all systems and applications.
- Enhance endpoint, email, and network defenses.
- Enforce least privilege access and multi-factor authentication (MFA).
- Segment networks to minimize future ransomware spread.
5.3 Conduct User Awareness Training
Educate employees on phishing, malicious attachments, and social engineering threats.
5.4 Continuous Monitoring
- Enable advanced SIEM alerting and correlation.
- Deploy proactive threat hunting for early detection.
- Subscribe to updated threat intelligence feeds.
6. Law Enforcement and Compliance
- Report the incident to national cybercrime or law enforcement authorities.
- Notify regulators if personal data was affected (e.g., GDPR, HIPAA).
- Communicate transparently with customers and stakeholders when required.