Ransomware

Encryption-based extortion attack targeting files, databases, or entire systems with ransom demands for decryption keys.

Triage

4 procedures
P1

Bound the Investigation Timeframe

~30 min
P1

Identify Patient Zero (First Compromised System)

~60 min
P1

Analyze Ransom Note and Variant Identification

~45 min
P2

Validate the Initial Access Vector

~45 min

Containment

4 procedures
P1

Network Isolation of Compromised Systems

~30 min
P1

Credential and Account Lockdown

~45 min
P1

Block Active Exfiltration Pathways

~30 min
P1

Halt Ransomware Propagation

~30 min
Sponsored

Preservation

4 procedures
P1

Volatile Memory Capture

~60 min
P1

Log Preservation and Snapshot

~45 min
P1

Preserve VSS Shadow Copies and Encryption Timing Artifacts

~90 min
P2

Document Chain of Custody for All Collected Evidence

~30 min

Collection

4 procedures
P2

EDR Telemetry Collection

~120 min
P2

M365 Unified Audit Log Collection

~90 min
P2

Identify Alternative Evidence When Primary Logs Are Missing

~60 min
P3

Coordinate Log Collection from Third-Party Vendors

~120 min

Analysis

5 procedures
P1

Lateral Movement Analysis and Mapping

~120 min
P1

Map Exfiltration Channels (HTTP, DNS, Cloud Sync)

~90 min
P1

Determine Encryption Scope and Affected Systems

~90 min
P1

Analyze Evidence of Credential Dumping Techniques

~90 min
P2

Identify Data Staging and Compression Activity

~60 min

Eradication

6 procedures
P1

Remove Malware, Backdoors, and Persistence Mechanisms

~120 min
P1

Mass Credential Reset and Session Invalidation

~90 min
P1

Comprehensive Persistence Mechanism Sweep

~120 min
P1

Eradication Verification Checklist

~90 min
P1

Assume-Breach Rebuild and Identity Reset

~480 min
P2

Post-Incident Configuration Hardening

~180 min

Recovery

4 procedures
P1

Assess Decryption Options (Backups, Keys, Tools)

~120 min
P1

Rebuild Compromised Systems from Known-Good Images

~240 min
P1

Validate Backup Integrity Before Restoration

~180 min
P2

Phased Service Restoration with Enhanced Monitoring

~120 min

Post-Incident Review

4 procedures
P2

Create New Detection Rules Based on Incident Findings

~90 min
P2

Generate Comprehensive Incident Report

~180 min
P2

Review Ransomware Resilience and Backup Isolation Failures

~90 min
P3

Conduct Lessons Learned Review Session

~120 min