What To Do If You’re Hit by Ransomware: Step‑By‑Step Response Checklist


We operate in a world where ransomware is no longer a distant possibility; it’s a “when, not if” scenario for most organizations. Even with strong training and preparation, the pressure of a real incident can make it difficult to think clearly in the moment. That’s why having a well‑structured guide is invaluable. Ransomware events are undoubtedly high‑stress, but they don’t have to spiral into disorder. With a clear process and coordinated actions, your organization can limit operational disruption, protect critical evidence, and regain control of the environment efficiently and confidently.


Phase 1: Detection and Immediate Containment

1. Identify and Isolate Affected Systems

  • Determine which systems are impacted.

  • Immediately isolate them from the network.

  • If multiple systems or subnets are affected, take the network offline at the switch level if necessary.

  • Prioritize isolating mission-critical systems first.

  • If needed, physically unplug ethernet cables or remove devices from Wi-Fi.

  • For cloud environments: Take snapshots of affected volumes to preserve a point-in-time forensic copy.

  • If systems cannot be disconnected: Power them down to prevent further spread (only if no other isolation option is available).

Note: Powering down may result in loss of volatile memory evidence. Use this as a last resort.


2. Communicate Securely

  • Assume attackers may be monitoring your network.

  • Use out-of-band communications (phone calls, secure messaging apps not tied to your domain).

  • Coordinate isolation actions carefully to avoid tipping off the threat actor.


Phase 2: Triage and Investigation

1. Prioritize Systems for Recovery

  • Identify critical systems (health, safety, revenue, core operations).

  • Confirm the type of data housed on impacted systems.

  • Use a predefined critical asset list to guide restoration priorities.

  • Track unaffected systems so they can be deprioritized.

2. Review Security Tools and Logs

  • Analyze antivirus, EDR, IDS, and firewall logs.

  • Look for evidence of earlier compromise stages.

  • Identify potential “dropper” malware such as:

  • Bumblebee

  • Dridex

  • Emotet

  • QakBot

  • Anchor

A ransomware event may be the final stage of a much longer intrusion.

3. Hunt for Advanced Threat Activity

In enterprise environments, check for:

  • Newly created Active Directory accounts or privilege escalation (especially Domain Admin activity).

  • Suspicious VPN or remote login activity.

  • Tampering with backup or shadow copy tools (e.g., vssadmin, wbadmin, bcdedit, fsutil).

  • Signs of Cobalt Strike beacon activity.

  • Unexpected remote monitoring and management (RMM) tools.

  • PowerShell misuse or PsTools execution.

  • Credential dumping activity (e.g., LSASS access, Mimikatz, NTDSutil).

  • Unexpected server-to-server communication.

  • Evidence of data exfiltration (Rclone, Rsync, FTP/SFTP, web storage services).

  • Newly created services or scheduled tasks.

  • For cloud environments:

      • Monitor IAM, firewall rules, and network security changes.

      • Enable automation to detect and block risky changes (e.g., open 0.0.0.0/0 firewall rules).
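As an added example, not part of the original checklist, the Python script below applies several of the hunt items above (backup tool tampering, new accounts, privileged group changes, new scheduled tasks and services) and the cloud firewall check to a constructed export of Windows Security, Sysmon and System events plus cloud audit records. Event IDs 4688, 4720, 4728/4732, 4698 and 7045 are the standard Windows identifiers for process creation, account creation, group membership change, scheduled task creation and service installation; the record field names, the sample hosts and accounts, and the AuthorizeSecurityGroupIngress action used as the sample cloud call are assumptions chosen for illustration and must be mapped to your own SIEM schema.

```python
"""Hunt over exported security events for the indicators listed in this checklist.

Added illustrative script, not part of the original checklist.  The records
below are CONSTRUCTED samples; field names approximate a Windows Security /
Sysmon export and a cloud audit log but are assumptions, so map them to your
own SIEM schema before use.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    source: str                 # "windows" or "cloud"
    event_id: int = 0           # Windows Event ID; 0 for cloud records
    host: str = ""              # endpoint or cloud resource the record came from
    user: str = ""              # subject account (created/added member for 4720/4728)
    command_line: str = ""      # process command line (Security 4688 / Sysmon 1)
    group: str = ""             # target group for 4728 (global) / 4732 (local)
    action: str = ""            # cloud API call, e.g. a security-group ingress change
    cidr: str = ""              # source range on a cloud firewall rule change


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Backup / recovery tampering by the tools the checklist names.
BACKUP_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s*no\b", re.I),
    re.compile(r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal\b", re.I),
]
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}


def hunt(events):
    """Return one Finding per event that matches a checklist indicator."""
    findings = []
    for e in events:
        if e.source == "windows":
            if e.event_id in (4688, 1) and any(p.search(e.command_line) for p in BACKUP_TAMPER):
                findings.append(Finding("backup_tampering", e.host, e.command_line))
            elif e.event_id == 4720:                       # user account created
                findings.append(Finding("new_account", e.host, f"{e.user} created"))
            elif e.event_id in (4728, 4732) and e.group.lower() in PRIVILEGED_GROUPS:
                findings.append(Finding("privileged_group_change", e.host,
                                        f"{e.user} added to {e.group}"))
            elif e.event_id == 4698:                       # scheduled task created
                findings.append(Finding("scheduled_task", e.host, e.command_line))
            elif e.event_id == 7045:                       # service installed (System log)
                findings.append(Finding("service_installed", e.host, e.command_line))
        elif e.source == "cloud":
            if "ingress" in e.action.lower() and e.cidr in OPEN_RANGES:
                findings.append(Finding("open_firewall_rule", e.host,
                                        f"{e.action} from {e.cidr} by {e.user}"))
    return findings


def by_host(events):
    """Group matched rule names per host, to feed the critical-asset prioritisation."""
    grouped = defaultdict(list)
    for f in hunt(events):
        grouped[f.host].append(f.rule)
    return dict(grouped)


# CONSTRUCTED sample export: benign records mixed with the patterns above.
SAMPLE_EVENTS = [
    Event("windows", 4688, "FS01", "svc_backup", command_line="vssadmin.exe delete shadows /all"),
    Event("windows", 4688, "WS17", "jdoe", command_line=r"C:\Windows\System32\notepad.exe"),
    Event("windows", 4720, "DC01", "sqlsvc2"),
    Event("windows", 4728, "DC01", "sqlsvc2", group="Domain Admins"),
    Event("windows", 4728, "DC01", "jdoe", group="Marketing"),
    Event("windows", 4698, "FS01", "svc_backup", command_line=r"C:\ProgramData\update.exe"),
    Event("cloud", 0, "vpc-prod", "ci-deployer", action="AuthorizeSecurityGroupIngress", cidr="0.0.0.0/0"),
    Event("cloud", 0, "vpc-prod", "ci-deployer", action="AuthorizeSecurityGroupIngress", cidr="10.0.0.0/8"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The per-host grouping is deliberate: during triage the question is rarely "which rule fired" but "which of the machines on my critical asset list show any of these signs", so the output is keyed by host to line up with the prioritisation step in Phase 2.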


Phase 3: Reporting and Notification

  • Activate your incident response and communications plan.

  • Notify internal stakeholders (IT, executives, legal, insurance, MSSPs).

  • Provide regular updates to leadership.

  • If required, initiate data breach notification procedures.

Report the incident to the appropriate authorities and consider requesting assistance from:

  • Cybersecurity and Infrastructure Security Agency (CISA)

  • Federal Bureau of Investigation (FBI)

  • FBI Internet Crime Complaint Center (IC3)

  • United States Secret Service

Law enforcement may be aware of decryptors for certain ransomware variants.


Phase 4: Containment and Eradication

If immediate mitigation is not possible:

  • Capture system images and memory from sample devices.

  • Preserve volatile evidence (memory, firewall buffers, security logs).

  • Collect malware samples and indicators of compromise (IOCs).

To actively contain the threat:

  • Research trusted guidance for the specific ransomware variant.

  • Kill and disable known ransomware binaries.

  • Remove associated registry entries and malicious files.

  • Identify compromised accounts (including email).

  • Disable VPN, SSO, remote access servers, and exposed assets if needed.

Investigate credential abuse and lateral movement:

  • Review open sessions and file access logs.

  • Check RDP logs and Windows Security logs.

  • Monitor SMB activity and suspicious file renaming.

  • Conduct packet capture analysis if necessary.
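Two of the checks above, reviewing logon activity for lateral movement and watching for suspicious file renaming on shares, lend themselves to simple sliding-window analysis. The following Python script is an added example, not part of the original checklist: it flags accounts that reach several distinct hosts over RDP or network logons within a short window, and accounts that rename many files to one unfamiliar extension within minutes. Logon types 3 and 10 are the standard Windows 4624 values for network and RemoteInteractive logons; the record layouts, hosts, accounts, timestamps and the `.locked` extension are constructed assumptions for illustration.

```python
"""Lateral-movement fan-out and mass-rename detection over logon and file-audit records.

Added illustrative script, not part of the original checklist.  Inputs are
CONSTRUCTED samples; the record shapes approximate Windows 4624 logon events
and a file-server audit trail but are assumptions, not a vendor's schema.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Logon:
    when: datetime
    user: str
    src_ip: str
    target_host: str
    logon_type: int   # 4624 LogonType: 3 = network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP)


@dataclass
class FileOp:
    when: datetime
    user: str
    path: str
    new_path: str = ""   # populated only for renames


LATERAL_TYPES = {3, 10}


def fan_out(logons, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that authenticated to >= min_hosts distinct hosts inside any window.

    Returns {user: sorted hosts}.  One account touching many machines in a
    short span is the classic lateral-movement shape.
    """
    by_user = defaultdict(list)
    for lg in sorted(logons, key=lambda x: x.when):
        if lg.logon_type in LATERAL_TYPES:
            by_user[lg.user].append(lg)
    hits = {}
    for user, items in by_user.items():
        for i, first in enumerate(items):
            hosts = {x.target_host for x in items[i:] if x.when - first.when <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def rename_bursts(ops, window=timedelta(minutes=5), min_count=20):
    """(user, new extension) pairs with >= min_count renames inside any window.

    Encryption shows up on a share as one account renaming many files to the
    same unfamiliar extension within seconds; a sliding window finds that.
    """
    times_by_key = defaultdict(list)
    for op in sorted(ops, key=lambda x: x.when):
        if op.new_path:
            ext = os.path.splitext(op.new_path)[1].lower()
            times_by_key[(op.user, ext)].append(op.when)
    bursts = {}
    for key, times in times_by_key.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # advance window start
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            bursts[key] = best
    return bursts


# CONSTRUCTED samples.  T0 is an arbitrary early-morning timestamp.
T0 = datetime(2024, 1, 1, 2, 0)
SAMPLE_LOGONS = [
    Logon(T0, "svc_backup", "10.1.5.23", "FS01", 10),
    Logon(T0 + timedelta(minutes=5), "svc_backup", "10.1.5.23", "DC01", 3),
    Logon(T0 + timedelta(minutes=12), "svc_backup", "10.1.5.23", "APP02", 3),
    Logon(T0 + timedelta(minutes=20), "svc_backup", "10.1.5.23", "WS17", 3),
    Logon(T0 + timedelta(hours=7), "jdoe", "10.1.7.40", "WS17", 2),   # console logon, ignored
    Logon(T0 + timedelta(hours=7, minutes=1), "jdoe", "10.1.7.40", "FS01", 3),
    Logon(T0 + timedelta(hours=7, minutes=30), "jdoe", "10.1.7.40", "FS01", 3),
]
SAMPLE_FILEOPS = [
    FileOp(T0 + timedelta(minutes=30, seconds=i), "svc_backup",
           rf"\\FS01\share\doc{i}.docx", rf"\\FS01\share\doc{i}.docx.locked")
    for i in range(25)
] + [
    FileOp(T0 + timedelta(hours=h), "jdoe", r"\\FS01\share\notes.txt", r"\\FS01\share\notes.bak")
    for h in (5, 6, 7)
]

if __name__ == "__main__":
    print("fan-out:", fan_out(SAMPLE_LOGONS))
    print("rename bursts:", rename_bursts(SAMPLE_FILEOPS))
```

Thresholds are parameters on purpose: a backup or monitoring account may legitimately touch dozens of hosts, so baseline each account's normal fan-out before treating a hit as confirmed lateral movement, and tune the rename count to the share's normal churn.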

Eliminate persistence mechanisms:

  • Audit domain and local accounts.

  • Remove rogue accounts or backdoors.

  • Identify outside-in and inside-out persistence.

  • Deploy or enhance EDR visibility.


Phase 5: Rebuild and Restore

  • Rebuild systems using clean, standard images.

  • Use infrastructure-as-code templates for cloud rebuilds.

  • Reset passwords for all affected systems and accounts.

  • Patch vulnerabilities and close security gaps.

  • Update encryption keys if necessary.

  • Only after confirming the environment is clean:

      • Restore from offline, encrypted backups.

      • Reconnect systems in a controlled manner (e.g., clean VLAN).

      • Ensure clean systems are not re-infected during restoration.

  • The designated IT/security authority should formally declare the incident closed based on defined criteria.


Phase 6: Post-Incident Review

  • Document lessons learned.

  • Update policies, procedures, and playbooks.

  • Refine detection and response capabilities.

  • Share relevant indicators of compromise with CISA or your sector ISAC.



Go to Sources for Further Guidance:
