🔒 Ransomware

Encryption-based extortion attack targeting files, databases, or entire systems with ransom demands for decryption keys.

33 procedures8 lifecycle stages

Triage

(4 procedures)

Bound the Investigation Timeframe

P1

Timeframe Bounding

30min
View procedure

Identify Patient Zero (First Compromised System)

P1

Patient Zero

60min
View procedure

Analyze Ransom Note and Variant Identification

P1

Ransom Note Analysis

45min
View procedure

Validate the Initial Access Vector

P2

Access Validation

45min
View procedure

Containment

(4 procedures)

Network Isolation of Compromised Systems

P1

Network Isolation

30min
View procedure

Credential and Account Lockdown

P1

Account Lockdown

45min
View procedure

Block Active Exfiltration Pathways

P1

Block Exfiltration

30min
View procedure

Halt Ransomware Propagation

P1

Stop Ransomware Spread

30min
View procedure
Sponsored

Preservation

(4 procedures)

Volatile Memory Capture

P1

Memory Capture

60min
View procedure

Log Preservation and Snapshot

P1

Log Snapshot

45min
View procedure

Preserve VSS Shadow Copies and Encryption Timing Artifacts

P1

Ransomware Preservation

90min
View procedure

Document Chain of Custody for All Collected Evidence

P2

Chain of Custody

30min
View procedure

Collection

(4 procedures)

EDR Telemetry Collection

P2

EDR Collection

120min
View procedure

M365 Unified Audit Log Collection

P2

M365 UAL Collection

90min
View procedure

Identify Alternative Evidence When Primary Logs Are Missing

P2

Missing Log Fallback

60min
View procedure

Coordinate Log Collection from Third-Party Vendors

P3

Third-Party Logs

120min
View procedure

Analysis

(5 procedures)

Lateral Movement Analysis and Mapping

P1

Lateral Movement

120min
View procedure

Map Exfiltration Channels (HTTP, DNS, Cloud Sync)

P1

Exfil Channels

90min
View procedure

Determine Encryption Scope and Affected Systems

P1

Encryption Scope

90min
View procedure

Analyze Evidence of Credential Dumping Techniques

P1

Credential Dumping

90min
View procedure

Identify Data Staging and Compression Activity

P2

Data Staging

60min
View procedure

Eradication

(5 procedures)

Remove Malware, Backdoors, and Persistence Mechanisms

P1

Malware Removal

120min
View procedure

Mass Credential Reset and Session Invalidation

P1

Credential Reset

90min
View procedure

Comprehensive Persistence Mechanism Sweep

P1

Persistence Hunt

120min
View procedure

Eradication Verification Checklist

P1

Eradication Verification

90min
View procedure

Post-Incident Configuration Hardening

P2

Config Hardening

180min
View procedure

Recovery

(4 procedures)

Assess Decryption Options (Backups, Keys, Tools)

P1

Decryption Assessment

120min
View procedure

Rebuild Compromised Systems from Known-Good Images

P1

System Rebuild

240min
View procedure

Validate Backup Integrity Before Restoration

P1

Backup Validation

180min
View procedure

Phased Service Restoration with Enhanced Monitoring

P2

Service Restoration

120min
View procedure

Post-Incident Review

(3 procedures)

Create New Detection Rules Based on Incident Findings

P2

Detection Improvement

90min
View procedure

Generate Comprehensive Incident Report

P2

Incident Report

180min
View procedure

Conduct Lessons Learned Review Session

P3

Lessons Learned

120min
View procedure