Ransomware Response Quickstart
Time-boxed response path for ransomware incidents covering initial triage through eradication. Prioritizes containment to stop encryption spread, evidence preservation for decryption feasibility, and backup validation for recovery.
First 15 Minutes
Photograph or screenshot the ransom note and extract IOCs such as bitcoin wallet addresses, Tor URLs, threat-actor aliases, and embedded file extensions. Cross-reference the ransom note language and formatting against known ransomware family databases (e.g., ID Ransomware, No More Ransom) to identify the variant. Early identification of the ransomware family determines whether free decryptors exist and informs the overall containment strategy.
Correlate the earliest encryption timestamps with authentication events, process execution logs, and email delivery records to pinpoint the first compromised host. Review Security Event Log entries for anomalous logon types (e.g., Event ID 4624 Type 10 for RDP) and Sysmon process-creation events around the identified timeframe. Establishing patient zero is essential for understanding the initial access vector and bounding the scope of compromise.
Immediately segment affected VLANs, disable inter-site VPN tunnels to impacted locations, and block SMB (TCP 445) and RDP (TCP 3389) at internal firewall boundaries. The goal is to halt lateral propagation of encryption without taking down the entire network. Coordinate with network operations to implement ACLs or switch-port shutdowns for confirmed-infected subnets while preserving connectivity for forensic workstations.
Disable or reset credentials for all accounts observed in the attack chain, including service accounts and any domain admin accounts showing anomalous activity. Review Azure AD sign-in logs for impossible-travel or anomalous-IP authentications that may indicate additional compromised identities. Prioritize high-privilege accounts to prevent the attacker from deploying additional ransomware payloads or destroying backups.
Many modern ransomware operators exfiltrate data before encrypting. Block known exfiltration channels by denying outbound traffic to suspicious IPs, cloud-storage upload domains (e.g., mega.nz, anonfiles), and any C2 infrastructure identified from IOC analysis. Review firewall logs for large outbound data transfers in the hours preceding the encryption event to assess whether double-extortion is likely.
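As an added example (not part of the DFIR Assist checklist), a small Python extractor for the IOC-harvesting step above: it pulls wallet addresses, .onion hosts, contact e-mails, the encrypted-file extension and the victim ID out of a constructed ransom note and flattens the hunt-worthy ones into search terms. Every indicator value in the sample is invented, and the patterns match address form only, not checksums.

```python
import re

# Constructed ransom note for demonstration. The wallet, .onion host, e-mail,
# extension and victim ID are invented and match no real campaign.
RANSOM_NOTE = """
!!! YOUR FILES ARE ENCRYPTED !!!
All your documents now have the extension .lckd_example
To restore them contact us: restore_example@onionmail.example
Or visit our portal (TOR browser): http://exampleportalabcdefghijklmnopqrstuvwxyz234567abcdefghijk.onion/login
Payment: bc1qexampleaddress02468acdefghjklmnpqrstuvwxyz
Your ID: 7F3A-EXAMPLE-91C2
"""

# Patterns match address *form* only (no checksum validation), so review hits by hand.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")   # v2 (16) or v3 (56) chars
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
EXT_RE = re.compile(r"extension\s+(\.[A-Za-z0-9_]{2,16})\b", re.I)  # ".ext" named in the note text
VICTIM_ID_RE = re.compile(r"\bID:\s*([A-Z0-9-]{8,})\b")

def extract_iocs(note):
    """Return the deduplicated indicators found in a ransom note, grouped by type."""
    return {
        "btc_wallets": sorted(set(BTC_RE.findall(note))),
        "onion_hosts": sorted(set(ONION_RE.findall(note))),
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "extensions": sorted(set(EXT_RE.findall(note))),
        "victim_ids": sorted(set(VICTIM_ID_RE.findall(note))),
    }

def hunt_terms(iocs):
    """Flatten the network- and file-level indicators into search terms for EDR,
    proxy and firewall queries; wallets and victim IDs identify the campaign
    (for family lookup and attribution) but are not useful as hunt or block terms."""
    return (set(iocs["onion_hosts"]) | set(iocs["emails"])
            | {"*" + ext for ext in iocs["extensions"]})

if __name__ == "__main__":
    found = extract_iocs(RANSOM_NOTE)
    print(found)
    print(hunt_terms(found))
```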
First 60 Minutes
Acquire full physical memory dumps from patient zero and other key systems before they are rebooted or powered off. Memory captures may contain the encryption key in cleartext, unpacked ransomware binaries, injected code in running processes, and network connection artifacts that are lost on reboot. Use validated acquisition tools like WinPMEM or LiME and document hash values for chain-of-custody purposes.
Export and preserve copies of Windows Security and Sysmon event logs from all systems in scope before log rotation or attacker tampering can destroy them. Ransomware operators frequently clear event logs as part of their playbook, so time is critical. Copy EVTX files to a forensic share with write-protection and compute SHA-256 hashes for each file to maintain evidentiary integrity.
Pull endpoint detection and response telemetry spanning at least 72 hours before the first encryption timestamp. Focus on process trees, file-write patterns, PowerShell/command-line activity, and network connections from affected endpoints. EDR data often reveals the full attack chain including initial access, privilege escalation, and lateral movement that preceded the ransomware deployment.
Determine how many hosts, file shares, and data volumes have been encrypted by analyzing MFT records for file-extension changes, scanning network shares for ransom notes, and querying EDR for the ransomware binary hash across all endpoints. Build a heat-map of affected vs. unaffected systems to guide recovery prioritization. Knowing the full blast radius is essential for accurate executive communication and recovery planning.
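Added example, not from the original checklist: a Python share sweep for the blast-radius step that counts ransom notes and renamed files per top-level folder and classifies each folder as encrypted, touched (note dropped, nothing renamed) or clean. The note names and extension are assumed values carried over from IOC triage, and the sample share is constructed in a temporary directory so the scan runs offline.

```python
import os
import tempfile
from collections import defaultdict

# Assumed indicators carried over from the ransom-note step (constructed values;
# the extension is a placeholder, not a real family marker).
RANSOM_NOTE_NAMES = {"README_TO_RESTORE.txt", "HOW_TO_DECRYPT.hta"}
ENCRYPTED_EXT = ".lckd_example"

def scan_share(root, note_names=RANSOM_NOTE_NAMES, enc_ext=ENCRYPTED_EXT):
    """Walk one mounted share and count ransom notes, files carrying the
    ransomware extension and total files per top-level folder."""
    stats = defaultdict(lambda: {"notes": 0, "encrypted": 0, "total": 0})
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            s = stats[top]
            s["total"] += 1
            if name in note_names:
                s["notes"] += 1
            elif name.endswith(enc_ext):
                s["encrypted"] += 1
    return dict(stats)

def heat_map(stats):
    """Classify each folder: 'encrypted' (renamed files present), 'touched'
    (a note was dropped but nothing renamed, e.g. encryption interrupted) or 'clean'."""
    out = {}
    for folder, s in stats.items():
        if s["encrypted"]:
            out[folder] = "encrypted"
        elif s["notes"]:
            out[folder] = "touched"
        else:
            out[folder] = "clean"
    return out

def build_sample_share():
    """Create a small constructed share on disk so the scan can run offline."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "Finance": ["q4.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT,
                    "README_TO_RESTORE.txt"],
        "HR": ["README_TO_RESTORE.txt", "handbook.pdf"],
        "Public": ["logo.png", "policy.pdf"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"x")
    return root
```

Run `heat_map(scan_share(build_sample_share()))` to see the classification; against a real share, point `scan_share` at the mount path and feed the per-folder result into the recovery-priority list.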
First 4 Hours
Reconstruct the attacker lateral-movement path by correlating logon events (Event IDs 4624, 4625, 4648), remote-service creation (Event ID 7045), scheduled-task creation, and PsExec/WMI execution artifacts across all in-scope hosts. Map the timeline of host-to-host movement to identify systems the attacker touched but may not have encrypted, as these could contain additional backdoors or staging tools.
Systematically sweep for persistence mechanisms the attacker may have planted beyond the ransomware itself, including scheduled tasks, Run/RunOnce registry keys, WMI event subscriptions, and new services. Examine Amcache and ShimCache to identify previously executed binaries that may indicate backdoors or RATs planted for re-entry. Failing to remove persistence will allow the attacker to re-encrypt after recovery.
Before beginning restoration, verify that backup copies have not been encrypted, deleted, or tampered with by the attacker. Test-restore a sample of critical data from offline, immutable, or air-gapped backups and validate file integrity. Check backup-system audit logs for unauthorized access or deletion attempts. Confirm the recovery-point objective (RPO) for each critical system and communicate realistic restoration timelines to leadership.
Eradicate all ransomware binaries, dropper scripts, and associated artifacts from affected systems. This includes removing ransomware executables, cleaning up scheduled tasks or services used for deployment, and deleting any staging directories. Use IOC sweeps with file hashes, file names, and YARA rules to ensure no remnants remain across the environment before beginning system restoration.
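Added example (not the checklist's own code) for the lateral-movement reconstruction in this phase: it orders constructed 4624/4648/7045 events into host-to-host hops, tags the PsExec-style pattern where a 7045 service install follows a network logon on the destination, flags hops preceded by explicit-credential use (4648) on the source, and lists hosts the attacker reached that show no encryption, which are the ones to sweep for persistence. Host names, IPs, users and the encrypted-host set are invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three hosts: 4624 logons (ltype 3 network, 10 RDP),
# 4648 explicit-credential use and a 7045 new-service install. All values invented.
EVENTS = [
    dict(host="WS-ACCT-03", time="2026-02-27T19:12:48Z", id=4624, ltype=10, user="jdoe", src="203.0.113.44"),
    dict(host="WS-ACCT-03", time="2026-02-27T20:30:02Z", id=4648, user="jdoe", target="DC01"),
    dict(host="DC01", time="2026-02-27T20:30:05Z", id=4624, ltype=3, user="svc_backup", src="10.20.5.77"),
    dict(host="FS01", time="2026-02-27T22:40:10Z", id=4624, ltype=3, user="svc_backup", src="10.20.5.77"),
    dict(host="FS01", time="2026-02-27T22:40:12Z", id=7045, service="PSEXESVC"),
]
HOST_IPS = {"WS-ACCT-03": "10.20.5.77", "DC01": "10.20.1.10", "FS01": "10.20.3.20"}
ENCRYPTED_HOSTS = {"WS-ACCT-03", "FS01"}   # from the blast-radius assessment (assumed)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lateral_hops(events, host_ips, window=timedelta(seconds=60)):
    """Turn remote logons into ordered hops. method is 'rdp' (type 10), 'network'
    (type 3) or 'service:<name>' when a 7045 on the destination follows within the
    window; explicit_creds is set when a 4648 on the source named the destination."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    ordered = sorted(events, key=lambda e: ts(e["time"]))
    hops = []
    for i, e in enumerate(ordered):
        if e["id"] != 4624 or e["ltype"] not in (3, 10):
            continue
        src = ip_to_host.get(e["src"], "EXTERNAL:" + e["src"])  # unknown IP = outside the estate
        method = "rdp" if e["ltype"] == 10 else "network"
        for f in ordered[i + 1:]:                # PsExec/remote-service pattern
            if ts(f["time"]) - ts(e["time"]) > window:
                break
            if f["id"] == 7045 and f["host"] == e["host"]:
                method = "service:" + f["service"]
                break
        explicit = any(f["id"] == 4648 and f["host"] == src and f.get("target") == e["host"]
                       and timedelta(0) <= ts(e["time"]) - ts(f["time"]) <= window
                       for f in ordered[:i])
        hops.append({"time": e["time"], "src": src, "dst": e["host"], "user": e["user"],
                     "method": method, "explicit_creds": explicit})
    return hops

def touched_not_encrypted(hops, encrypted_hosts):
    """Hosts the attacker reached that show no encryption: sweep these for backdoors."""
    return sorted({h["dst"] for h in hops} - set(encrypted_hosts))
```

With the sample data the chain reads external RDP into WS-ACCT-03, a network logon to DC01 using explicitly supplied svc_backup credentials, then a PsExec-style service install on FS01; DC01 comes back as touched but not encrypted.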
DFIR Assist - Ransomware Response Quickstart | Printed 3/1/2026