Ransomware
Encryption-based extortion attack targeting files, databases, or entire systems with ransom demands for decryption keys.
33 runbook nodes, 8 lifecycle stages covered

Each node is listed as: title (priority, short name, estimated duration).

Triage (4 nodes)

Containment (4 nodes)

Preservation (4 nodes)

Collection (4 nodes)
  EDR Telemetry Collection (P2, EDR Collection, 120 min)
  M365 Unified Audit Log Collection (P2, M365 UAL Collection, 90 min)
  Identify Alternative Evidence When Primary Logs Are Missing (P2, Missing Log Fallback, 60 min)
  Coordinate Log Collection from Third-Party Vendors (P3, Third-Party Logs, 120 min)

Analysis (5 nodes)
  Lateral Movement Analysis and Mapping (P1, Lateral Movement, 120 min)
  Map Exfiltration Channels (HTTP, DNS, Cloud Sync) (P1, Exfil Channels, 90 min)
  Determine Encryption Scope and Affected Systems (P1, Encryption Scope, 90 min)
  Analyze Evidence of Credential Dumping Techniques (P1, Credential Dumping, 90 min)
  Identify Data Staging and Compression Activity (P2, Data Staging, 60 min)

Eradication (5 nodes)
  Remove Malware, Backdoors, and Persistence Mechanisms (P1, Malware Removal, 120 min)
  Mass Credential Reset and Session Invalidation (P1, Credential Reset, 90 min)
  Comprehensive Persistence Mechanism Sweep (P1, Persistence Hunt, 120 min)
  Eradication Verification Checklist (P1, Eradication Verification, 90 min)
  Post-Incident Configuration Hardening (P2, Config Hardening, 180 min)

Recovery (4 nodes)
  Assess Decryption Options (Backups, Keys, Tools) (P1, Decryption Assessment, 120 min)
  Rebuild Compromised Systems from Known-Good Images (P1, System Rebuild, 240 min)
  Validate Backup Integrity Before Restoration (P1, Backup Validation, 180 min)
  Phased Service Restoration with Enhanced Monitoring (P2, Service Restoration, 120 min)