Ransomware Response Playbook

Step-by-step guide for responding to ransomware incidents

5 Phases

Phase 1: Detect

Confirm Ransomware Infection

Verify that the incident is indeed ransomware

  • Check for ransom notes on affected systems
  • Look for encrypted files with unusual extensions
  • Review security tool alerts for ransomware signatures
  • Document the ransom demand and any attacker contact info

Artifacts

Ransom note screenshot
List of encrypted file extensions

Determine Scope

Identify the extent of the infection

  • Identify all affected systems and endpoints
  • Check network shares and mapped drives
  • Review backup systems for signs of compromise
  • Determine if any data was exfiltrated

Artifacts

List of affected systems
Network diagram with affected areas
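Below is an added Python triage helper (example code, not part of this playbook or Protectyr's tooling) that turns a file listing into the Phase 1 artifacts: ransom notes found, the list of encrypted file extensions, and the set of affected hosts. The ransom-note name patterns, the known-good extension list, the entropy threshold and the sample file tree are assumptions constructed for the example.

```python
import math
import os
import re
from collections import Counter

# Assumed heuristics (not from the playbook): typical ransom-note file names,
# and a short allow-list of ordinary extensions whose contents are legitimately
# compressed (docx/pdf/jpg are high-entropy by design, so they are not flagged).
RANSOM_NOTE_RE = re.compile(
    r"(readme|decrypt|restore|recover|how[_-]?to).*\.(txt|html?|hta)$", re.I)
KNOWN_GOOD_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def host_of(path: str) -> str:
    """Host name from a UNC-style path //host/share/...; '' if not UNC."""
    return path.split("/")[2] if path.startswith("//") else ""

def triage(files: dict, entropy_threshold: float = 7.0) -> dict:
    """Return the Phase 1 artifacts: ransom notes, encrypted extensions, affected hosts."""
    notes, ext_counts, hosts = [], Counter(), set()
    for path, content in files.items():
        name = os.path.basename(path)
        ext = os.path.splitext(name)[1].lower()
        if RANSOM_NOTE_RE.search(name):
            notes.append(path)
            hosts.add(host_of(path))
        elif ext not in KNOWN_GOOD_EXT and shannon_entropy(content) >= entropy_threshold:
            ext_counts[ext] += 1          # unknown extension plus random-looking bytes
            hosts.add(host_of(path))
    return {"ransom_notes": notes,
            "encrypted_extensions": dict(ext_counts),
            "affected_hosts": sorted(h for h in hosts if h)}

# Constructed sample "file tree" (path -> bytes) standing in for a real walk.
ENCRYPTED_LIKE = bytes(range(256)) * 4   # uniform byte distribution, entropy exactly 8.0
SAMPLE_FILES = {
    "//fs01/finance/README_TO_RESTORE.txt": b"Your files are encrypted. Contact ...",
    "//fs01/finance/q3_forecast.xlsx.lockedx": ENCRYPTED_LIKE,
    "//fs01/finance/notes.txt": b"Quarterly planning notes, nothing unusual here.",
    "//ws-042/c$/Users/alice/report.docx.lockedx": ENCRYPTED_LIKE,
    "//ws-042/c$/Users/alice/old_config.bak": b"key=value\nkey2=value2\n",  # odd ext, low entropy
    "//fs02/hr/policy.pdf": b"%PDF-1.7 plain sample content",
}

if __name__ == "__main__":
    for artifact, value in triage(SAMPLE_FILES).items():
        print(f"{artifact}: {value}")
```

On a real share, build the dictionary by walking with os.walk and reading only the first few KiB of each file, and run it from a clean analysis host so nothing is written to the affected volume.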

Need help executing this step? Our IR team responds in 4 hours.

Phase 2: Contain

Isolate Affected Systems

Prevent further spread of the ransomware

  • Disconnect affected systems from the network (do NOT power off, so that memory and other volatile evidence survive for the next step)
  • Block known malicious IPs and domains at the firewall
  • Disable affected user accounts
  • Segment the network to protect clean systems

Preserve Evidence

Collect forensic evidence for analysis

  • Create forensic images of affected systems
  • Capture memory dumps if possible
  • Preserve all logs (security, application, system)
  • Document timeline of events

Artifacts

Forensic images
Memory dumps
Log exports

Phase 3: Eradicate

Identify Attack Vector

Determine how the ransomware entered the environment

  • Review email logs for phishing attempts
  • Check for exploited vulnerabilities
  • Analyze RDP/VPN access logs
  • Review recent software installations

Remove Malware

Clean ransomware from all affected systems

  • Run updated antivirus/EDR scans
  • Remove malicious files and registry entries
  • Patch exploited vulnerabilities
  • Reset compromised credentials

Phase 4: Recover

Restore from Backups

Recover data and systems from clean backups

  • Verify backup integrity before restoration
  • Restore critical systems first
  • Restore data from the last known clean backup
  • Test restored systems before reconnecting them to the network

Return to Operations

Safely bring systems back online

  • Gradually reconnect restored systems to the network
  • Monitor for signs of reinfection
  • Verify that all business functions are operational
  • Communicate recovery status to stakeholders

Phase 5: Post-Incident

Conduct Lessons Learned

Review incident response and identify improvements

  • Document complete incident timeline
  • Identify what worked and what needs improvement
  • Update incident response procedures
  • Plan security improvements to prevent recurrence

Artifacts

Post-Incident Report
Improvement recommendations

Ransomware Response Playbook | Protectyr