# Ransomware Response Playbook
A ransomware response playbook is the predefined, step-by-step operational procedure that an organization executes when ransomware is detected in the environment. The playbook covers the full response lifecycle: detection confirmation, containment, assessment, recovery decision (restore from backup or negotiate payment), eradication, recovery execution, communication, and post-incident improvement.
This article is distinct from the Ransomware article (which covers the threat: what ransomware is, how it works, and how to prevent it). This article covers the response: what to do when prevention has failed and ransomware is active in the environment. The playbook assumes the worst-case scenario: encryption is underway, the scope is unknown, and the clock is running.
The organizations that survive ransomware without paying are the organizations that had a playbook, rehearsed it, and executed it under pressure. The organizations that pay or suffer catastrophic disruption are the organizations that had no playbook, no tested backups, and no rehearsal. The time to build the playbook is before the ransomware, not during.
Confirm the event. Distinguish ransomware from other security events. Indicators: ransom note files appearing on file shares, file extensions changing to unknown types (.encrypted, .locked, custom extensions), volume shadow copies being deleted (vssadmin delete shadows), EDR alerts for known ransomware behaviors (mass file encryption, process injection into LSASS), and user reports of inaccessible files.
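Confirmation is easier when the indicators above are checked against telemetry together rather than one at a time. The following is an added example, not code from the article: it triages constructed EDR-style process and file events for shadow-copy deletion, ransom-note creation, and bursts of renames to unknown extensions, and confirms a host only when two independent indicators agree. The event shape, note filenames, extension list, and burst threshold are assumptions.

```python
"""Added example (not from the article): triage constructed EDR-style events
for the ransomware indicators above. Event shape and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXTS = {".encrypted", ".locked", ".lockbit"}        # assumed extension list
RANSOM_NOTE_NAMES = {"readme_to_restore.txt", "how_to_decrypt.html"}  # constructed
RENAME_BURST = 20  # suspicious renames per host within 60 s that count as mass encryption

# Constructed sample telemetry: (timestamp, host, event_type, detail)
EVENTS = [
    ("2024-05-01T02:14:03", "FS01", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-05-01T02:14:20", "FS01", "file_create", r"\\FS01\share\readme_to_restore.txt"),
] + [
    ("2024-05-01T02:15:%02d" % s, "FS01", "rename", r"\\FS01\share\doc%d.docx.locked" % s)
    for s in range(25)
] + [
    ("2024-05-01T02:16:00", "WS07", "rename", r"C:\Users\a\notes.txt.bak"),  # benign
]

def is_shadow_deletion(cmdline):
    c = cmdline.lower()
    return "vssadmin" in c and "delete" in c and "shadows" in c

def triage(events):
    """Return {host: sorted list of indicator names} for hosts with any indicator."""
    findings = defaultdict(set)
    renames = defaultdict(list)  # host -> timestamps of renames to suspect extensions
    for ts, host, kind, detail in events:
        if kind == "process" and is_shadow_deletion(detail):
            findings[host].add("shadow_copy_deletion")
        elif kind == "file_create" and detail.rsplit("\\", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            findings[host].add("ransom_note")
        elif kind == "rename" and any(detail.lower().endswith(e) for e in SUSPECT_EXTS):
            renames[host].append(datetime.fromisoformat(ts))
    for host, times in renames.items():
        times.sort()
        start = 0  # sliding 60-second window over the sorted rename timestamps
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=60):
                start += 1
            if end - start + 1 >= RENAME_BURST:
                findings[host].add("mass_encryption")
                break
    return {h: sorted(f) for h, f in findings.items()}

def confirmed_hosts(findings):
    """Hosts with two or more independent indicators: confirm the event and alert."""
    return sorted(h for h, f in findings.items() if len(f) >= 2)
```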
Alert the response team. Activate the incident response team immediately. Do not wait for investigation to complete before alerting. The IR commander, SOC lead, IT operations lead, and executive sponsor (CISO or equivalent) are notified. The cyber insurance carrier is notified to activate the IR panel (forensic firm, breach counsel, negotiation firm). Early notification provides the fastest access to external expertise.
Preserve evidence before containment. Before isolating systems, capture volatile evidence where feasible: memory dumps of affected systems (running processes, encryption keys in memory, network connections), screenshots of ransom notes, and SIEM/EDR log exports. Evidence preserved in the first 30 minutes is frequently the most valuable for forensic investigation and insurance claims. Balance evidence preservation with containment urgency: do not delay containment to capture evidence from every system, but capture what is immediately accessible.
Containment and evidence preservation overlap. Containment actions begin as soon as ransomware is confirmed, even while evidence preservation is ongoing.
Isolate affected systems. Use EDR to isolate confirmed-infected endpoints from the network. If EDR isolation is not available, disconnect network cables or disable switch ports. The goal: stop the ransomware from spreading to additional systems. Every minute of delay is additional systems encrypted.
Isolate backup infrastructure. If not already air-gapped or immutable, immediately disconnect backup servers, repositories, and storage from the network. Ransomware operators specifically target backup infrastructure: they identify backup servers, compromise backup administrator credentials, and delete or encrypt backup repositories before launching the encryption payload. Protecting backups is the difference between recovery and total loss.
Disable compromised accounts. If the attacker's access path is identified (compromised user account, compromised service account, compromised VPN credentials), disable those accounts immediately. If the attacker achieved domain admin, the containment decision is more complex: resetting the KRBTGT password (twice, to invalidate Golden Tickets) may be necessary but requires careful execution to avoid disrupting legitimate authentication.
Segment the network. If the ransomware is spreading through lateral movement, implement emergency network segmentation: isolate affected network segments from unaffected segments using firewall rules or switch ACLs. This limits the blast radius to the affected segment rather than allowing propagation to the entire network.
Assess the scope. While containment is underway, assess the scope: how many systems are encrypted? Which network segments are affected? Are domain controllers compromised? Are backup systems compromised? Is the encryption still active or has it been contained? The scope assessment determines the recovery strategy and the notification obligations.
With the ransomware contained and the scope assessed, the organization faces the critical decision: restore from backup or engage with the attacker.
Evaluate backup viability. Can the organization restore from backup? Are the backups intact (not encrypted, not deleted, not corrupted)? Are the backups current enough (does the RPO meet business requirements)? Has the organization tested backup restoration (is the RTO achievable)? If the answer to all three questions is yes, restoration is the preferred path. If any answer is no, the decision becomes more complex.
Evaluate the ransom demand. What is the ransom amount? Is it within the organization's financial capacity? Does the cyber insurance policy cover ransom payments (check the policy language, sub-limits, and nation-state exclusions)? What is the attacker's reputation for providing working decryption keys after payment (some groups have reliable decryption; others provide broken tools or do not respond after payment)?
Evaluate data exfiltration. Did the attacker exfiltrate data before encrypting? Double extortion (pay to decrypt AND pay to prevent publication of stolen data) complicates the decision: even if the organization restores from backup (making decryption unnecessary), the attacker still holds the exfiltrated data and will publish it if not paid. Forensic investigation determines whether exfiltration occurred by examining network telemetry, DLP logs, and endpoint evidence.
The decision framework.
Backups viable + no exfiltration: restore from backup. Do not pay. The ransomware demand is irrelevant because the organization can recover independently and has no data leverage to worry about.
Backups viable + data exfiltrated: restore from backup for recovery. The exfiltration creates a separate decision about whether to pay to prevent publication. This decision involves legal counsel, insurance carrier, and executive leadership. There is no guarantee that paying prevents publication (attackers have published data after receiving payment).
Backups not viable + no exfiltration: the organization must negotiate or rebuild from scratch. Negotiation may be the faster path to recovery. Rebuilding from scratch is the more expensive but more certain path (no dependency on the attacker providing a working decryption key).
Backups not viable + data exfiltrated: the worst case. The organization cannot recover independently and faces data publication. Negotiation, legal counsel, insurance activation, and board-level decision-making are all required simultaneously.
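The backup-viability questions and the four-way decision above can be worked as one check. The following is an added example, not code from the article: it picks the newest intact backup from a constructed catalog, tests it against the RPO and the last measured restore time against the RTO, and maps the result together with the exfiltration finding onto the decision framework. Catalog fields, timestamps, and thresholds are constructed.

```python
"""Added example (not from the article): backup viability against RPO/RTO,
then the restore-or-engage decision. All values are constructed."""
from datetime import datetime, timedelta

INCIDENT_TIME = datetime(2024, 5, 1, 2, 14)
RPO = timedelta(hours=36)
RTO = timedelta(hours=8)
# 'clean' is the forensic verdict (not encrypted, deleted or corrupted);
# 'tested_restore' is the duration of the last restore drill, None if never tested.
BACKUPS = [
    {"id": "nightly-0430", "taken": datetime(2024, 4, 30, 23, 0), "clean": False, "tested_restore": None},
    {"id": "immutable-0429", "taken": datetime(2024, 4, 29, 23, 0), "clean": True, "tested_restore": timedelta(hours=6)},
    {"id": "tape-0425", "taken": datetime(2024, 4, 25, 23, 0), "clean": True, "tested_restore": timedelta(hours=30)},
]

def evaluate_backups(backups, incident_time, rpo, rto):
    """Return (viable, chosen_backup_id, reasons) using the newest intact backup."""
    clean = [b for b in backups if b["clean"] and b["taken"] <= incident_time]
    if not clean:
        return False, None, ["no intact backup"]
    best = max(clean, key=lambda b: b["taken"])
    reasons = []
    if incident_time - best["taken"] > rpo:
        reasons.append("newest clean backup older than RPO")
    if best["tested_restore"] is None:
        reasons.append("restore never tested")
    elif best["tested_restore"] > rto:
        reasons.append("tested restore exceeds RTO")
    return not reasons, best["id"], reasons

def recovery_path(backups_viable, data_exfiltrated):
    """The decision framework: viability x exfiltration -> recommended path."""
    if backups_viable and not data_exfiltrated:
        return "restore from backup; do not pay"
    if backups_viable:
        return "restore from backup; separate legal/insurance decision on publication"
    if not data_exfiltrated:
        return "negotiate or rebuild from scratch"
    return "worst case: negotiation, counsel, insurance and board decision together"
```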
Legal considerations. OFAC (Office of Foreign Assets Control) sanctions prohibit payments to sanctioned entities. Several ransomware groups (Evil Corp, some affiliates of sanctioned Russian entities) are sanctioned. Payment to a sanctioned group exposes the organization to OFAC enforcement. Breach counsel advises on sanctions risk. The insurance carrier's negotiation firm conducts due diligence on the attacker's sanctions status before facilitating payment.
Restore from backup (preferred path). Execute the Disaster Recovery plan. Restore systems in priority order based on the RTOs defined in the BIA (business impact analysis). Verify data integrity after restoration. Rebuild compromised domain controllers from clean media (do not restore domain controllers from backup if the attacker had domain admin, as the backup may contain persistence mechanisms). Rotate all credentials (user passwords, service account passwords, KRBTGT password) before reconnecting restored systems to the network.
Rebuild from clean images (if backups are compromised). Rebuild affected systems from known-clean operating system images. Reinstall applications from trusted sources. Restore data from the most recent clean backup (which may be older than the RPO if recent backups were compromised). This path is slower but eliminates the risk of restoring attacker persistence from compromised backups.
Decrypt from attacker's key (if ransom is paid). Apply the decryption tool provided by the attacker. Test on non-critical systems first to verify the tool works. Decryption is slower than restoration from backup in most cases (Colonial Pipeline learned this after paying: the attacker's decryption tool was slower than restoring from its own backups). After decryption, the environment must still be rebuilt: the attacker's access mechanisms must be eradicated regardless of whether decryption succeeds.
Eradicate the attacker. Regardless of the recovery method, the attacker's access must be eliminated before normal operations resume. Reset all compromised credentials. Remove persistence mechanisms (scheduled tasks, registry run keys, WMI subscriptions, backdoor accounts). Patch the vulnerability that provided initial access. Implement the controls that prevent the same attack path (MFA on the compromised entry point, PAM for the escalated credentials, segmentation for the lateral movement path).
Communication occurs throughout the response, not as a separate phase. See Incident Communication and Notification for detailed guidance.
Internal communication. Brief executive leadership within the first hour. Brief the board within 24 hours. Communicate with employees about the impact on their work and what actions they should take (change passwords, report suspicious activity, do not discuss the incident externally).
External notification. Activate breach notification obligations based on the data exfiltration assessment. Notify regulators within required timelines (GDPR 72 hours, HIPAA 60 days, SEC 4 business days for material incidents, state laws vary). Notify affected individuals as required.
Insurance. Notify the insurance carrier within the policy's required window (typically 24-72 hours). Activate the IR panel. Document every cost for the eventual claim: forensic investigation, legal counsel, notification, credit monitoring, business interruption, and (if paid) the ransom.
After-action review. Conduct a structured review: what was the initial access vector? Why did prevention fail? How fast was detection? How fast was containment? Did the backups work? What went well? What needs improvement? The AAR produces specific, assigned, deadline-tracked improvements.
Implement improvements. The ransomware event is the most expensive security assessment the organization will ever receive. Every gap it revealed must be remediated: the initial access vector patched, the missing MFA deployed, the backup architecture strengthened, the detection rules improved, and the response playbook updated based on the lessons learned.
Monitoring for re-attack. Ransomware groups re-attack organizations that paid or that demonstrated weak defenses. Enhanced monitoring for the first 90 days after the incident detects re-attack attempts before they succeed.
The ransomware response playbook is a cross-domain operation in the Planetary Defense Model. TID detects the ransomware and coordinates the response. DPS provides the backup architecture that makes recovery possible without payment. IAT manages the credential reset and access control restoration. SPH rebuilds the endpoint environment. RGA manages the communication, notification, and insurance dimensions.
CDA's Predictive Defense Intelligence (PDI) methodology applies to ransomware response through preparation: the playbook is written, the backups are tested, and the team is rehearsed before the ransomware arrives. "See the threat before it sees you." The organization that has rehearsed the ransomware playbook through Tabletop Exercises responds with the calm efficiency of a prepared team. The organization that has not rehearsed responds with the chaos of an unprepared one.
Three TOP missions directly support ransomware response readiness:
CDA's non-negotiable for ransomware readiness: tested, immutable backups. An organization with immutable backups that has tested recovery within the defined RTO does not need to negotiate with ransomware operators. The encryption is an inconvenience, not an existential threat. The backup makes the ransom demand irrelevant. That is the position CDA builds every client toward.
Written by Evan Morgan