Back to Blog
Incident Response Playbook: Handling Ransomware Attacks
Incident Response
15 min read

Incident Response Playbook: Handling Ransomware Attacks

A comprehensive step-by-step guide for responding to ransomware incidents, including containment strategies, recovery procedures, and lessons learned from real-world cases.

Het Mehta

Het Mehta

Incident Response Manager

January 8, 2025
RansomwareIncident ResponseForensicsRecovery

Incident Response Playbook: Handling Ransomware Attacks

Ransomware attacks have become one of the most significant threats to organizations worldwide. This playbook provides a structured approach to responding to ransomware incidents effectively.

Immediate Response (First 30 Minutes)

1. Incident Identification and Classification

When ransomware is suspected or confirmed:

# Immediate system isolation commands

Disconnect from network (preserve evidence)


sudo ifconfig eth0 down

sudo systemctl stop networking
Document current system state


ps aux > /tmp/processes_$(date +%Y%m%d_%H%M%S).txt

netstat -tulpn > /tmp/network_$(date +%Y%m%d_%H%M%S).txt

2. Activate Incident Response Team

Key Roles:

- Incident Commander

- Technical Lead

- Communications Lead

- Legal Counsel

- Executive Sponsor

3. Initial Containment

Prevent further spread while preserving evidence:

1. **Isolate affected systems** (don't power off immediately)

2. **Identify patient zero** - the initial infection point

3. **Check backup systems** for integrity

4. **Preserve system memory** for forensic analysis

Investigation Phase (Hours 1-4)

Forensic Data Collection

# Example: Memory dump collection

import subprocess

import datetime
def collect_memory_dump(output_path):

    timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")

    dump_file = f"{output_path}/memory_dump_{timestamp}.mem"

    

    try:

        # Using volatility for memory analysis

        subprocess.run([

            "volatility", "-f", "/dev/mem", 

            "--profile=LinuxUbuntu1804x64",

            "linux_pslist", "-o", dump_file

        ], check=True)

        return dump_file

    except subprocess.CalledProcessError as e:

        print(f"Memory dump failed: {e}")

        return None

Ransomware Identification

Common indicators to look for:

- **File extensions** changed to unusual formats

- **Ransom notes** in multiple directories

- **Encryption processes** running

- **Network communications** to known C&C servers

# Search for common ransomware indicators

find / -name "*.encrypted" -o -name "*.locked" -o -name "*README*" 2>/dev/null

grep -r "bitcoin\|ransom\|decrypt" /home/ 2>/dev/null

Containment and Eradication

Network Segmentation

Implement emergency network segmentation:

# Emergency firewall rules

firewall_rules:

  - action: DENY

    source: infected_subnet

    destination: critical_servers

    ports: all

  

  - action: ALLOW

    source: incident_response_team

    destination: infected_subnet

    ports: [22, 3389]  # SSH, RDP for investigation

System Isolation Strategy

1. **Tier 1**: Confirmed infected systems - full isolation

2. **Tier 2**: Potentially infected systems - limited network access

3. **Tier 3**: Clean systems - enhanced monitoring

Recovery Phase

Backup Verification and Restoration

#!/bin/bash
BACKUP_PATH="/backup/daily"

VERIFICATION_LOG="/var/log/backup_verification.log"
verify_backup() {

    local backup_file="$1"

    local checksum_file="${backup_file}.sha256"

    

    if [ -f "$checksum_file" ]; then

        if sha256sum -c "$checksum_file"; then

            echo "$(date): $backup_file - VERIFIED" >> "$VERIFICATION_LOG"

            return 0

        else

            echo "$(date): $backup_file - CORRUPTED" >> "$VERIFICATION_LOG"

            return 1

        fi

    else

        echo "$(date): $backup_file - NO CHECKSUM" >> "$VERIFICATION_LOG"

        return 2

    fi

}
Verify all backups


for backup_file in $(find "$BACKUP_PATH" -name "*.tar.gz"); do

    verify_backup "$backup_file"

done

Clean System Rebuild

1. **Format affected systems** completely

2. **Reinstall operating systems** from clean media

3. **Restore data** from verified clean backups

4. **Apply all security patches** before reconnecting

Post-Incident Activities

Lessons Learned Session

Conduct a thorough post-incident review:

Key Questions:

- What was the initial attack vector?

- How long did the attacker have access?

- What controls failed or succeeded?

- How can we prevent similar incidents?

Improvement Recommendations

## Security Enhancements
Immediate (0-30 days)


- [ ] Deploy endpoint detection and response (EDR)

- [ ] Implement application whitelisting

- [ ] Enhance backup procedures
Short-term (30-90 days)


- [ ] Security awareness training

- [ ] Network segmentation improvements

- [ ] Incident response plan updates
Long-term (90+ days)


- [ ] Zero Trust architecture implementation

- [ ] Advanced threat hunting capabilities

- [ ] Third-party security assessment

Prevention Strategies

Technical Controls

1. **Email Security** - Advanced threat protection

2. **Endpoint Protection** - Next-generation antivirus

3. **Network Monitoring** - Behavioral analysis

4. **Backup Strategy** - 3-2-1 rule implementation

Administrative Controls

1. **Security Policies** - Regular updates and enforcement

2. **User Training** - Phishing simulation and awareness

3. **Incident Response** - Regular drills and updates

4. **Vendor Management** - Third-party risk assessment

Conclusion

Ransomware response requires preparation, quick action, and systematic execution. Regular testing of this playbook through tabletop exercises ensures your team is ready when an incident occurs.

Remember: The goal is not just to recover from the attack, but to emerge stronger and more resilient than before.

Het Mehta

About Het Mehta

Incident Response Manager with extensive experience in cybersecurity crisis management and digital forensics.