Ransomware incident response playbook
When ransomware hits at 03:00, you do not have time to think — you execute. Here is a tight playbook calibrated for the modern double-extortion era.
Modern ransomware operations follow a predictable kill chain: initial access via phishing, RDP brute force, or exploited edge devices (recent campaigns abused CVE-2024-3400 in PAN-OS GlobalProtect, CVE-2024-1709 in ConnectWise ScreenConnect, and CVE-2024-21887 in Ivanti Connect Secure); a hands-on-keyboard phase built on legitimate and dual-use tools, with PsExec for lateral movement, BITSAdmin for staging and downloads, and AnyDesk for persistent remote access; data exfiltration to MEGA or Dropbox, typically with rclone, spread over weeks to stay under egress thresholds; and finally encryption with LockBit, Akira, BlackCat/ALPHV variants, or Play. The double-extortion model means that even with good backups you still face publication of the stolen data.
Hour zero begins the moment encryption is detected. Step one: isolate. Cut affected segments at the firewall and block compromised identities from cloud SaaS via conditional access policies. Do not power off encrypting hosts if you can isolate them at the network layer, because memory artifacts (keys, injected payloads, live network connections) help forensics; if a host cannot be isolated, powering it down is still better than letting it encrypt further or spread. Step two: declare the incident, activate your retainer with an incident response firm, and notify counsel so that the investigation runs under privilege. In Azerbaijan, banks must notify the Central Bank under the operational risk reporting rules; personal data breaches require notification to the Ministry of Digital Development under the Personal Data Law within the prescribed window.
Step three is preserving evidence and scoping. Capture memory first, then image at least one encrypted host and the original patient zero if identifiable; a disk image alone loses the volatile state that isolation was meant to protect. Pull EDR telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) for at least the prior 30 days, and extend the window as soon as the earliest suspicious event approaches its edge, since dwell time before encryption routinely exceeds a month. Search that telemetry for known IOCs from the threat actor's profile (CISA, Mandiant, and Group-IB publish actor-specific TTPs). Identify what was exfiltrated by reviewing egress logs, cloud storage telemetry, and DLP alerts; the intrusion start date you establish here also defines which backups can be trusted. Assume worst case until proven otherwise.
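The scoping step above, and the kill chain described earlier, are easier to see in code. The following is an added example (not the article's own tooling) that triages constructed EDR process events and proxy logs: it flags dual-use tools and IOC hash matches, aggregates uploads to file-sharing domains per source over the weeks of exfiltration, and checks whether the earliest suspicious event falls outside the 30-day telemetry pull. The key=value log format, hostnames, users, domains and hashes are all assumptions; the hashes are placeholders, not real IOCs.

```python
"""Ransomware scoping triage over constructed logs (added example; not the article's tooling)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export format: ISO timestamp followed by key=value pairs. Adapt the regex to your EDR.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry. Hosts, users and hashes are placeholders.
EDR_EVENTS = """\
2024-04-19T08:02:11Z host=WS-017 user=CORP\\jdoe proc=outlook.exe sha256=1111 parent=explorer.exe
2024-04-19T08:03:40Z host=WS-017 user=CORP\\jdoe proc=invoice.pdf.exe sha256=deadbeef parent=outlook.exe
2024-04-22T23:14:05Z host=DC01 user=CORP\\svc_backup proc=psexesvc.exe sha256=2222 parent=services.exe
2024-04-30T02:41:18Z host=FS01 user=CORP\\svc_backup proc=bitsadmin.exe sha256=3333 parent=cmd.exe
2024-05-25T03:05:52Z host=FS01 user=CORP\\svc_backup proc=lockfile.exe sha256=cafebabe parent=psexesvc.exe
""".splitlines()

PROXY_LOGS = """\
2024-04-23T22:05:10Z src=10.0.4.17 dst=mega.nz bytes_out=734003200
2024-04-25T22:11:43Z src=10.0.4.17 dst=mega.nz bytes_out=1610612736
2024-04-28T01:30:09Z src=10.0.4.17 dst=mega.nz bytes_out=2147483648
2024-05-01T09:15:00Z src=10.0.2.8 dst=dropbox.com bytes_out=5242880
2024-05-02T23:48:31Z src=10.0.4.17 dst=mega.nz bytes_out=3221225472
""".splitlines()

# Actor IOCs would come from CISA/Mandiant/Group-IB reporting; these are placeholders.
IOC_HASHES = {"deadbeef", "cafebabe"}
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "bitsadmin.exe", "anydesk.exe"}
EXFIL_DOMAINS = {"mega.nz", "dropbox.com"}
EXFIL_THRESHOLD_BYTES = 1 << 30  # 1 GiB per source to a file-sharing domain (assumed threshold)


def parse_line(line):
    """Split a timestamped key=value line into a dict with a parsed datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_lateral_and_iocs(events):
    """Hits where the process is a known dual-use tool or its hash matches an actor IOC."""
    hits = []
    for ev in map(parse_line, events):
        reasons = []
        if ev.get("proc", "").lower() in LATERAL_TOOLS:
            reasons.append("lateral-tool")
        if ev.get("sha256") in IOC_HASHES:
            reasons.append("ioc-hash")
        if reasons:
            hits.append((ev["ts"], ev["host"], ev["proc"], reasons))
    return sorted(hits)


def find_exfiltration(proxy_lines, threshold=EXFIL_THRESHOLD_BYTES):
    """Sum bytes sent per source to file-sharing domains over the whole window;
    only sources over the threshold are returned, with first/last upload times."""
    totals = defaultdict(lambda: {"bytes": 0, "first": None, "last": None, "dst": set()})
    for rec in map(parse_line, proxy_lines):
        if rec.get("dst") not in EXFIL_DOMAINS:
            continue
        agg = totals[rec["src"]]
        agg["bytes"] += int(rec["bytes_out"])
        agg["dst"].add(rec["dst"])
        agg["first"] = rec["ts"] if agg["first"] is None else min(agg["first"], rec["ts"])
        agg["last"] = rec["ts"] if agg["last"] is None else max(agg["last"], rec["ts"])
    return {src: agg for src, agg in totals.items() if agg["bytes"] >= threshold}


def scoping_window(encryption_detected, events, proxy_lines, pulled_days=30):
    """Earliest suspicious timestamp, the dwell time before encryption, and whether that
    dwell already exceeds the telemetry window pulled (so the pull must be extended)."""
    candidates = [hit[0] for hit in find_lateral_and_iocs(events)]
    candidates += [agg["first"] for agg in find_exfiltration(proxy_lines).values()]
    earliest = min(candidates) if candidates else encryption_detected
    dwell = encryption_detected - earliest
    return {"earliest": earliest, "dwell_days": dwell.days,
            "extend_pull": dwell > timedelta(days=pulled_days)}


if __name__ == "__main__":
    detected = parse_line("2024-05-25T03:10:00Z host=NAS01")["ts"]  # constructed detection time
    for ts, host, proc, why in find_lateral_and_iocs(EDR_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {host:<7} {proc:<16} {','.join(why)}")
    for src, agg in find_exfiltration(PROXY_LOGS).items():
        print(f"exfil {src}: {agg['bytes'] / 2**30:.1f} GiB to {sorted(agg['dst'])} "
              f"between {agg['first']:%Y-%m-%d} and {agg['last']:%Y-%m-%d}")
    print(scoping_window(detected, EDR_EVENTS, PROXY_LOGS))
```

With the constructed data, the first IOC hit (the `invoice.pdf.exe` dropped by Outlook) lands 35 days before detection, so `extend_pull` is true: the 30-day telemetry pull would miss patient zero. The exfiltration summary also gives the first upload date, which is the cutoff for trusting backups in the recovery step.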
Recovery prioritizes business-critical systems from immutable backups. Before restoring, check each backup against the intrusion start date established during scoping: a snapshot taken during the attacker's dwell time may contain their persistence, so restore from copies that predate the intrusion or scan them in isolation first. Test restorations on clean infrastructure, never the original VLAN. Rotate every credential, certificate, and API token that ever touched compromised systems, and in an Active Directory environment reset the krbtgt account password twice so that any golden tickets the attacker minted stop working. Patch the initial access vector; hardening must precede reconnection. Decisions on ransom payment sit with the board and legal counsel: many jurisdictions restrict or sanction payments to listed actors, and your cyber insurer will have explicit policies. Post-incident, complete a full root cause analysis within 30 days and feed every gap into the next audit cycle.