Ransomware Incident Playbook¶

Metadata¶

Trigger Conditions¶

Activate this playbook on any of the following:

• [ ] VSS / Volume Shadow Copy deletion detected (vssadmin delete shadows, wmic shadowcopy delete)
• [ ] Bulk file extension change alert from EDR (e.g., .locked, .encrypted, .[threat-actor])
• [ ] Mass file rename/write events exceeding threshold (>500 files/min on any host)
• [ ] Ransom note file detected (README.txt, DECRYPT_FILES.html, HOW_TO_RECOVER.txt)
• [ ] Backup system or agent reporting sudden disconnection
• [ ] EDR alert: vssadmin, bcdedit /set recoveryenabled no, or wbadmin delete catalog
• [ ] Network anomaly: large outbound transfer to unknown destination immediately prior

Decision Tree¶

flowchart TD
    A([Ransomware Trigger Detected]) --> B{Is encryption\nactively in progress?}
    B -- Yes --> C[ISOLATE affected hosts\nimmediately via EDR]
    B -- No --> D{Identify patient zero\nand blast radius}
    C --> E{Is a Domain Controller\naffected?}
    D --> E
    E -- Yes --> F[Initiate krbtgt\ndouble-reset procedure]
    E -- No --> G{Is exfiltration\nconfirmed?}
    F --> G
    G -- Yes --> H[Notify Legal\nStart regulatory clock\nOFAC check]
    G -- No --> I[Proceed to\nPhase 2 — Eradicate]
    H --> I
    I --> J{Backups\nintact and clean?}
    J -- Yes --> K[Phase 3 — Recover\nfrom immutable backup]
    J -- No --> L[Assess ransom\nnegotiation framework\nOFAC screen first]
    K --> M([Post-Incident Review])
    L --> M

Phase 1 — Contain (0–2 Hours)¶

1.1 EDR Isolation¶

CrowdStrike Falcon (CLI):

# Isolate a host by device ID
falconctl -s --cid=<CID> network-containment --action=contain --host-id=<DEVICE_ID>

# Bulk isolate by hostname list
while IFS= read -r host; do
  falconctl contain --hostname "$host"
done < affected_hosts.txt

# Verify containment status
falconctl containment status --hostname <HOSTNAME>

Microsoft Defender for Endpoint (MDE) via PowerShell:

# Isolate device via MDE API (requires DeviceId)
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
Invoke-RestMethod -Method Post `
  -Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/isolate" `
  -Headers $headers `
  -Body '{"Comment":"Ransomware IR — IR-PB-001","IsolationType":"Full"}'

1.2 Active Directory — Emergency Account Actions¶

# Disable all accounts observed in ransom execution context
$accounts = @("svc-backup","svc-admin","compromised-user")
foreach ($acct in $accounts) {
    Disable-ADAccount -Identity $acct
    Write-Host "[$(Get-Date -Format u)] Disabled: $acct"
}

# Force logoff active sessions for compromised accounts
$sessions = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -gt (Get-Date).AddHours(-4) }
# Review $sessions before mass revocation

1.3 Backup System Isolation¶

• [ ] Immediately disconnect backup agents on affected hosts from the backup network VLAN
• [ ] Set backup server to read-only mode — no new jobs accepted
• [ ] Verify immutable/air-gapped backup integrity (do not mount until Phase 3)
• [ ] Notify cloud backup provider (e.g., Veeam Cloud Connect, Azure Backup) to halt sync

1.4 Stakeholder Notifications (within 30 min)¶

Phase 2 — Eradicate (2–24 Hours)¶

2.1 Malware Removal¶

• [ ] Submit ransom binary, note, and dropped files to sandbox (CrowdStrike Sandbox, Any.run, VirusTotal)
• [ ] Identify ransomware family via Ransom.live, ID Ransomware (nomoreransom.org)
• [ ] Pull IOCs (hashes, C2 IPs, registry keys) and push to EDR as custom IOAs
• [ ] Run full EDR scan across all non-isolated hosts with updated IOC set

2.2 Persistence Hunting Checklist¶

• [ ] Scheduled tasks: schtasks /query /fo LIST /v | findstr /i "ransomware-related-name"
• [ ] Registry run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• [ ] WMI subscriptions: Get-WMIObject -Namespace root\subscription -Class __EventFilter
• [ ] Services: look for newly created services in the 48h window prior to execution
• [ ] Startup folders: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
• [ ] BITS jobs: bitsadmin /list /allusers /verbose

2.3 krbtgt Double-Reset Procedure¶

# Step 1 — Reset krbtgt password (first reset)
Import-Module ActiveDirectory
$krbtgt = Get-ADUser -Identity krbtgt
Set-ADAccountPassword -Identity krbtgt -Reset `
    -NewPassword (ConvertTo-SecureString -AsPlainText (New-Guid).Guid -Force)
Write-Host "[$(Get-Date -Format u)] krbtgt first reset complete. Ticket lifetime: wait 10 hours."

# Step 2 — Wait at minimum the maximum Kerberos ticket lifetime (default 10 hours)
# Then perform second reset to invalidate any Golden Tickets minted after the first reset
Set-ADAccountPassword -Identity krbtgt -Reset `
    -NewPassword (ConvertTo-SecureString -AsPlainText (New-Guid).Guid -Force)
Write-Host "[$(Get-Date -Format u)] krbtgt second reset complete."

2.4 Credential Reset Scope¶

Phase 3 — Recover (24–72 Hours)¶

3.1 Recovery Tier Priorities¶

Tier 1 (0–8h):   Domain Controllers → DNS → DHCP → Authentication Infrastructure
Tier 2 (8–24h):  Core business applications → Email → VPN
Tier 3 (24–48h): Secondary apps → File shares → Collaboration tools
Tier 4 (48–72h): Non-critical systems → Dev/test environments

3.2 Restore from Immutable Backups¶

• [ ] Verify backup hash integrity before mounting: sha256sum backup.vbk
• [ ] Restore to isolated VLAN — do not reconnect to production until clean bill of health
• [ ] Validate restored systems with EDR scan before production reconnection
• [ ] Confirm no ransomware artifacts present in restored data (check backup timestamp vs. infection time)
• [ ] Re-apply all security baselines (CIS Benchmarks, STIG) post-restore

3.3 Integrity Verification¶

# Verify critical system file hashes post-restore
find /restored_mount -type f -name "*.exe" -o -name "*.dll" | \
  xargs sha256sum > post_restore_hashes.txt
# Compare against known-good baseline
diff known_good_hashes.txt post_restore_hashes.txt

Phase 4 — Post-Incident Actions¶

4.1 OFAC Sanctions Check¶

• [ ] Cross-reference ransomware group against OFAC SDN list (ofac.treasury.gov)
• [ ] Review CISA ransomware advisories for attribution
• [ ] Obtain legal opinion before ANY negotiation or payment

4.2 Law Enforcement Notification¶

4.3 Regulatory Notifications¶

4.4 Ransom Negotiation Decision Framework¶

Decision Gate 1: Are backups viable? → YES → Do not pay. Recover from backup.
Decision Gate 2: OFAC sanctions check → SANCTIONED GROUP → Do not pay. Legal exposure.
Decision Gate 3: Exfiltration confirmed + sensitive data → Legal + insurance review
Decision Gate 4: Business impact of non-recovery > estimated ransom → Insurance claim + legal opinion
Final: Any payment requires legal counsel sign-off + cyber insurance carrier notification

Runbook Checklist¶

Detection & Triage¶

• [ ] Incident confirmed and IR bridge opened
• [ ] Severity assigned (P1 — Critical)
• [ ] IR Lead designated and on bridge
• [ ] CISO, Legal, and Executive Sponsor notified
• [ ] Patient zero identified

Containment¶

• [ ] All affected hosts isolated via EDR
• [ ] Compromised AD accounts disabled
• [ ] Backup systems disconnected from production
• [ ] Network egress to attacker C2 blocked (firewall/proxy)

Eradicate¶

• [ ] Ransomware family identified
• [ ] IOCs pushed to EDR and SIEM
• [ ] Persistence mechanisms removed
• [ ] krbtgt double-reset completed (if DC affected)
• [ ] All compromised credentials reset

Recover¶

• [ ] Backup integrity verified
• [ ] Systems restored in tier priority order
• [ ] EDR scan passed on all restored systems
• [ ] Security baselines re-applied

Post-Incident¶

• [ ] OFAC check completed and documented
• [ ] FBI / CISA notified
• [ ] Regulatory notifications sent (log dates)
• [ ] Cyber insurance claim filed
• [ ] Post-incident review scheduled (within 2 weeks)
• [ ] Lessons learned documented and actioned

Nexus SecOps Benchmark Control Mapping¶