T1486: Ransomware Response
A step-by-step playbook for the first 60 minutes of a ransomware incident — isolate, identify, preserve evidence, check backups, and decide whether to contain or escalate. Includes detection Event IDs, SPL/KQL queries, and variant-specific triage.
What This Playbook Covers
- This playbook handles the first 60 minutes between the moment ransomware is confirmed (encrypted files, ransom note present, or encryption in progress) and the initial containment decision.
- It does not replace a full incident response plan — it is the immediate-response checklist for the SOC analyst or first responder who gets the call before the IR team is assembled.
- MITRE ATT&CK maps the impact phase to T1486 (Data Encrypted for Impact).
Phase 0: Triage — Confirm It Is Ransomware (0-5 minutes)
Before executing any response actions, confirm you are dealing with ransomware:
| Indicator | Where to Check | Confirmation |
|---|---|---|
| File renaming | Network share — are .locked, .encrypt, .crypt, or random file extensions appearing? | Check a few files — can they still be opened? |
| Ransom note | Desktop, root of drives, all directories — README.txt, HOW_TO_DECRYPT.html, DECRYPT_INSTRUCTIONS.txt | Read a line. Note the group name and contact method. |
| Process encryption | EDR alert or manual check — is a process writing to many files at high speed? | Task Manager → High disk I/O from an unknown process |
| High disk I/O alerts | EDR or Sysmon — thousands of WriteFile operations per second | Correlate with file creation events (Sysmon Event ID 11, FileCreate) |
SPL query — detect mass file encryption via Sysmon Event ID 11 (run in Splunk; events are binned into 60-second windows before counting):
index=windows sourcetype=WinEventLog:Sysmon EventCode=11
| bin _time span=60s
| stats count, values(TargetFilename) AS files by _time, Computer, Image
| where count > 100
| eval alert = "CRITICAL — " . count . " file creations in 60 seconds by " . Image . " — possible ransomware encryption in progress"
| table _time, Computer, Image, count, files, alert
| sort - count
SPL query — detect file rename storm (Sysmon Event ID 11, new files carrying a known ransomware extension, binned into 30-second windows):
index=windows sourcetype=WinEventLog:Sysmon EventCode=11
| search TargetFilename="*.*.encrypt" OR TargetFilename="*.*.locked" OR TargetFilename="*.*.crypt" OR TargetFilename="*.*.lockbit" OR TargetFilename="*.*.blackcat" OR TargetFilename="*.*.ako"
| bin _time span=30s
| stats count by _time, Computer, Image
| where count > 20
| eval alert = "CRITICAL — mass file renaming by " . Image . " — ransomware likely"
| table _time, Computer, Image, count, alert
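The same windowed counting logic, run over constructed Sysmon Event ID 11 records instead of a Splunk index, as an added example that is not part of the playbook. It mirrors the two SPL queries above (60-second mass-creation window with threshold 100, 30-second rename-storm window with threshold 20) and the ransom-note filename patterns from Phase 2; the host name, process paths and file paths in the sample data are constructed for the demonstration.

```python
"""Windowed triage of Sysmon Event ID 11 (FileCreate) records, offline."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Extensions from the rename-storm query; NOTE_MARKERS mirrors the Phase 2 ransom-note query.
RANSOM_EXTENSIONS = (".encrypt", ".locked", ".crypt", ".lockbit", ".blackcat", ".ako")
NOTE_MARKERS = ("README", "HOW_TO_DECRYPT", "RECOVER", "DECRYPT",
                "HELP_YOUR_FILES", "DECRYPT_INFO", "RESTORE")


def _bucket(ts: datetime, window_s: int) -> datetime:
    """Floor a timestamp to the start of its window (SPL: | bin _time span=Ns)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % window_s, tz=timezone.utc)


def windowed_counts(events, window_s, keep=lambda e: True):
    """Count events per (Computer, Image, window), like stats count by _time, Computer, Image."""
    counts = defaultdict(int)
    for e in events:
        if keep(e):
            counts[(e["Computer"], e["Image"], _bucket(e["_time"], window_s))] += 1
    return counts


def _alerts(counts, threshold, label):
    hits = [{"Computer": c, "Image": i, "window": w, "count": n,
             "alert": f"CRITICAL: {label} by {i}"}
            for (c, i, w), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda a: (-a["count"], a["window"]))


def mass_write_alerts(events, window_s=60, threshold=100):
    """First query: more than `threshold` FileCreate events by one image in one window."""
    return _alerts(windowed_counts(events, window_s), threshold, "mass file creation")


def rename_storm_alerts(events, window_s=30, threshold=20):
    """Second query: same count, restricted to files that received a ransomware extension."""
    ransom_ext = lambda e: e["TargetFilename"].lower().endswith(RANSOM_EXTENSIONS)
    return _alerts(windowed_counts(events, window_s, ransom_ext), threshold, "mass file renaming")


def ransom_note_hits(events):
    """Phase 2 query: created files whose name matches a ransom-note pattern."""
    hits = defaultdict(int)
    for e in events:
        name = e["TargetFilename"].rsplit("\\", 1)[-1].upper()
        if any(marker in name for marker in NOTE_MARKERS):
            hits[(e["Computer"], e["TargetFilename"])] += 1
    return dict(hits)


T0 = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)  # constructed incident start


def build_sample_events():
    """Constructed records: one encrypting process (2 files/s for 60 s) and a benign sync client."""
    host, encryptor = "WS-042", r"C:\Users\jdoe\AppData\Local\Temp\update.exe"
    events = [{"_time": T0 + timedelta(seconds=i // 2), "Computer": host, "Image": encryptor,
               "TargetFilename": rf"\\FS01\finance\report_{i:03d}.docx.locked"}
              for i in range(120)]
    events.append({"_time": T0 + timedelta(seconds=59), "Computer": host, "Image": encryptor,
                   "TargetFilename": r"C:\Users\jdoe\Desktop\README.txt"})
    events += [{"_time": T0 + timedelta(seconds=5 * i), "Computer": host,
                "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                "TargetFilename": rf"C:\Users\jdoe\OneDrive\notes_{i}.txt"} for i in range(5)]
    return events


if __name__ == "__main__":
    ev = build_sample_events()
    for a in mass_write_alerts(ev) + rename_storm_alerts(ev):
        print(a["window"].isoformat(), a["count"], a["alert"])
    print(ransom_note_hits(ev))
```

On the constructed data the encrypting process trips the 60-second threshold once (121 creations, including the ransom note) and the 30-second rename threshold twice (60 renamed files in each half), while the sync client's five files stay well below both; the same functions accept any iterable of records with the four fields the SPL queries use.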
Phase 1: Immediate Isolation (5-15 minutes)
Do NOT shut down affected systems. Shutting down destroys volatile evidence (memory, running processes, network connections) and may trigger additional encryption behavior on reboot.
Checklist — Short-Term Isolation
- Isolate the affected host — disable the network interface or block switch port. Do not use shutdown.
- Block outbound C2 at the firewall — if the ransomware variant is known, block its known C2 domains/IPs. If unknown, temporarily block all outbound traffic from the affected network segment.
- Disconnect network shares — prevent the encryptor from reaching mapped drives. The attacker may have already poisoned the network share with a scheduled encryption job.
- Isolate other hosts that are communicating with the affected host. Check Sysmon Event ID 3 (network connections) for lateral movement indicators.
- Disable the affected user’s AD account — any credentials in use at the time of compromise should be treated as compromised.
What NOT to Do
| Action | Why It’s Dangerous |
|---|---|
| Power off the system | Destroys memory evidence, may trigger “I’ve been detected, encrypt everything” logic |
| Run anti-malware scan | May alter evidence, delete artifacts, or trigger additional malicious behavior |
| Reimage immediately | You lose all forensic evidence. Image first, reimage later. |
| Pay the ransom | No guarantee of decryption. Emboldens attackers. Funds criminal operations. |
Phase 2: Variant Identification (15-25 minutes)
Knowing the ransomware family tells you whether decryption is possible, whether data exfiltration was involved, and what containment steps are known to work.
Quick Identification Checklist
| Clue | Where to Check | Possible Variant |
|---|---|---|
| File extension | .lockbit, .abcd, .encrypt, .blackcat | LockBit, ALPHV/BlackCat, Akira, Royal |
| Ransom note name | README.txt, HOW_TO_DECRYPT.html, RECOVER-FILES.txt, DECRYPT_INSTRUCTIONS.txt | Check note content against known variants |
| Contact method | Email address, Tox ID, qTox chat, web portal | TOX-based = LockBit or similar; Email-based = older variants |
| Encryption speed | Fast (minutes) vs slow (hours) | Fast = intermittent encryption (LockBit, BlackCat); Slow = full encryption (older variants) |
| Exfiltration note | Ransom note mentions “your data was stolen” | Double-extortion variant — data was exfiltrated before encryption |
| Background encryption | Can you use the machine while it’s encrypting? | Yes = user-mode encryption; No = kernel-mode or interrupt-driven |
Variant-Specific Checks
| Variant | Known File Extension | Known C2 Ports | Exfiltration Method | Decryption Tool |
|---|---|---|---|---|
| LockBit 3.0 | .lockbit | 443, 80 | Yes — StealBit tool | No public tool |
| ALPHV/BlackCat | .blackcat | 443, 8443 | Yes — Rust-based | No public tool |
| Akira | .akira | 443 | Yes | No public tool |
| Royal | .royal | 443, 80 | Yes | No public tool |
| BianLian | .bianlian | 443 | Yes — data-only extortion recently | No |
| Phobos | .phobos, .eking | Various RDP ports | No | No public tool |
| Magniber | .mgnb | 443 | No | No public tool |
| WannaCry | .wncry | 445 (SMB EternalBlue) | No | Yes — free tool available |
| NotPetya | No extension (overwrites MBR) | 445 | No | No recovery |
SPL query — identify variant by ransom note filename:
index=windows sourcetype=WinEventLog:Sysmon EventCode=11
| search TargetFilename IN ("*README*.txt", "*HOW_TO_DECRYPT*", "*RECOVER*", "*DECRYPT*", "*README*.hta", "*HELP_YOUR_FILES*", "*DECRYPT_INFO*", "*RESTORE*")
| stats count, earliest(_time) AS first_seen, values(Image) AS writers by Computer, TargetFilename
| table first_seen, Computer, TargetFilename, writers, count
Phase 3: Evidence Preservation (25-35 minutes)
What to Capture Before Cleanup
| Evidence | Capture Method | Why Important |
|---|---|---|
| Full memory dump | dumpit.exe or winpmem | Contains encryption keys (if still in memory), C2 endpoint data, running processes |
| Encrypted files | Copy 5-10 encrypted files and the originals (if available) | For file analysis and variant confirmation |
| Ransom note | Full copy — filename, contents, metadata | Variant identification, communication channels |
| Event logs | wevtutil epl Security C:\captures\security.evtx | Process creation, account changes, service installation |
| Sysmon logs | wevtutil epl Microsoft-Windows-Sysmon/Operational C:\captures\sysmon.evtx | Full telemetry trail |
| Network captures | If the host is still connected, capture live traffic | C2 communication patterns, data exfiltration evidence |
| Registry export | Export HKLM\SYSTEM, HKLM\SOFTWARE, HKLM\SAM | Service entries, persistence, configuration |
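A capture is only useful later if its integrity can be demonstrated. The script below, an added example and not part of the playbook, hashes every file in the capture directory (the .evtx exports from the wevtutil commands above, the ransom-note copy, the registry exports), writes a manifest recording host, collector, UTC time, size and SHA-256, and re-verifies the manifest afterwards. The demo builds constructed stand-in files in a temporary directory; the host name and collector name are placeholders.

```python
"""Evidence manifest: hash captured artifacts and verify them later."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(capture_dir: Path, host: str, collector: str) -> dict:
    """Record every file under capture_dir (except the manifest itself) with size and hash."""
    entries = []
    for p in sorted(capture_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            entries.append({"path": str(p.relative_to(capture_dir)),
                            "size": p.stat().st_size,
                            "sha256": sha256_file(p)})
    manifest = {"host": host, "collector": collector,
                "collected_utc": datetime.now(timezone.utc).isoformat(),
                "artifacts": entries}
    (capture_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(capture_dir: Path) -> list:
    """Return the paths whose hash no longer matches or which are missing (empty list = intact)."""
    manifest = json.loads((capture_dir / "manifest.json").read_text())
    bad = []
    for a in manifest["artifacts"]:
        p = capture_dir / a["path"]
        if not p.is_file() or sha256_file(p) != a["sha256"]:
            bad.append(a["path"])
    return bad


def demo():
    """Constructed stand-ins for the captures in the table; not real evtx or registry files."""
    with tempfile.TemporaryDirectory() as d:
        cap = Path(d)
        (cap / "security.evtx").write_bytes(b"ElfFile\x00" + b"\x00" * 64)
        (cap / "sysmon.evtx").write_bytes(b"ElfFile\x00" + b"\x01" * 64)
        (cap / "ransom_note").mkdir()
        (cap / "ransom_note" / "README.txt").write_text("constructed ransom note text\n")
        manifest = build_manifest(cap, host="WS-042", collector="analyst1")
        intact = verify_manifest(cap)
        (cap / "security.evtx").write_bytes(b"tampered")      # simulate a modified artifact
        tampered = verify_manifest(cap)
        return len(manifest["artifacts"]), intact, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (and ideally a signed copy of its hash) with the case file: re-running verify_manifest over the capture directory is the check that the evidence handed to the IR team is byte-for-byte what was collected.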
Phase 4: Backup Assessment and Recovery Options (35-45 minutes)
| Backup Status | Action | Risk |
|---|---|---|
| Offline backups available (unaffected) | Wipe and restore from clean backup. | Low. Ensure the infection vector is closed before restoration. |
| Online backups available (network-connected) | Verify no encryption reached the backup server. | Medium. Attacker may have encrypted backups too. |
| No backups | Do not pay ransom. Engage IR team for recovery assessment. | High. Data may be permanently lost. |
| Backups encrypted | Check for volume shadow copies — vssadmin list shadows. | Low chance on modern ransomware. |
Backup Verification Commands
# List existing volume shadow copies and the providers backing them
vssadmin list shadows
vssadmin list providers
# If the shadow list is empty or only covers a different volume, the attacker deleted them (common ransomware behavior)
SPL query — detect volume shadow copy deletion:
index=windows sourcetype=WinEventLog:System (EventCode=33 OR EventCode=32)
| eval alert = "CRITICAL — Volume Shadow Copy deleted — ransomware or intentional evidence destruction"
| table _time, Computer, EventCode, Message
Phase 5: Escalation and Decision (45-60 minutes)
Escalation Thresholds
| Finding | Who to Contact |
|---|---|
| Single workstation encrypted | SOC Manager + IT team (reimage) |
| File server encrypted | IR team + IT management |
| Multiple servers encrypted | IR team + executive leadership |
| Domain Controller encrypted | IR team + executive + CISA (critical infrastructure) |
| Data exfiltration also confirmed | IR team + legal + executive + law enforcement |
Decision Matrix
| Scenario | Containment Action | Recovery Path |
|---|---|---|
| Single host, no lateral movement | Isolate host. Image forensically. | Restore from backup. Reimage. |
| File server + workstation | Isolate all affected hosts. Scan remaining network for encryption process. | Restore file server from clean backup. Reimage workstations. |
| Domain-wide encryption | Cut network connectivity. Move all switches to isolated segments. | Restore from offline backup. Rebuild domain from backup. |
| Data exfiltration confirmed | Preserve evidence for law enforcement. Isolate. Engage breach counsel. | Standard recovery + breach notification requirements. |
Related
- Ransomware Fundamentals — covers the ransomware fundamentals concepts
- Ransomware — detection and response for T1486 techniques
- Kill Chain — covers the kill chain concepts
- Active Directory Compromise Response — detection and response for T1558 techniques
- Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques
