Ransomware IR Runbook

DOCUMENT CONTROL

Revision history

Ver	Date	Author	Summary of change
1.0	2025-02-14	SteveisIT	Initial release
1.1	2025-06-30	SteveisIT	Added cloud / SaaS isolation steps
1.2	2025-11-12	SteveisIT	Updated regulator notification timelines
1.3	2026-05-03	SteveisIT	Revised backup-validation procedure; new comms templates

How to use this runbookKeep a printed copy offline — ransomware may encrypt the very systems hosting this document. Work top-to-bottom through the phase that matches your situation. Check each box as you complete the step.

SECTION 1

Purpose & Scope

This runbook defines the authorized procedure for responding to a suspected or confirmed ransomware incident affecting Northwind systems, data, or services. It exists to make the first hour calm, coordinated, and defensible — not improvised.

In scope: endpoints, servers, network infrastructure, cloud/SaaS tenants, and backups owned or operated by Northwind.

Out of scope: physical security incidents and non-ransomware events (see the general IR plan). When in doubt, escalate — over-reporting is free; under-reporting is expensive.

SECTION 2

Roles & responsibilities

The first responder's job is not to fix everything — it is to declare the incident and assign these roles.

Role	Responsibility	Primary	Backup
Incident Commander	Owns the response, makes the calls, runs the clock	IT Director	SteveisIT
Technical Lead	Containment & recovery execution	Sr. SysAdmin	MSP on-call
Comms Lead	Internal updates, customer/press holding statements	COO	Marketing Mgr
Legal / Compliance	Regulator & breach-notification obligations	General Counsel	Outside counsel
Executive Sponsor	Authorizes spend, ransom decision, business calls	CEO	CFO

Activate the bridgeOpen the incident bridge line and the out-of-band chat channel (Signal group "NW-IR") before doing anything else. Assume email and Teams are compromised.

SECTION 3

Severity classification

Classify within the first 15 minutes. This drives who gets woken up and how fast.

Level	Criteria	Response	Notify
SEV-1	Active encryption spreading; core business systems down	Immediate, all-hands	Exec + Legal now
SEV-2	Confirmed ransomware, contained to a segment	< 30 min	IC + Exec
SEV-3	Single host; suspicious but unconfirmed	< 2 hours	IC + Tech Lead
SEV-4	Indicator/alert only; no confirmed impact	Same business day	Tech Lead

SECTION 4

Response phases

1

Detect & Validate

objective: confirm it's ransomware and stop the bleeding decision-making

Confirm indicators: ransom note, mass file renames/extensions, spiking CPU/disk, disabled AV.
Identify patient zero and the strain (note file extension + ransom-note filename).
Declare the incident and assign roles (Section 2). Start the timeline log.
Assign a severity level (Section 3).

Do notDo not power off affected machines — you'll destroy volatile memory and forensic evidence. Isolate instead (Phase 2).

2

Contain

objective: stop lateral spread without destroying evidence

Isolate affected hosts from the network (disable switch port / Wi-Fi / pull cable — keep powered on).
Disable affected user & service accounts; force-reset privileged credentials.
Block known C2 indicators at the firewall; segment the affected VLAN.
Disconnect & protect backups — verify they are offline and untouched.
Revoke SaaS/cloud sessions & rotate API tokens for impacted tenants.

# Windows: isolate NIC without shutting down (preserves memory)
netsh interface set interface "Ethernet" admin=disable

# Quick triage: list recently modified files (possible encryption sweep)
Get-ChildItem C:\ -Recurse -EA 0 |
  ? { $_.LastWriteTime -gt (Get-Date).AddHours(-2) } |
  Select FullName,LastWriteTime | Export-Csv triage.csv

3

Eradicate

objective: remove the threat actor's access entirely

Identify & remove persistence (scheduled tasks, services, run keys, rogue accounts).
Patch the entry vector (RDP, VPN, phishing payload, unpatched CVE).
Reset ALL credentials, including domain admin and service accounts (krbtgt twice).
Rebuild — do not "clean" — compromised systems from known-good images.

4

Recover

objective: restore service safely and verify integrity

Restore from validated, offline backups only — scan before reconnecting.
Bring systems back in priority order (Appendix C) on a clean, monitored segment.
Verify data integrity & application function with system owners before go-live.
Heighten monitoring for 14 days — attackers often return.

Ransom decisionThe decision to pay is an executive + legal call only — never operational. Paying funds crime, may violate sanctions law, and recovers data only ~60% of the time. Engage counsel and your cyber-insurer before any contact with the actor.

5

Post-Incident

objective: turn a bad day into a stronger program

Hold a blameless post-mortem within 5 business days.
Produce the incident report & timeline; preserve evidence per Section 6.
Complete required breach notifications (Section 5).
Track remediation actions to closure with owners and dates.

SECTION 5

Communications & escalation

Escalation path

First responder └─▶ Incident Commander (declares incident) ├─▶ Technical Lead → containment / recovery ├─▶ Comms Lead → internal + external messaging └─▶ Executive Sponsor → ransom / business decisions └─▶ Legal & Cyber-Insurer (SEV-1 / SEV-2)

Notification clock

Audience	When	Owner
Cyber-insurance carrier	ASAP — before remediation, to preserve coverage	Legal
Affected individuals (PII)	Per jurisdiction (e.g. GDPR: 72 hrs)	Legal
Regulators / law enforcement	Per obligation; FBI/CISA voluntary	Legal + IC
Customers / public	Only via approved holding statement	Comms Lead

Holding line"We are aware of an issue affecting some systems and have activated our response plan. We'll share verified updates as we have them." — never speculate on cause, scope, or attribution publicly.

SECTION 6

Evidence handling & chain of custody

Capture volatile data (memory, network state) before isolation where safe.
Image affected disks; hash (SHA-256) every image and record the value.
Preserve the ransom note, malware sample, and all relevant logs.
Log every handler, action, and timestamp in the chain-of-custody record.

Why it mattersClean evidence handling is what makes insurance claims, legal action, and law-enforcement support actually possible. Document as if it will be read in court — because it might be.

SECTION 7

Critical "Do-NOT" rules

Read before you touch anything

Do not power off systems — isolate them (memory = evidence).
Do not reconnect backups until confirmed clean.
Do not communicate with the attacker without legal authorization.
Do not pay a ransom without executive + legal + insurer sign-off.
Do not discuss the incident on email/Teams that may be compromised.
Do not delete or "clean" — rebuild from known-good images.

APPENDICES

Quick reference

A · Emergency contacts

Incident Commander	+1 555-0100	ic@northwind.example
SteveisIT (retained IR)	+1 555-0142	hello@steveisit.com
Cyber-insurer hotline	+1 800-555-0177	claims@carrier.example
Outside counsel	+1 555-0188	breach@lawfirm.example

B · Core tooling

EDR console · backup console (offline creds in the safe) · firewall mgmt · KAPE / FTK Imager for acquisition · out-of-band Signal channel · this runbook (printed copy in the IR binder).

C · Recovery priority order

1 · Domain controllers & identity → 2 · ERP / line-of-business → 3 · File & email services → 4 · Endpoints → 5 · Non-critical systems.

Ransomware Containment & Recovery

Revision history

Purpose & Scope

Roles & responsibilities

Severity classification

Response phases

Detect & Validate

Contain

Eradicate

Recover

Post-Incident

Communications & escalation

Escalation path

Notification clock

Evidence handling & chain of custody

Critical "Do-NOT" rules

Quick reference

A · Emergency contacts

B · Core tooling

C · Recovery priority order