Incident Response

Ransomware Response: A Practical Playbook for Security Teams

James Thompson
Expert Contributor
Dec 10, 2025

The First 15 Minutes Are Critical

You receive an alert. Files are being encrypted across multiple systems. Users are calling the help desk in a panic. This is the moment where cool heads and clear procedures separate a contained incident from a company-wide disaster.

Your first instinct might be to start investigating what happened. Resist this urge. Your immediate priority is containment, not investigation. Every minute you spend analyzing is another minute the ransomware has to spread and encrypt more systems.

Immediate Containment Actions

Start by isolating affected systems from the network. Do not shut them down yet - you might need them for forensics. Disconnect network cables or disable network adapters. If you have network segmentation in place, use it to isolate the affected segment.

Identify and protect your backups immediately. Many modern ransomware variants specifically target backup systems. Take backup servers offline or make them read-only if possible. If your backups are already compromised, knowing this early changes your response strategy.

Disable or closely monitor any service accounts and administrator credentials that were active on affected systems. Ransomware often steals credentials to spread further. Force password resets for any accounts that might have been compromised.

Assessment and Decision Making

Once containment is underway, you need to assess the scope and impact. How many systems are affected? What data has been encrypted? Are backups intact? This assessment drives every decision that follows.

You will face pressure to restore operations as quickly as possible. Business stakeholders will want to know when systems will be back online. This pressure is understandable, but rushing the response usually makes things worse.

Document everything you do and observe. You will need this information for insurance claims, law enforcement, and post-incident analysis.
Establish a communication plan. Who needs to know what, and when? Consider legal, regulatory, insurance, and customer notification requirements.
Preserve evidence. Even as you work to restore operations, maintain forensic integrity where possible. You may need this evidence later.

The Payment Question

Should you pay the ransom? This is often the most contentious question. There is no universal answer, but there are important factors to consider.

Paying does not guarantee you will get your data back. Some ransomware variants have buggy decryption tools. Some attackers simply take the money and disappear. Even when decryption works, it is often slower than restoring from backups.

Payment encourages future attacks, both against you and others. You are funding criminal operations that will use that money to develop more sophisticated attacks. In some jurisdictions, paying ransoms may violate sanctions laws.

That said, some organizations find themselves in impossible positions where paying is the least bad option. If you do consider payment, involve legal counsel and law enforcement from the start. Document your reasoning and ensure you are not violating any laws.

Recovery and Prevention

Recovery is not just about restoring files. Before bringing systems back online, you need to ensure the initial infection vector has been closed. Otherwise, you risk getting hit again immediately.

Review your security controls and identify what failed. Was it a phishing email? An unpatched vulnerability? Weak passwords? Inadequate network segmentation? Use this incident to justify the security improvements you have been requesting.

Test your backups regularly. The worst time to discover your backups do not work is during a ransomware incident. Regular restore tests should be part of your standard procedures, not something you only do after an incident.
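As an added example (not part of the article), here is one way to make a restore test repeatable: record a hash manifest when the backup is taken, keep it off the backup host, then restore the archive into scratch space and compare every file against that manifest. The same check answers the "are backups intact?" question during containment, since an archive that no longer opens or whose files no longer match has been altered. The sample files, paths and function names are constructed for the example.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample backup set; a real run would read these from disk.
SAMPLE_FILES = {"finance/ledger.csv": b"acct,amount\n1001,250.00\n",
                "hr/roster.txt": b"alice\nbob\n"}

def build_backup(files: dict, archive: Path) -> dict:
    """Write a gzipped tar and return {path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest  # store this separately from the backup itself

def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore into scratch space and compare every file with the manifest."""
    result = {"restored": 0, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    dest = (root / member.name).resolve()
                    # Restore only regular files that stay inside the scratch directory.
                    if not member.isfile() or root not in dest.parents:
                        raise tarfile.TarError(f"unsafe member: {member.name}")
                    tar.extract(member, str(root))
        except (tarfile.TarError, OSError) as exc:
            # An archive that will not open is as bad as a missing one.
            result.update(error=str(exc), missing=sorted(manifest), ok=False)
            return result
        for name, expected in manifest.items():
            path = root / name
            if not path.is_file():
                result["missing"].append(name)
            elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
                result["corrupt"].append(name)
            else:
                result["restored"] += 1
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "nightly.tgz"
        print(restore_test(archive, build_backup(SAMPLE_FILES, archive)))
```

Run it on a schedule against the most recent backup and alert on any result where "ok" is false; a non-empty "corrupt" list on a backup that previously passed is an early sign that the backup store itself has been touched.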
