
Ransomware response playbook — our IR plan template

MDR_Analyst_Chris 10/12/2025

Sharing our ransomware IR playbook structure (sanitized). Adapt it to your org:

Phase 1: Detection & Containment (0-4 hours)

  • Confirm ransomware (not false positive)
  • Isolate affected systems (network disconnect, not shutdown)
  • Preserve evidence (don't reboot — memory forensics)
  • Activate IR team and communication plan

Phase 2: Eradication (4-48 hours)

  • Identify patient zero and attack vector
  • Scan for persistence mechanisms
  • Reset all compromised credentials
  • Verify backups are clean and not encrypted

Phase 3: Recovery (48 hours - 2 weeks)

  • Restore from clean backups (offline/immutable preferred)
  • Rebuild if backups unavailable
  • Staged reconnection with monitoring
  • Validate business operations

Phase 4: Post-Incident (2-4 weeks)

  • Incident report with timeline
  • Lessons learned meeting
  • Update detection rules
  • Review and improve this playbook

Key decision: NEVER pay ransom without consulting legal, insurance, and law enforcement.

AppSec_Jordan 10/13/2025

Excellent template. I'd add to Phase 1: check your backup infrastructure immediately. Advanced ransomware groups target backup servers first. If your Veeam/Datto server is compromised, your recovery plan is dead.

SCADA_Guru_Ivan 10/13/2025

Communication plan is critical and often forgotten. Who contacts the CEO? Who talks to clients? Who handles media? Pre-assign these roles. During a real incident, panic makes people forget.

Forensics_Dana 10/15/2025

For the "don't reboot" advice — this is crucial. We had a client panic-reboot 15 servers during a ransomware incident. Lost all memory artifacts and the ransomware re-encrypted on startup because the persistence was in a startup script.

ZeroTrust_Hannah 10/16/2025

Insurance notification is time-sensitive. Most policies require notification within 24-72 hours. Missing that window can void coverage. Add it to Phase 1.

Proxy_Admin_Nate 10/16/2025

We built AlertMonitor automation for Phase 1 containment. When our EDR flags ransomware behavior, AlertMonitor automatically isolates the endpoint and creates an incident with full context. Saves critical minutes.
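A constructed sketch of the Phase 1 "confirm, then isolate, then open an incident with context" flow that the playbook and Nate's automation describe. This is added example code, not AlertMonitor or any vendor's EDR code; `isolate_host`, `create_incident`, the indicator names and the weights are all assumptions chosen for illustration.

```python
"""Phase 1 containment triage (constructed example, not AlertMonitor code).

Assumptions: EDR alerts arrive as dicts with 'host' and 'indicators';
isolate_host() and create_incident() are hypothetical stand-ins for an EDR /
ticketing API. Containment means network isolation, never shutdown, so that
memory artifacts survive for forensics (the playbook's "don't reboot" rule)."""
from datetime import datetime, timezone

# Behaviours that together indicate ransomware rather than one noisy event.
# Weights and threshold are illustrative values chosen for this example.
INDICATOR_WEIGHTS = {
    "mass_rename": 3,         # many files renamed to a new extension quickly
    "shadow_copy_delete": 3,  # volume shadow copies removed
    "ransom_note_written": 4,
    "backup_service_stopped": 2,
    "high_entropy_writes": 2,
}
CONFIRM_THRESHOLD = 5  # a score at or above this is treated as confirmed

ACTIONS = []  # audit trail of what the automation did (stands in for API calls)

def isolate_host(host):
    """Hypothetical EDR call: cut the network, keep the machine powered on."""
    ACTIONS.append(("isolate", host))

def create_incident(alert, score, matched):
    """Hypothetical ticketing call: open an incident carrying full context."""
    incident = {
        "host": alert["host"],
        "score": score,
        "indicators": matched,
        "opened_at": datetime.now(timezone.utc).isoformat(),
        "evidence_note": "Do not reboot: memory capture pending",
        "next_steps": ["notify IR lead", "check backup servers",
                       "notify insurer within policy window (24-72h)"],
    }
    ACTIONS.append(("incident", incident))
    return incident

def score_alert(alert):
    """Return (score, matched indicators) for one EDR alert."""
    matched = [i for i in alert.get("indicators", []) if i in INDICATOR_WEIGHTS]
    return sum(INDICATOR_WEIGHTS[i] for i in matched), matched

def triage(alert):
    """Confirm first, then contain. Returns the incident, or None for a likely false positive."""
    score, matched = score_alert(alert)
    if score < CONFIRM_THRESHOLD:
        return None  # single weak signal: leave for an analyst, do not auto-isolate
    isolate_host(alert["host"])
    return create_incident(alert, score, matched)

# Constructed sample alerts for a run-through
TRUE_POSITIVE = {"host": "fs01", "indicators": ["mass_rename", "shadow_copy_delete", "ransom_note_written"]}
FALSE_POSITIVE = {"host": "dev07", "indicators": ["mass_rename"]}  # e.g. a bulk file migration
```

The threshold keeps a lone mass-rename (a migration or build job) from triggering isolation, while the combination of renames, shadow-copy deletion and a ransom note does.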

Thread Stats

Created 10/12/2025
Last Active 10/16/2025
Replies 5
Views 2,424