🚨 Ransomware Response Playbook

Критический инцидент - действуйте быстро и методично

⏱️ Critical Timeline - First 24 Hours

T+0 to T+15 minutes

Confirm ransomware infection (не false positive)
Activate Incident Response Team
Begin isolation procedures
Document initial observations
Notify SOC Manager and CISO

T+15 to T+60 minutes

Isolate affected systems from network
Disconnect backup systems
Identify patient zero
Assess scope of encryption
Preserve evidence (memory dumps, logs)
Contact external IR team if needed

T+1 to T+4 hours

Complete network segmentation
Identify ransomware variant
Check for data exfiltration evidence
Assess backup integrity
Notify legal and compliance teams
Prepare initial executive briefing

T+4 to T+8 hours

Complete impact assessment
Evaluate recovery options
Contact law enforcement (FBI/Local)
Notify insurance carrier
Begin recovery planning
Coordinate with PR team

T+8 to T+24 hours

Execute recovery decision
Begin restoration process
Monitor for re-infection
Update stakeholders
Document lessons learned
Plan for business continuity

🌳 Decision Tree

Are backups available and unencrypted?

YES ✓

• Verify backup integrity
• Plan restoration timeline
• Do NOT pay ransom
• Begin systematic recovery

NO ✗

• Assess business impact
• Consider negotiation options
• Consult with legal/insurance
• Evaluate data criticality

Is data exfiltration confirmed?

YES ✓

• Activate breach protocol
• Assess regulatory requirements
• Prepare notifications
• Consider double extortion

NO ✗

• Continue monitoring
• Check exfiltration indicators
• Analyze network logs
• Maintain evidence chain

📢 Communication Plan

👔 Executive Leadership

Initial: T+30 minutes

High-level impact, response status

Updates: Every 2 hours

Progress, decisions needed, recovery ETA

⚖️ Legal & Compliance

Initial: T+1 hour

Incident details, potential data exposure

Ongoing: As needed

Regulatory requirements, notification timelines

👮 Law Enforcement

Initial: T+4 hours

File report, share IOCs

Follow-up: Daily

Investigation support, evidence sharing

🏢 Insurance

Initial: T+4 hours

Claim notification, coverage confirmation

Ongoing: Per policy

Documentation, approved vendors

👥 Employees

Initial: T+6 hours

Awareness, instructions, support info

Updates: Daily

Status updates, return to normal ops

🌐 Public/Media

If needed: T+24 hours

Prepared statement, key messages

Ongoing: As required

Updates through official channels

🔄 Recovery Procedures

Containment & Eradication

Isolate all infected systems
Identify and remove ransomware artifacts
Reset all credentials (domain admin first)
Patch exploited vulnerabilities
Remove persistence mechanisms
Validate clean systems before reconnection

Recovery Planning

Prioritize critical systems for recovery
Validate backup integrity and age
Plan recovery sequence
Allocate recovery resources
Establish success criteria
Create rollback procedures

Restoration

Restore from clean backups
Rebuild systems from known good images
Apply all security patches
Restore data in isolated environment first
Validate functionality before production
Monitor for re-infection indicators

Post-Recovery

Enhanced monitoring for 30 days
Threat hunt for missed artifacts
Update security controls
Conduct lessons learned
Update incident response plans
Employee security awareness training

💰 Negotiation Considerations

✓ DO

Consult with legal counsel first
Verify decryption capability with proof
Use experienced negotiators
Document all communications
Consider cyber insurance coverage
Evaluate total business impact
Maintain operational security

✗ DON'T

Pay without executive/legal approval
Trust threat actors completely
Negotiate without experience
Violate sanctions regulations
Delete any communications
Rush the decision
Forget about data exfiltration

🛠️ Tools & Resources

🔍

ID Ransomware

Identify ransomware variant from ransom note or encrypted files

🔓

No More Ransom

Free decryption tools for various ransomware families

💾

KAPE

Forensic artifact collection tool

🛡️

RansomWhere

Monitor for ransomware IoCs

📊

Volatility

Memory forensics framework

🔐

YARA Rules

Pattern matching for malware identification