Ransomware Incident Response

This scenario covers the response to a ransomware detection: rapid host isolation, scope assessment across the environment, and coordinated recovery with the affected business units.

Scenario

Multiple endpoints report encryption activity within minutes of each other. The SIEM generates a high-severity alert with the affected hostnames, a file hash from the ransomware binary, and the ransom note filename as observables.

Create the case

Open Alerts and locate the alert. Click Preview, check the Similar cases tab to find any related alerts from the same wave, then select --Empty case-- from the Import alert as dropdown and click Yes, Import.

Add the tasks listed below manually from the Tasks tab.

If the SIEM generated multiple alerts from different hosts, tick their checkboxes in the Alerts list and click Merge selection into case to consolidate them into a single investigation.

Once added, the case contains the following tasks:

| Task | Group | Action |
|---|---|---|
| Identify affected hosts | Identification | Search SIEM logs for hosts showing encryption activity, unusual file rename patterns (e.g. mass extension changes), or connections to the initial C2. |
| Isolate affected hosts | Containment | Use the Run Responder action on each hostname observable to trigger automated network isolation. Prioritise hosts with active encryption processes. |
| Disable compromised accounts | Containment | Identify accounts used on affected hosts during the attack window. Suspend them using the LDAP BlockUser responder or manually via AD. |
| Analyse the ransomware binary | Verification | Run threat intelligence analyzers on the file hash observable to identify the ransomware family, known decryptors, and associated TTPs. |
| Assess backup integrity | Identification | Verify that backup systems are unaffected and that the last clean snapshot pre-dates the infection. Document the recovery point objective. |
| Notify affected teams | Communication | Inform the business units whose data or systems are affected. Escalate to management if critical infrastructure is involved. |
| Before closing the case | Enrichment | Tag all confirmed IOCs (Is IOC), map MITRE ATT&CK techniques on the TTPs tab (T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery), and attach forensic artefacts. |
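The "Identify affected hosts" and "Assess backup integrity" tasks both hinge on the same piece of data: when encryption started on each host. The script below is an added example (not part of this page or of any SIEM product) that runs a mass-extension-change detection over a constructed file-activity log, flags hosts whose rename burst exceeds a threshold inside a short window, and then picks the newest backup snapshot taken before the earliest suspicious event. The log format, the `RENAME`/`CREATE` actions, the ransom note name and the thresholds are all assumptions chosen for the example.

```python
"""Flag hosts with mass file-extension changes and pick the last clean backup snapshot.

Added example for the 'Identify affected hosts' and 'Assess backup integrity' tasks.
The log layout, field names and thresholds are assumptions, not a specific SIEM's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # Windows path handling that works on any OS

# Constructed file-activity log: "<timestamp> <host> <action> <old path> <new path>".
# WS-014 renames five files to a new extension within seconds and drops a note;
# WS-022 performs one ordinary rename; WS-031 changes extensions slowly over hours.
SAMPLE_LOG = r"""
2024-05-01T08:00:00Z WS-031 RENAME C:\data\a.csv C:\data\a.bak
2024-05-01T08:30:00Z WS-031 RENAME C:\data\b.csv C:\data\b.bak
2024-05-01T09:00:00Z WS-031 RENAME C:\data\c.csv C:\data\c.bak
2024-05-01T09:00:01Z WS-014 RENAME C:\Users\a\docs\q1.xlsx C:\Users\a\docs\q1.xlsx.lockd
2024-05-01T09:00:02Z WS-014 RENAME C:\Users\a\docs\q2.xlsx C:\Users\a\docs\q2.xlsx.lockd
2024-05-01T09:00:02Z WS-014 RENAME C:\Users\a\docs\plan.docx C:\Users\a\docs\plan.docx.lockd
2024-05-01T09:00:03Z WS-014 RENAME C:\Users\a\docs\notes.txt C:\Users\a\docs\notes.txt.lockd
2024-05-01T09:00:04Z WS-014 RENAME C:\Users\a\docs\budget.pdf C:\Users\a\docs\budget.pdf.lockd
2024-05-01T09:00:06Z WS-014 CREATE - C:\Users\a\docs\README_RESTORE.txt
2024-05-01T09:05:00Z WS-022 RENAME C:\proj\draft.docx C:\proj\final.docx
2024-05-01T09:30:00Z WS-031 RENAME C:\data\d.csv C:\data\d.bak
2024-05-01T10:00:00Z WS-031 RENAME C:\data\e.csv C:\data\e.bak
"""

# Constructed backup schedule: one snapshot falls inside the encryption window.
SNAPSHOTS = [
    datetime(2024, 4, 30, 22, 0),
    datetime(2024, 5, 1, 6, 0),
    datetime(2024, 5, 1, 10, 0),
]


def parse_log(text):
    """Split each log line into a dict; paths are assumed to contain no spaces."""
    events = []
    for line in text.strip().splitlines():
        ts, host, action, old, new = line.split(maxsplit=4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "action": action, "old": old, "new": new})
    return events


def ext_changed(old, new):
    """True when a rename changed the file extension (e.g. .xlsx -> .lockd)."""
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def find_encrypting_hosts(events, threshold=5, window=timedelta(seconds=60),
                          ransom_note="README_RESTORE.txt"):
    """Return {host: finding} for hosts with >= threshold extension-changing renames
    inside any sliding `window`, or that created the ransom note file."""
    renames, notes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and ext_changed(e["old"], e["new"]):
            renames[e["host"]].append(e["ts"])
        elif e["action"] == "CREATE" and ntpath.basename(e["new"]).lower() == ransom_note.lower():
            notes[e["host"]].append(e["ts"])

    findings = {}
    for host, times in renames.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # slide the window's left edge forward
                left += 1
            if right - left + 1 >= threshold:
                findings[host] = {"first_seen": min([times[0]] + notes.get(host, [])),
                                  "burst": right - left + 1,
                                  "ransom_note": host in notes}
                break
    # A ransom note on its own is enough to flag a host, even without a rename burst.
    for host, ts in notes.items():
        findings.setdefault(host, {"first_seen": min(ts), "burst": 0, "ransom_note": True})
    return findings


def last_clean_snapshot(snapshots, findings):
    """Newest snapshot strictly before the earliest suspicious event on any flagged host."""
    if not findings:
        return None
    infection_start = min(f["first_seen"] for f in findings.values())
    clean = [s for s in snapshots if s < infection_start]
    return max(clean) if clean else None


if __name__ == "__main__":
    found = find_encrypting_hosts(parse_log(SAMPLE_LOG))
    for host, f in found.items():
        print(f"{host}: first seen {f['first_seen']:%H:%M:%S}, burst={f['burst']}, note={f['ransom_note']}")
    print("last clean snapshot:", last_clean_snapshot(SNAPSHOTS, found))
```

WS-031 changes as many extensions as WS-014 but over two hours, so the sliding window keeps it out of the findings; a plain per-host count would have flagged it. The snapshot chosen is the 06:00 one, because the 10:00 snapshot post-dates the first rename on WS-014 and may already contain encrypted files.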

Add observables and run analyzers

Open the Observables tab and click Add Observable. Add all affected hostnames (type hostname or ip), the ransomware binary hash (type hash), any C2 addresses extracted from the binary (type ip or domain), and the ransom note filename (type filename).

Select the hash observable, click Run Analyzers, and run the threat intelligence analyzers. Check the analyzer report for:

  • Known ransomware family (e.g. LockBit, BlackCat, Cl0p).

  • Availability of a public decryptor.

  • C2 infrastructure associated with the family.

Run the same analyzers on any C2 IP or domain observables.

Scope assessment

After initial isolation, use the Search page to find cases or observables in other organisations (in MSSP mode) that share the same C2 infrastructure. Run the Correlate Alerts workflow to surface related cases automatically.

If the ransomware reached file servers or shares, add the affected network paths as other-type observables so they appear in the timeline and can be tracked.
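The "Add observables" step and the note above about file-server paths both come down to sorting raw indicators into the right observable type before they go into the case. The following is an added example (not code from this page or from the case-management product it describes) that refangs indicators pasted from an alert, classifies each one as hash, ip, hostname, domain, filename or other, and drops duplicates. The record field names `dataType` and `data`, the regexes and the extension list are assumptions made for the example, not a platform API.

```python
"""Normalise raw indicators from an alert into typed observable records.

Added example for the 'Add observables' and 'Scope assessment' steps. The type labels
mirror the wording on this page; the record layout and heuristics are assumptions.
"""
import ipaddress
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
# Hostname: a single DNS label. Domain: two or more labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Extensions commonly seen on ransom notes and droppers (assumed list; extend as needed).
FILE_EXTENSIONS = {"txt", "hta", "html", "htm", "exe", "dll", "ps1", "vbs", "js", "bat"}

# Constructed sample of what an analyst might paste from the alert (placeholder values).
SAMPLE_ALERT_OBSERVABLES = [
    "WS-014",
    "WS-022",
    "10.20.30.40",
    "0123456789abcdef" * 4,            # placeholder SHA-256, not a real sample hash
    "update[.]cdn-example[.]net",      # defanged C2 domain
    "UPDATE.cdn-example.net",          # same domain, different case: must dedupe
    "README_RESTORE.txt",
    r"\\FS01\finance",                 # affected share, tracked as other-type
]


def refang(value):
    """Undo the defanging analysts apply when sharing indicators."""
    return value.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def classify(value):
    """Map one indicator to a data type: hash, ip, filename, domain, hostname or other."""
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "\\" in value or "/" in value:
        return "other"  # UNC or file-system paths go in as other-type observables
    if "." in value and value.rsplit(".", 1)[1].lower() in FILE_EXTENSIONS:
        return "filename"  # checked before domain so 'note.txt' is not read as a domain
    if DOMAIN_RE.match(value):
        return "domain"
    if HOSTNAME_RE.match(value):
        return "hostname"
    return "other"


def build_observables(raw_values):
    """Refang, classify, lower-case hashes and domains, and drop duplicates."""
    records, seen = [], set()
    for raw in raw_values:
        value = refang(raw)
        if not value:
            continue
        dtype = classify(value)
        if dtype in ("hash", "domain"):
            value = value.lower()
        key = (dtype, value.casefold())
        if key in seen:
            continue
        seen.add(key)
        records.append({"dataType": dtype, "data": value})
    return records


if __name__ == "__main__":
    for rec in build_observables(SAMPLE_ALERT_OBSERVABLES):
        print(f"{rec['dataType']:<9} {rec['data']}")
```

Ordering matters in `classify`: a hash is checked before an IP so that an all-digit value cannot be misread, paths are diverted to `other` before any name matching, and the filename check precedes the domain check because `README_RESTORE.txt` would otherwise look like a two-label name. Anything the heuristics cannot place lands in `other` rather than being silently dropped, so the analyst still sees it on the Observables tab.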

TTPs

Map the attack to MITRE ATT&CK from the TTPs tab. Common techniques for ransomware:

  • T1566 Phishing — initial access via malicious attachment or link.

  • T1059 Command and Scripting Interpreter — dropper execution.

  • T1486 Data Encrypted for Impact — ransomware payload.

  • T1490 Inhibit System Recovery — deletion of shadow copies.

  • T1567 Exfiltration Over Web Service — data theft before encryption.

Close the case

After all tasks are complete, click Close case. Select True Positive. Set Impact to Yes if data was encrypted or exfiltrated, or if systems were unavailable for more than one hour. Enter a Summary describing the ransomware family, affected scope, containment actions taken, and recovery status, then click Close case to confirm.