Ransomware incidents are the highest pressure situations a SOC team faces. The decisions made in the first 30 minutes determine whether the organisation recovers in days or weeks. This checklist covers the complete response lifecycle from initial detection through recovery, built from real ransomware IR at major Canadian financial institutions.
The single most important rule in ransomware response: contain before you investigate. Every minute the attacker has access is more encrypted files. Isolate first. Investigate second. This is not how most IR processes work and it is the most common mistake teams make.
Pre-Incident: What to Have Ready Before It Fires
Ransomware response is significantly faster when the following are in place before an incident occurs. If you are doing this during an active incident some of these may already be too late.
- Offline backup verified and tested within the last 30 days
- Network segmentation documented with isolation procedures for each segment
- Out-of-band communication channel established (personal phones, Signal group)
- Executive communication templates pre-written and approved
- Legal and PR contacts identified and accessible without corporate email
- EDR network isolation procedure documented and tested
- Shadow copy and VSS backup status verified on all critical systems
Phase 1: Detection and Initial Assessment
- Confirm the alert is ransomware and not a false positive. Look for ransom note files, encrypted file extensions, or mass file modification events
- Identify the affected host or hosts. Check for similar alerts across the environment in the past 72 hours
- Determine the ransomware family if possible. Check ransom note naming conventions against known families
- Assess whether encryption is still in progress or has completed
- Identify any network shares that may be affected beyond the initial host
- Escalate to IR lead and management immediately. Do not wait for full investigation
- Activate out-of-band communication channel
Detection query — Mass file modification (Microsoft Sentinel KQL)
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName matches regex @"\.(locked|encrypted|enc|crypt|cry|ryuk|conti|lck)$"
or FileName matches regex @"HOW_TO_DECRYPT|RANSOM_NOTE|README_FOR_DECRYPT"
| summarize
FileCount = count(),
FileTypes = make_set(FileName),
FolderCount = dcount(FolderPath)
by DeviceName, AccountName, bin(Timestamp, 5m)
| where FileCount > 20
| order by FileCount desc
Phase 2: Containment
Isolate affected systems immediately. The investigation can wait. Every second of delay means more files encrypted and more potential lateral movement to clean systems.
- Isolate affected endpoints via EDR network isolation. Do not simply unplug from network as this may trigger kill switches in some ransomware families
- Disable affected user accounts in Active Directory and revoke Entra ID sessions
- Identify and isolate any shared network drives that were mounted on affected systems
- Block external communication from affected network segments at the firewall
- Preserve volatile memory before isolation where possible. Memory contains encryption keys in some cases
- Take forensic snapshots of affected systems before any remediation
- Verify backup systems are isolated and not affected
- Check shadow copies and VSS snapshots are intact on unaffected systems
Phase 3: Patient Zero Investigation
- Identify patient zero — the first system encrypted and the initial access vector
- Review email logs for phishing delivery to affected accounts in the 7 days prior
- Check RDP access logs. External RDP is the most common ransomware initial access vector
- Review VPN and remote access logs for unusual login times or geolocation anomalies
- Pull full process execution history from EDR on patient zero going back 14 days
- Identify the dwell time. Most ransomware operators are in the environment for 11 to 30 days before encrypting
- Check for data exfiltration prior to encryption. Most modern ransomware groups exfiltrate before encrypting for double extortion
- Document the complete attack timeline from initial access to encryption
Phase 4: Executive and Legal Communication
- Brief executive team using out-of-band channel with: scope confirmed, containment status, estimated recovery timeline, and next update time
- Engage legal counsel before any ransom negotiation or communication with threat actors
- Assess regulatory notification requirements. Financial institutions typically have 72-hour notification windows
- Do not communicate incident details via corporate email which may be compromised
- Prepare holding statement for internal staff to prevent rumour spread
- Engage cyber insurance carrier if applicable
Executive brief template
STATUS: Active ransomware incident confirmed as of [TIME]
SCOPE: [X] systems affected, [encryption complete / in progress]
CONTAINMENT: [Affected systems isolated / In progress]
BUSINESS IMPACT: [Critical systems affected / Not affected]
DATA EXFIL: [Confirmed / Under investigation / Not confirmed]
RECOVERY ESTIMATE: [X hours / days] pending full investigation
NEXT UPDATE: [TIME] or immediately if situation changes
Phase 5: Eradication and Recovery
- Rebuild affected systems from clean images. Do not restore to pre-encryption state without full investigation
- Rotate all credentials for accounts that touched affected systems
- Patch the initial access vulnerability before reconnecting to the network
- Restore from offline backup after confirming backup integrity and that backup was created before compromise
- Test restored systems in isolation before reconnecting to production network
- Verify no attacker persistence mechanisms remain on clean systems
- Monitor rebuilt systems closely for 30 days post-recovery
Post-Incident Review Checklist
- Document complete attack timeline from initial access to detection to containment to recovery
- Identify detection gaps. What should have fired and did not
- Calculate dwell time and identify why the attacker was present for that long undetected
- Identify process failures. Where did the response break down
- Update detection rules to catch the initial access pattern that was used
- Test and update backup and recovery procedures based on lessons learned
- Brief executive team on lessons learned and remediation investments required
The full ransomware runbook with detection queries, communication scripts, and evidence checklists is available in the IR Runbook Bundle. Or join the Intelligence Pack for weekly detection rules, incident case studies, and monthly Office Hours with direct access to a 10-year SOC veteran.
Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49Cancel anytime. 30-day money back guarantee.