Ransomware incidents are the highest pressure situations a SOC team faces. The decisions made in the first 30 minutes determine whether the organisation recovers in days or weeks. This checklist covers the complete response lifecycle from initial detection through recovery, built from real ransomware IR at major Canadian financial institutions.

Critical

The single most important rule in ransomware response: contain before you investigate. Every minute the attacker has access is more encrypted files. Isolate first. Investigate second. This is not how most IR processes work and it is the most common mistake teams make.

Pre-Incident: What to Have Ready Before It Fires

Ransomware response is significantly faster when the following are in place before an incident occurs. If you are doing this during an active incident some of these may already be too late.

0
Preparation Checklist

Phase 1: Detection and Initial Assessment

1
Detection and Triage
0 — 15 minutes

Detection query — Mass file modification (Microsoft Sentinel KQL)

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName matches regex @"\.(locked|encrypted|enc|crypt|cry|ryuk|conti|lck)$"
    or FileName matches regex @"HOW_TO_DECRYPT|RANSOM_NOTE|README_FOR_DECRYPT"
| summarize
    FileCount = count(),
    FileTypes = make_set(FileName),
    FolderCount = dcount(FolderPath)
    by DeviceName, AccountName, bin(Timestamp, 5m)
| where FileCount > 20
| order by FileCount desc

Phase 2: Containment

Contain Before Investigating

Isolate affected systems immediately. The investigation can wait. Every second of delay means more files encrypted and more potential lateral movement to clean systems.

2
Containment Actions
15 — 45 minutes

Phase 3: Patient Zero Investigation

3
Root Cause Analysis
45 minutes — 4 hours

Phase 4: Executive and Legal Communication

4
Communication
First 2 hours and ongoing

Executive brief template

STATUS: Active ransomware incident confirmed as of [TIME]
SCOPE: [X] systems affected, [encryption complete / in progress]
CONTAINMENT: [Affected systems isolated / In progress]
BUSINESS IMPACT: [Critical systems affected / Not affected]
DATA EXFIL: [Confirmed / Under investigation / Not confirmed]
RECOVERY ESTIMATE: [X hours / days] pending full investigation
NEXT UPDATE: [TIME] or immediately if situation changes

Phase 5: Eradication and Recovery

5
Eradication and Recovery
Post-containment

Post-Incident Review Checklist

6
Post-Incident Review
Within 2 weeks of resolution
Intelligence Pack
Get the complete Ransomware IR Runbook

The full ransomware runbook with detection queries, communication scripts, and evidence checklists is available in the IR Runbook Bundle. Or join the Intelligence Pack for weekly detection rules, incident case studies, and monthly Office Hours with direct access to a 10-year SOC veteran.

Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49

Cancel anytime. 30-day money back guarantee.