IR-006 · ransomware · v1.0.0

Ransomware Initial Response and Containment

⚠️ Severity: critical
Est. Time: 15m
📋 Steps: 10 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 240m

🔧 Tools Required

- EDR
- SIEM
- network firewall
- backup system
- incident response platform

⚡ Triggers

- edr_ransomware_detection
- honeypot_file_modified
- mass_file_rename_alert
- shadow_copy_deletion_alert
- siem_ransomware_ioc_match
- user_reported_ransom_note

🔌 Integrations

- crowdstrike falcon (required): Ransomware detection, host isolation, and lateral movement visibility
- palo alto cortex xdr (optional): Alternative XDR with ransomware-specific behavioral detection
- veeam (required): Backup and recovery; critical for the restoration decision
- splunk (required): Enterprise-wide log correlation during an active incident
- servicenow (optional): Major incident management and executive communication


This is a P0 critical incident. Immediately wake up the full incident response team. Notify CISO, CTO, and legal counsel NOW — do not wait for full analysis. Activate the IR retainer if one exists (CrowdStrike Services, Mandiant, etc.). Open a bridge call. Time is critical: every minute of delay allows further encryption and lateral movement. Do not attempt analysis on the affected host — isolate first, analyze later.

📤 Outputs

- ir_team_assembled
- bridge_call_open
- ciso_notified
- retainer_activated