Ransomware Investigation & Response Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access

---

Overview & Scope

This runbook provides standardised procedures for investigating and responding to ransomware attacks across the hybrid enterprise environment. Ransomware incidents require rapid, coordinated response to minimise damage, preserve evidence, and enable recovery. Time is critical—every minute of delay can result in additional encrypted systems and data loss.

What is Ransomware?

Ransomware is malicious software that encrypts files and systems, rendering them inaccessible until a ransom is paid. Modern ransomware operations (often called "Big Game Hunting") typically involve:

• Data exfiltration before encryption (double extortion)

• Threat to publish stolen data if ransom not paid

• Targeting of backups to prevent recovery

• Domain-wide encryption via compromised credentials

• Ransomware-as-a-Service (RaaS) affiliate models

Key Statistics:

• Average downtime: 21+ days

• Average ransom demand: $200,000 - $5,000,000+

• Recovery costs often exceed ransom amount

• 80% of victims who pay are attacked again

• Data exfiltration occurs in 70%+ of cases

Environment Architecture

Component	Role in Ransomware Response
Microsoft Defender for Endpoint (MDE)	Ransomware detection, device isolation, live response
Microsoft Defender for Identity (MDI)	Lateral movement detection, credential compromise
Microsoft Sentinel	Correlation, automated response, hunting
Active Directory	Credential reset, KRBTGT rotation, GPO recovery
Microsoft Entra ID	Cloud identity protection, session revocation
Backup Systems	Recovery source validation, integrity verification
Palo Alto Prisma Access	Network isolation, C2 blocking

Ransomware Attack Lifecycle

1. Initial Access (Days to Weeks Before)
   ├── Phishing email with malicious attachment/link
   ├── Exploitation of public-facing application
   ├── Compromised credentials (RDP, VPN)
   └── Supply chain compromise

2. Execution & Persistence
   ├── Malware deployment
   ├── Backdoor installation
   └── Scheduled tasks/services created

3. Credential Access
   ├── Mimikatz/credential dumping
   ├── Kerberoasting
   └── DCSync attack

4. Discovery & Lateral Movement
   ├── Network enumeration
   ├── Active Directory reconnaissance
   ├── Move to high-value targets
   └── Compromise Domain Controllers

5. Collection & Exfiltration (Double Extortion)
   ├── Identify sensitive data
   ├── Stage for exfiltration
   └── Exfiltrate to attacker infrastructure

6. Impact - Ransomware Deployment
   ├── Disable security tools
   ├── Delete shadow copies/backups
   ├── Deploy ransomware domain-wide
   └── Encrypt files and systems

Ransomware Families Reference

Prevalent Ransomware Groups (2024-2025)

Group/Ransomware	Characteristics	TTPs
LockBit 3.0	RaaS, fast encryption, data leak site	GPO deployment, PsExec
BlackCat/ALPHV	Rust-based, cross-platform, triple extortion	Cobalt Strike, ExMatter
Cl0p	Targets file transfer appliances (MOVEit, GoAnywhere)	Zero-day exploitation
Royal/BlackSuit	Rebranded Conti members, partial encryption	Callback phishing, BatLoader
Play	Intermittent encryption, no RaaS	AdFind, SystemBC
Akira	Targets VPNs, Linux/VMware variants	Cisco VPN exploitation
Black Basta	Conti successor, QakBot delivery	QakBot, Cobalt Strike
Rhysida	Healthcare/education targeting	Phishing, Cobalt Strike
Medusa	Data leak blog, negotiation portal	RDP brute force
8Base	SMB targeting, Phobos variant	Phishing, SmokeLoader

Ransomware File Extensions

Extension	Ransomware Family
.lockbit, .lockbit3	LockBit
.alphv, .ALPHV	BlackCat
.clop, .Cl0p	Cl0p
.royal	Royal
.play	Play
.akira	Akira
.basta	Black Basta
.rhysida	Rhysida
.medusa	Medusa
.8base	8Base

---

Detection Sources & Indicators

Log Sources Matrix

Platform	Log Table	Ransomware Detection Data
Defender for Endpoint	DeviceAlertEvents	Ransomware behavior alerts
Defender for Endpoint	DeviceFileEvents	Mass file modifications
Defender for Endpoint	DeviceProcessEvents	Encryption processes, deletion tools
Defender for Endpoint	DeviceEvents	Shadow copy deletion, service tampering
Defender for Identity	IdentityLogonEvents	Mass lateral movement
Defender for Identity	IdentityDirectoryEvents	DCSync, credential access
Sentinel	SecurityAlert	Correlated ransomware alerts
Windows Events	SecurityEvent	Logon events, service installation
Windows Events	Event (System)	Service creation, VSS events
Prisma Access	PaloAltoPrismaAccess	C2 communication, exfiltration

Pre-Encryption Indicators (Warning Signs)

Days/Weeks Before Encryption

Indicator	Description	Detection Source
Cobalt Strike beacons	C2 framework activity	MDE alerts, network
Mimikatz execution	Credential dumping	MDE process events
DCSync attacks	Domain replication from non-DC	MDI alerts, Event 4662
Mass reconnaissance	AdFind, BloodHound, network scans	MDE process events
Lateral movement spikes	RDP, SMB, WinRM to many systems	MDI, MDE logon events
New admin accounts	Unauthorized privileged accounts	AD audit logs
Disabled security tools	AV/EDR tampering	MDE health alerts
Backup access/deletion	Targeting backup systems	Backup system logs

Hours Before Encryption

Indicator	Description	Detection Source
Shadow copy deletion	vssadmin, wmic commands	MDE process events
GPO creation/modification	Ransomware deployment prep	AD audit logs
PsExec deployment	Mass tool deployment	MDE, Event 7045
Security tool uninstall	Removing defenses	MDE events
bcdedit modifications	Disabling recovery options	MDE process events
Service account usage spike	Automation of deployment	Logon events
Scheduled tasks creation	Timed ransomware execution	Event 4698

Active Encryption Indicators

Indicator	Description	Detection Source
Mass file modifications	Thousands of files changed/renamed	MDE DeviceFileEvents
Ransom note creation	README, DECRYPT, RECOVER files	MDE DeviceFileEvents
Known ransomware processes	Identified encryption binaries	MDE alerts
High CPU/disk usage	Encryption activity	Performance monitoring
File extension changes	Mass extension modifications	MDE DeviceFileEvents
User complaints	Unable to access files	Service desk
Application failures	Systems becoming unavailable	Monitoring systems

Critical Detection Rules

MDE Alert Categories for Ransomware

Alert Category	Severity	Action
Ransomware	High/Critical	Immediate response
Suspicious credential access	High	Investigate immediately
Tampering with security	High	Investigate immediately
Suspicious process activity	Medium-High	Investigate within 1 hour
Lateral movement	Medium-High	Investigate within 1 hour
Data exfiltration	High	Investigate immediately

---

Investigation Workflows

Ransomware Incident Response Phases

┌─────────────────────────────────────────────────────────────────────┐
│                    RANSOMWARE RESPONSE PHASES                       │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 1: DETECTION & INITIAL RESPONSE (0-15 minutes)               │
│  → Validate alert, assess scope, activate IR team                   │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 2: CONTAINMENT (15-60 minutes)                               │
│  → Isolate systems, block C2, preserve evidence                     │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 3: INVESTIGATION (Ongoing)                                   │
│  → Determine scope, identify patient zero, map impact               │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 4: ERADICATION (After containment)                           │
│  → Remove malware, reset credentials, validate clean                │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 5: RECOVERY (After eradication)                              │
│  → Restore from backup, rebuild systems, validate integrity         │
├─────────────────────────────────────────────────────────────────────┤
│  Phase 6: POST-INCIDENT (After recovery)                            │
│  → Lessons learned, hardening, documentation                        │
└─────────────────────────────────────────────────────────────────────┘

---

Phase 1: Detection & Initial Response

Timeline: 0-15 minutes Objective: Validate the ransomware incident and mobilise response.

Step 1.1: Alert Validation

1. Confirm alert is ransomware (not false positive)

2. Identify alerting source and detection logic

3. Determine affected system(s) from initial alert

4. Check for ransomware indicators:

   • Known ransomware file extensions

   • Ransom notes present

   • Mass file modification alerts

   • Shadow copy deletion

Step 1.2: Initial Scope Assessment

1. Query for related alerts in last 24-72 hours

2. Identify potentially related systems

3. Check for Domain Controller involvement

4. Assess criticality of affected systems

5. Determine if encryption is active or complete

Step 1.3: Incident Declaration

Condition	Declaration
Single workstation, contained	Security Incident - Medium
Multiple workstations affected	Security Incident - High
Server infrastructure affected	Major Incident
Domain Controllers affected	Critical Incident / Disaster
Active encryption spreading	Critical Incident / Disaster

Step 1.4: Activate Incident Response

1. Notify IR Team Lead immediately

2. Establish communication channel (out-of-band if needed)

3. Begin incident documentation

4. Alert leadership per escalation matrix

5. Engage external IR support if needed (Critical/Major)

Initial Response Checklist

□ Alert validated as ransomware incident
□ Initial affected systems identified
□ Incident severity declared
□ IR team activated
□ Communication channel established
□ Initial timeline documented
□ Evidence preservation initiated
□ External IR on standby (if needed)

---

Phase 2: Containment

Timeline: 15-60 minutes

copies/backupsObjective: Stop the spread of ransomware and preserve evidence.

⚠️ Critical Decision: Containment must be fast but measured. Premature actions may tip off attackers or destroy evidence. However, delay costs encrypted systems.

Step 2.1: Network Containment

Immediate Network Actions

Priority	Action	Method	Risk
1	Isolate confirmed infected systems	MDE Device Isolation	Low
2	Block known C2 infrastructure	Prisma Access / Firewall	Low
3	Isolate suspected systems	MDE Device Isolation	Medium
4	Segment affected network zones	Firewall rules	Medium
5	Block lateral movement ports	Emergency firewall rules	High (business impact)
6	Disable external access	VPN/RDP shutdown	High (business impact)

Network Isolation Decision Tree

Is encryption actively spreading?
├── YES → Aggressive network isolation immediately
│         Consider domain-wide segmentation
│         Accept business disruption
│
└── NO (encryption stopped/contained)
    ├── How many systems affected?
    │   ├── <10 → Isolate individual systems
    │   ├── 10-50 → Isolate network segment
    │   └── >50 → Consider broader isolation
    │
    └── Are Domain Controllers compromised?
        ├── YES → Isolate DC network
        │         Prepare for KRBTGT reset
        └── NO → Continue targeted isolation

Step 2.2: Endpoint Containment

# MDE Device Isolation via Security Center or API
# Isolates device from network but maintains MDE connectivity

# Via Microsoft Graph Security API
$deviceId = "device-id-here"
$body = @{
    Comment = "Ransomware containment - IR-2024-XXX"
    IsolationType = "Full"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$deviceId/isolate" `
    -Body $body

Step 2.3: Identity Containment

Immediate Identity Actions

Action	When	Method
Disable compromised accounts	Confirmed compromise	AD + Entra ID
Reset compromised passwords	Confirmed compromise	AD + Entra ID
Revoke active sessions	All suspicious accounts	Entra ID
Disable service accounts	If used in attack	AD (with caution)
Block suspicious IPs	Attacker infrastructure	Conditional Access

Account Containment Commands

# Disable potentially compromised accounts
$compromisedUsers = @("user1", "user2", "admin1")

foreach ($user in $compromisedUsers) {
    # Disable AD account
    Disable-ADAccount -Identity $user
    
    # Disable Entra ID account
    Update-MgUser -UserId "$user@domain.com" -AccountEnabled:$false
    
    # Revoke sessions
    Revoke-MgUserSignInSession -UserId "$user@domain.com"
    
    Write-Host "Contained account: $user"
}

Step 2.4: Preserve Evidence

⚠️ Critical: Do not wipe or reimage systems until evidence is preserved!

Evidence Type	Collection Method	Priority
Memory dumps	MDE Live Response, WinPmem	High
Ransomware samples	MDE quarantine, manual collection	High
Ransom notes	Copy to evidence storage	High
Event logs	Export before rotation	High
MFT/filesystem metadata	Forensic tools	Medium
Network captures	PCAP from network devices	Medium

Step 2.5: Protect Backups

Action	Purpose
Verify backup isolation	Ensure backups not accessible to attackers
Disable backup network access	Prevent backup encryption/deletion
Validate backup integrity	Confirm backups are usable
Create backup of backups	Protect recovery capability
Document backup status	Record what's available for recovery

Containment Checklist

□ Infected systems isolated (network)
□ C2 infrastructure blocked
□ Affected network segments isolated
□ Compromised accounts disabled
□ Sessions revoked for affected users
□ Evidence collection initiated
□ Backups verified and protected
□ Encryption spread stopped
□ Containment documented with timestamps

---

Phase 3: Investigation

Timeline: Ongoing (parallel to containment/eradication) Objective: Determine full scope, identify root cause, and map impact.

Step 3.1: Identify Patient Zero

1. Query for earliest ransomware indicators

2. Trace back from encrypted systems

3. Identify initial access vector

4. Document initial compromise timeline

5. Determine attacker dwell time

Step 3.2: Map Lateral Movement

1. Query all lateral movement for compromised accounts

2. Identify all systems accessed

3. Map credential usage patterns

4. Document administrative access points

5. Identify Domain Controller access

Step 3.3: Determine Full Scope

Question	Investigation Method
How many systems encrypted?	MDE query, file share scan
Which systems were accessed?	Logon event analysis
What accounts compromised?	Authentication analysis
Was data exfiltrated?	Network analysis, cloud logs
Are backups affected?	Backup system verification
Are DCs compromised?	DC forensic analysis

Step 3.4: Assess Data Exfiltration

1. Review network traffic for large outbound transfers

2. Check cloud storage activity

3. Review known exfiltration tools

4. Analyse pre-encryption timeline

5. Document potential data exposure

Step 3.5: Identify Ransomware Variant

1. Collect ransom notes

2. Analyse encrypted file extensions

3. Check ransomware identification services

4. Research variant-specific TTPs

5. Check for available decryptors

Investigation Documentation Template

RANSOMWARE INVESTIGATION SUMMARY
================================
Incident ID: IR-2024-XXX
Date Detected: YYYY-MM-DD HH:MM
Ransomware Variant: [Name/Family]
Ransom Amount: $XXX,XXX

TIMELINE:
---------
Initial Access: YYYY-MM-DD (estimated)
First Lateral Movement: YYYY-MM-DD
Data Exfiltration: YYYY-MM-DD (if confirmed)
Encryption Started: YYYY-MM-DD HH:MM
Encryption Detected: YYYY-MM-DD HH:MM

SCOPE:
------
Total Systems Affected: XXX
Servers Encrypted: XXX
Workstations Encrypted: XXX
Domain Controllers: [Affected/Clean]
Backups Status: [Intact/Compromised/Unknown]

ACCOUNTS COMPROMISED:
--------------------
- [List accounts]

DATA EXFILTRATION:
-----------------
Status: [Confirmed/Suspected/No Evidence]
Data Types: [If known]
Volume: [If known]

ROOT CAUSE:
-----------
Initial Access Vector: [Phishing/RDP/VPN/Other]
Exploited Vulnerability: [If applicable]

---

Phase 4: Eradication

Timeline: After containment confirmed

Objective: Remove all attacker presence from the environment.

⚠️ Warning: Do not begin eradication until containment is complete. Partial eradication may alert attackers and trigger destructive actions.

Step 4.1: Credential Reset Strategy

Tiered Credential Reset

Tier	Accounts	When	Method
Tier 0	KRBTGT, Domain Admin, Enterprise Admin	Immediately if DC compromised	Scripted reset
Tier 1	All privileged accounts	After Tier 0	Scripted reset
Tier 2	Service accounts	After Tier 1	Coordinated reset
Tier 3	All user accounts	After Tier 1-2	Forced reset at logon

KRBTGT Reset Procedure

⚠️ Critical: KRBTGT reset affects all Kerberos authentication. Plan carefully.

# KRBTGT Reset Procedure
# Must be done TWICE with appropriate interval

# Pre-requisites:
# - Verify all DCs are replicating
# - Plan for authentication disruption
# - Have rollback plan ready

# Download official Microsoft script
# https://github.com/microsoft/New-KrbtgtKeys.ps1

# Step 1: First Reset
.\New-KrbtgtKeys.ps1 -Mode 2  # Mode 2 = Reset

# Step 2: Wait for replication
# Minimum wait: Maximum TGT lifetime (default 10 hours)
# Recommended: 24 hours if possible

# Step 3: Monitor for issues
# - Authentication failures
# - Application issues
# - Service account problems

# Step 4: Second Reset (invalidates any attacker tickets)
.\New-KrbtgtKeys.ps1 -Mode 2

# Step 5: Monitor for 24-48 hours

Domain Admin Reset

# Reset all Domain Admin passwords
$domainAdmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object {$_.objectClass -eq "user"}

foreach ($admin in $domainAdmins) {
    # Generate secure random password
    $newPassword = -join ((65..90) + (97..122) + (48..57) + (33..47) | 
        Get-Random -Count 20 | ForEach-Object {[char]$_})
    
    # Reset password
    Set-ADAccountPassword -Identity $admin.SamAccountName `
        -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
    
    # Log securely (store password securely for distribution)
    Write-Host "Reset password for: $($admin.SamAccountName)"
}

# Force password change at next logon for all users
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true

Step 4.2: Malware Removal

Per-System Eradication

Step	Action	Verification
1	Run full AV scan	MDE full scan
2	Remove persistence mechanisms	Registry, services, tasks
3	Remove malware files	All identified binaries
4	Remove attacker tools	Cobalt Strike, Mimikatz, etc.
5	Verify removal	Second scan, manual check

Persistence Mechanism Removal

# Check and remove common persistence mechanisms

# Scheduled Tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -notmatch "Microsoft"} |
    Select-Object TaskName, TaskPath, State

# Services
Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -notmatch "Windows|Microsoft|Program Files" -and
    $_.State -eq "Running"
} | Select-Object Name, PathName, StartMode

# Run Keys
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object PSPath, *
}

# WMI Subscriptions
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding

Step 4.3: GPO Cleanup

# Check for suspicious GPOs
Get-GPO -All | Where-Object {
    $_.ModificationTime -gt (Get-Date).AddDays(-30)
} | Select-Object DisplayName, ModificationTime, GpoStatus

# Review GPO contents
Get-GPO -All | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType XML
    # Analyse for suspicious settings
}

# Remove malicious GPOs
Remove-GPO -Name "Suspicious GPO Name" -Confirm

Step 4.4: Validate Eradication

Validation Check	Method	Pass Criteria
Full endpoint scan	MDE scan all systems	No detections
Persistence check	Manual/script verification	No persistence found
Network monitoring	24-48 hour monitoring	No C2 callbacks
Credential verification	Test authentication	Clean authentication
IOC search	Hunt for known IOCs	No matches

Eradication Checklist

□ KRBTGT reset completed (twice)
□ All Domain Admin passwords reset
□ All privileged account passwords reset
□ Service account passwords reset
□ Malware removed from all systems
□ Persistence mechanisms removed
□ Malicious GPOs removed
□ Attacker tools removed
□ Full scan completed on all systems
□ 24-48 hour monitoring shows no reinfection
□ Eradication validated and documented

---

Phase 5: Recovery

Timeline: After eradication validated

Objective: Restore systems and data from clean backups.

Step 5.1: Recovery Prioritisation

Priority	Systems	Recovery Method	Timeline Target
P1	Domain Controllers	Rebuild or verified backup	Immediate
P2	Authentication infrastructure	Rebuild or verified backup	Immediate
P3	Critical business applications	Backup restore	24-48 hours
P4	File servers	Backup restore	48-72 hours
P5	User workstations	Reimage + backup data	As capacity allows

Step 5.2: Backup Validation

⚠️ Critical: Validate backups are clean before restoration!

Validation Step	Method	Purpose
Isolate backup	Air-gapped restoration	Prevent infection
Scan backup	AV/EDR scan	Detect malware
Test restore	Restore to isolated VM	Verify integrity
Date verification	Confirm backup date	Ensure pre-infection
Application test	Test functionality	Verify usability

Step 5.3: Domain Controller Recovery

If DCs Are Compromised

Option	When to Use	Complexity
Restore from backup	Clean backup available, <24hrs old	Medium
Rebuild DC	No clean backup, or backup old	High
Forest recovery	Multiple/all DCs compromised	Very High

DC Rebuild Procedure (Summary)

1. Build new DC on clean hardware/VM

2. Promote to Domain Controller

3. Wait for replication

4. Seize FSMO roles if needed

5. Demote compromised DCs

6. Remove compromised DC metadata

7. Validate AD functionality

Step 5.4: System Recovery Procedures

Server Recovery

1. Validate backup integrity (isolated restore test)
2. Prepare clean hardware/VM
3. Restore from backup
4. Apply security updates before network connection
5. Harden configuration
6. Deploy EDR agent
7. Validate functionality
8. Connect to network (monitored segment initially)
9. Monitor for 24-48 hours
10. Move to production

Workstation Recovery

1. Reimage with clean OS image
2. Apply security updates
3. Install required applications
4. Deploy EDR agent
5. Restore user data from backup (scan first)
6. Enforce password change at first logon
7. Monitor for anomalies

Step 5.5: Data Recovery

Data Type	Recovery Method	Validation
File shares	Restore from backup	Spot check + AV scan
Databases	Restore from backup	Integrity check + test
Email	PST restore or O365 recovery	Verify mailbox function
Cloud data	Point-in-time recovery	Verify access
Application data	Application-specific restore	Application testing

Recovery Checklist

□ Recovery priorities established
□ Backup integrity validated
□ Domain Controllers recovered/rebuilt
□ KRBTGT reset completed (if not done)
□ Authentication services functional
□ Critical applications restored
□ File servers restored
□ User workstations reimaged
□ User data restored
□ All systems scanned post-recovery
□ Recovery validated and documented
□ Users notified of recovery status

---

Phase 6: Post-Incident Activities

Timeline: After recovery complete

Objective: Learn from the incident and improve defences.

Step 6.1: Post-Incident Review (PIR)

Topic	Questions to Address
Detection	How was the incident detected? How long was dwell time?
Response	What worked well? What could be improved?
Containment	Was containment fast enough? What slowed it down?
Eradication	Was eradication complete? Any reinfection?
Recovery	How long did recovery take? Were backups adequate?
Communication	Was communication effective? Any gaps?

Step 6.2: Documentation Requirements

Document	Contents	Audience
Technical Report	Full technical details, IOCs, timeline	Security team
Executive Summary	Business impact, costs, key decisions	Leadership
Legal Report	Evidence, timeline for litigation	Legal counsel
Regulatory Report	Data breach details if applicable	Regulators
Insurance Claim	Costs, timeline, evidence	Cyber insurance

Step 6.3: Hardening Recommendations

Category	Common Improvements
Identity	MFA everywhere, privileged access management, reduced admin accounts
Endpoint	EDR coverage, application control, attack surface reduction
Network	Segmentation, east-west traffic monitoring, zero trust
Backup	Air-gapped backups, immutable storage, tested restoration
Detection	Improved alerting, UEBA, deception technology
Response	Updated runbooks, tabletop exercises, IR retainer

Step 6.4: Regulatory Notifications

Regulation	Notification Requirement	Timeline
GDPR	Data Protection Authority if EU data	72 hours
HIPAA	HHS if PHI involved	60 days
State Breach Laws	State AG, affected individuals	Varies (typically 30-60 days)
SEC	Material cybersecurity incidents	4 business days
PCI-DSS	Card brands, acquirer	Immediately
CISA	Critical infrastructure	72 hours

---

KQL Query Cheat Sheet

Ransomware Detection Queries

Mass File Modification Detection

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileModified", "FileRenamed", "FileCreated")
| summarize 
    ModifiedFiles = count(),
    UniqueExtensions = dcount(tostring(split(FileName, ".")[-1])),
    Extensions = make_set(tostring(split(FileName, ".")[-1]), 20)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where ModifiedFiles > 100
| sort by ModifiedFiles desc

Known Ransomware Extensions

let ransomwareExtensions = dynamic([
    ".lockbit", ".lockbit3", ".alphv", ".ALPHV", ".clop", ".Cl0p",
    ".royal", ".play", ".akira", ".basta", ".rhysida", ".medusa",
    ".8base", ".encrypted", ".enc", ".locked", ".crypted"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FileName has_any (ransomwareExtensions)
| summarize Count = count(), Files = make_set(FileName, 20) by DeviceName, InitiatingProcessFileName
| sort by Count desc

Ransom Note Detection

let ransomNotePatterns = dynamic([
    "readme", "DECRYPT", "RECOVER", "RESTORE", "HOW_TO", "HELP_ME",
    "READ_ME", "ATTENTION", "_HELP_", "RANSOM", "ENCRYPTED"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (ransomNotePatterns)
| where FileName endswith ".txt" or FileName endswith ".html" or FileName endswith ".hta"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
| sort by Timestamp desc

Shadow Copy Deletion

DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has_any ("delete", "shadows", "resize"))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("shadowcopy", "delete"))
    or (FileName =~ "wbadmin.exe" and ProcessCommandLine has "delete")
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("recoveryenabled", "no", "ignoreallfailures"))
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Get-WmiObject", "Win32_ShadowCopy", "Delete"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

Security Tool Tampering

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "DisableAntiSpyware",
    "DisableRealtimeMonitoring",
    "Set-MpPreference",
    "Stop-Service",
    "sc stop",
    "net stop",
    "taskkill /F /IM"
)
| where ProcessCommandLine has_any (
    "defender", "antivirus", "malware", "security", "protect",
    "msmpeng", "mssense", "sense", "windefend"
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc

---

Pre-Encryption Activity Detection

Credential Dumping Tools

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mimikatz.exe", "procdump.exe", "procdump64.exe", "comsvcs.dll")
    or ProcessCommandLine has_any (
        "sekurlsa", "lsadump", "kerberos::", "privilege::debug",
        "-ma lsass", "MiniDump", "comsvcs.dll,MiniDump"
    )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc

Reconnaissance Tools

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("AdFind.exe", "adfind.exe", "bloodhound.exe", "sharphound.exe")
    or ProcessCommandLine has_any (
        "AdFind", "-f objectcategory=computer",
        "Get-ADComputer", "Get-ADUser", "Get-ADGroup",
        "net group", "net user", "net localgroup",
        "nltest /dclist", "dsquery"
    )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

PsExec and Remote Execution

union
(DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe")
| project Timestamp, DeviceName, AccountName, Tool = FileName, CommandLine = ProcessCommandLine),
(DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| where ServiceName matches regex @"(?i)(psexe|paexe|remcom|csexe)"
| project Timestamp, DeviceName, AccountName, Tool = "Service", CommandLine = ServiceName)
| sort by Timestamp desc

Lateral Movement Velocity

DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType in ("Network", "RemoteInteractive")
| where ActionType == "LogonSuccess"
| summarize 
    TargetCount = dcount(DeviceName),
    Targets = make_set(DeviceName, 50),
    SourceIPs = make_set(RemoteIP, 10)
    by AccountName, bin(Timestamp, 15m)
| where TargetCount > 10
| sort by TargetCount desc

---

Active Encryption Detection

Real-Time File Encryption Alert

DeviceFileEvents
| where Timestamp > ago(15m)
| where ActionType in ("FileModified", "FileRenamed")
| summarize 
    FileCount = count(),
    UniqueDirectories = dcount(FolderPath)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1m)
| where FileCount > 50
| sort by Timestamp desc, FileCount desc

Encryption Process Identification

// Find processes modifying many files
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileModified", "FileRenamed", "FileCreated")
| summarize FileCount = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessId
| where FileCount > 500
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(1h)
) on DeviceName, $left.InitiatingProcessFileName == $right.FileName
| project DeviceName, ProcessName = InitiatingProcessFileName, FileCount, ProcessCommandLine, ProcessCreationTime = Timestamp
| sort by FileCount desc

Affected Systems Dashboard

DeviceFileEvents
| where Timestamp > ago(4h)
| where ActionType in ("FileModified", "FileRenamed")
| extend FileExtension = tostring(split(FileName, ".")[-1])
| summarize 
    TotalFiles = count(),
    UniqueExtensions = dcount(FileExtension),
    Extensions = make_set(FileExtension, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName
| where TotalFiles > 100
| sort by TotalFiles desc

---

Post-Compromise Investigation

Timeline for Affected Device

let targetDevice = "INFECTED-PC01";
let timeframe = 7d;
union
(DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where DeviceName == targetDevice
| project Timestamp, EventType = "Process", Details = strcat(FileName, " - ", ProcessCommandLine)),
(DeviceLogonEvents
| where Timestamp > ago(timeframe)
| where DeviceName == targetDevice
| project Timestamp, EventType = "Logon", Details = strcat(AccountName, " from ", RemoteIP, " (", LogonType, ")")),
(DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where DeviceName == targetDevice
| where RemoteIPType == "Public"
| project Timestamp, EventType = "Network", Details = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort)),
(DeviceFileEvents
| where Timestamp > ago(timeframe)
| where DeviceName == targetDevice
| where ActionType in ("FileCreated", "FileModified") and FileName endswith ".exe"
| project Timestamp, EventType = "FileEvent", Details = strcat(ActionType, ": ", FileName))
| sort by Timestamp asc

Account Activity Analysis

let compromisedAccount = "DOMAIN\\username";
let timeframe = 7d;
IdentityLogonEvents
| where Timestamp > ago(timeframe)
| where AccountUpn contains compromisedAccount or AccountName contains compromisedAccount
| summarize 
    LogonCount = count(),
    UniqueTargets = dcount(TargetDeviceName),
    Targets = make_set(TargetDeviceName, 50),
    LogonTypes = make_set(LogonType),
    Protocols = make_set(Protocol)
    by bin(Timestamp, 1h)
| sort by Timestamp asc

C2 Communication Detection

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| summarize 
    Connections = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemotePort
| where Connections > 100 or BytesSent > 100000000
| sort by Connections desc

---

Backup and Recovery Queries

Backup System Access

DeviceLogonEvents
| where Timestamp > ago(30d)
| where DeviceName has_any ("backup", "veeam", "commvault", "veritas", "cohesity")
| summarize 
    LogonCount = count(),
    UniqueAccounts = dcount(AccountName),
    Accounts = make_set(AccountName, 20)
    by DeviceName, LogonType, bin(Timestamp, 1d)
| sort by Timestamp desc

VSS Activity Monitoring

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "diskshadow.exe")
| where ProcessCommandLine has_any ("shadow", "delete", "create", "resize", "list")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

---

Response Actions & Commands

Immediate Response Actions

MDE Device Isolation

# Isolate device via MDE
# Full isolation - device can only communicate with MDE

$deviceId = "device-machine-id"
$comment = "Ransomware containment - IR-2024-XXX"

# Via Microsoft Graph
$body = @{
    Comment = $comment
    IsolationType = "Full"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$deviceId/isolate" `
    -Body $body

# Bulk isolation
$deviceIds = @("device1-id", "device2-id", "device3-id")
foreach ($id in $deviceIds) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$id/isolate" `
        -Body $body
    Write-Host "Isolated: $id"
}

Network Containment via Prisma Access

# Emergency Security Policy - Block Ransomware Spread

Rule 1: Block SMB Lateral Movement
- Source: Any internal
- Destination: Any internal  
- Service: microsoft-ds (445), netbios-ssn (139)
- Action: Deny
- Log: Yes

Rule 2: Block RDP Lateral Movement
- Source: Any internal (except jump servers)
- Destination: Any internal
- Service: ms-rdp (3389)
- Action: Deny
- Log: Yes

Rule 3: Block Known C2
- Source: Any
- Destination: [IOC IP list]
- Service: Any
- Action: Deny
- Log: Yes

Mass Account Disable

# Disable compromised accounts in bulk
$compromisedAccounts = @(
    "user1@domain.com",
    "user2@domain.com",
    "admin1@domain.com"
)

# Entra ID
Connect-MgGraph -Scopes "User.ReadWrite.All"
foreach ($user in $compromisedAccounts) {
    Update-MgUser -UserId $user -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user
    Write-Host "Disabled and revoked sessions: $user"
}

# On-premises AD
foreach ($user in $compromisedAccounts) {
    $samAccount = ($user -split "@")[0]
    Disable-ADAccount -Identity $samAccount
    Write-Host "Disabled AD account: $samAccount"
}

Evidence Collection

Collect Ransomware Artifacts

# Collect artifacts from affected system (run via MDE Live Response or locally)

$evidencePath = "C:\IR_Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $evidencePath -Force

# Collect ransom notes
Get-ChildItem -Path C:\ -Recurse -Include "*readme*","*decrypt*","*recover*","*help*" -File -ErrorAction SilentlyContinue |
    Where-Object {$_.Extension -in ".txt",".html",".hta"} |
    Copy-Item -Destination $evidencePath

# Collect encrypted file samples
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {$_.Extension -match "\.(lockbit|encrypted|enc|locked)"} |
    Select-Object -First 5 |
    Copy-Item -Destination $evidencePath

# Export event logs
$logs = @("Security", "System", "Application", "Microsoft-Windows-PowerShell/Operational")
foreach ($log in $logs) {
    wevtutil epl $log "$evidencePath\$($log -replace '/','-').evtx"
}

# Collect running processes
Get-Process | Export-Csv "$evidencePath\processes.csv" -NoTypeInformation

# Collect network connections
Get-NetTCPConnection | Export-Csv "$evidencePath\connections.csv" -NoTypeInformation

# Collect scheduled tasks
Get-ScheduledTask | Export-Csv "$evidencePath\scheduledtasks.csv" -NoTypeInformation

# Collect services
Get-Service | Export-Csv "$evidencePath\services.csv" -NoTypeInformation

# Compress evidence
Compress-Archive -Path $evidencePath -DestinationPath "$evidencePath.zip" -Force

Write-Host "Evidence collected to: $evidencePath.zip"

Memory Acquisition

# Using WinPmem (must be deployed to system)
# Run via MDE Live Response

# Upload WinPmem to device first
# Then execute:
.\winpmem_mini_x64.exe memdump.raw

# Alternative: Using MDE Live Response built-in
# (limited memory collection capability)

---

Quick Reference Cards

Ransomware Response Checklist

Immediate Actions (First 15 Minutes)

□ Validate ransomware alert
□ Identify initial affected systems
□ Declare incident severity
□ Activate IR team
□ Establish secure communication
□ Begin isolating confirmed infected systems
□ Alert leadership
□ Start incident documentation

Containment Actions (15-60 Minutes)

□ Isolate all confirmed infected systems
□ Block C2 infrastructure
□ Isolate network segments if spreading
□ Disable compromised accounts
□ Protect backup systems
□ Preserve evidence (don't wipe!)
□ Verify containment effectiveness
□ Document containment actions

Investigation Actions (Ongoing)

□ Identify patient zero
□ Determine initial access vector
□ Map lateral movement
□ Identify all compromised accounts
□ Assess data exfiltration
□ Determine encryption scope
□ Identify ransomware variant
□ Check for available decryptors

Eradication Actions (After Containment)

□ Plan credential reset strategy
□ Execute KRBTGT reset (if DC compromised)
□ Reset all privileged passwords
□ Reset all user passwords
□ Remove malware and persistence
□ Remove attacker tools
□ Clean up GPOs
□ Validate eradication complete

Recovery Actions (After Eradication)

□ Validate backup integrity
□ Prioritise system recovery
□ Recover/rebuild Domain Controllers
□ Restore critical applications
□ Restore file servers
□ Reimage workstations
□ Restore user data
□ Validate recovery complete

Ransomware Variant Quick Reference

If You See...	Likely Ransomware	Known For
.lockbit3 extension, red wallpaper	LockBit 3.0	Fast encryption, RaaS
.ALPHV extension, rust-based	BlackCat/ALPHV	Cross-platform
Targets MOVEit/GoAnywhere	Cl0p	Zero-day exploitation
.royal extension	Royal/BlackSuit	Partial encryption
.play extension	Play	No RaaS, stealth
.akira extension, retro theme	Akira	VPN targeting
.basta extension	Black Basta	QakBot delivery

Critical Contacts Template

Role	Name	Phone	Email
IR Team Lead
CISO
Legal Counsel
External IR Firm
Cyber Insurance
FBI Field Office
PR/Communications

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response
🔴 Critical	Active encryption spreading, DCs affected, >50 systems	All hands, external IR
🟠 High	Encryption contained, multiple servers affected	Full IR team
🟡 Medium	Single server or multiple workstations	Tier 2 + Tier 1
🟢 Low	Single workstation, rapidly contained	Tier 1 with Tier 2 backup

Escalation Timeline

Time	Actions
0-15 min	IR team lead notified, incident declared
15-30 min	CISO notified, containment in progress
30-60 min	Executive leadership briefed
1-4 hours	External IR engaged (if needed), Legal notified
4-24 hours	Board notification (if critical), insurance notified
24-72 hours	Regulatory notification assessment

Communication Templates

Initial Executive Notification

Subject: SECURITY INCIDENT - Ransomware Detected

Priority: CRITICAL

Summary:
At [TIME], our security systems detected ransomware activity affecting 
[NUMBER] systems. The incident response team has been activated.

Current Status:
- Containment actions in progress
- Affected systems are being isolated
- Investigation underway

Impact Assessment:
- Systems affected: [NUMBER/LIST]
- Business services impacted: [LIST]
- Data at risk: [ASSESSMENT]

Next Update: [TIME]

Actions Required:
- [Any executive decisions needed]

Contact: [IR Lead] - [Phone]

Status Update Template

Subject: SECURITY INCIDENT UPDATE #[X] - Ransomware Response

Time: [TIMESTAMP]
Status: [Containment/Investigation/Eradication/Recovery]

Progress Since Last Update:
- [Bullet points of progress]

Current Actions:
- [What's happening now]

Challenges/Blockers:
- [Any issues]

Next Steps:
- [Planned actions]

Metrics:
- Systems Contained: X/Y
- Systems Clean: X/Y
- Estimated Recovery: [TIME]

Next Update: [TIME]

---

MITRE ATT&CK Mapping

Pre-Ransomware Techniques

Tactic	Technique	ID	Detection
Initial Access	Phishing	T1566	MDO alerts
Initial Access	External Remote Services	T1133	VPN/RDP logs
Initial Access	Valid Accounts	T1078	SigninLogs anomalies
Execution	PowerShell	T1059.001	Script block logging
Execution	Command Interpreter	T1059.003	Process command lines
Persistence	Scheduled Task	T1053.005	Event 4698
Persistence	Registry Run Keys	T1547.001	Registry monitoring
Privilege Escalation	Valid Accounts	T1078	Privileged logons
Defense Evasion	Disable Security Tools	T1562.001	MDE health alerts
Credential Access	OS Credential Dumping	T1003	MDE alerts, process events
Credential Access	Kerberoasting	T1558.003	Event 4769
Discovery	Domain Trust Discovery	T1482	Nltest, AD queries
Discovery	Network Share Discovery	T1135	Net view commands
Lateral Movement	Remote Services	T1021	Logon events
Lateral Movement	SMB/Admin Shares	T1021.002	Event 5140
Collection	Data from Local System	T1005	File access
Exfiltration	Exfil Over Web Service	T1567	Network traffic

Ransomware Execution Techniques

Tactic	Technique	ID	Detection
Impact	Data Encrypted for Impact	T1486	Mass file modification
Impact	Inhibit System Recovery	T1490	VSS deletion, bcdedit
Impact	Service Stop	T1489	Service control events
Impact	System Shutdown/Reboot	T1529	System events

---

Appendix: Additional Resources

Ransomware Identification Resources

Resource	URL	Purpose
ID Ransomware	https://id-ransomware.malwarehunterteam.com	Identify variant by sample
No More Ransom	https://www.nomoreransom.org	Free decryptors
Ransomwhere	https://ransomwhe.re	Ransom payment tracking
CISA Ransomware Guide	https://www.cisa.gov/stopransomware	Official guidance

Decryptor Resources

Source	URL
No More Ransom Project	https://www.nomoreransom.org/en/decryption-tools.html
Emsisoft Decryptors	https://www.emsisoft.com/ransomware-decryption-tools/
Kaspersky No Ransom	https://noransom.kaspersky.com
Avast Decryptors	https://www.avast.com/ransomware-decryption-tools

Legal and Regulatory Resources

Topic	Resource
FBI IC3	https://www.ic3.gov (report ransomware)
CISA	https://www.cisa.gov/stopransomware
OFAC Sanctions	Check before any ransom consideration
State Breach Laws	Varies by state

Ransom Payment Considerations

⚠️ Important Legal Note: This section is for awareness only. Ransom payment decisions require legal, executive, and potentially law enforcement consultation.

Factor	Consideration
OFAC Sanctions	Payment to sanctioned entities is illegal
No Guarantee	Payment doesn't guarantee decryption
Repeat Targeting	Paying may invite future attacks
Data Already Leaked	Payment won't prevent data publication
Decryptor Availability	Free decryptors may exist
Backup Recovery	Recovery without payment may be possible
Insurance Coverage	Policy may have payment restrictions
Legal Liability	Consider all legal implications

Recommendation: Exhaust all recovery options before considering payment. Always involve legal counsel and potentially law enforcement.

---

🚨 CRITICAL REMINDER: Ransomware incidents are time-critical. Every minute of delay can result in additional encrypted systems. However, hasty actions can destroy evidence or alert attackers. Balance speed with precision. When in doubt, isolate first, investigate second. NEVER pay ransom without exhausting all other options and consulting legal counsel. Most importantly—test your backups regularly; they are your primary recovery mechanism.