Ransomware Incident Response Framework
Last updated: February 2026 · 16 min read
When a ransomware attack strikes, the speed and quality of your response can mean the difference between a contained incident and a catastrophic business failure. This framework provides a structured, step-by-step approach to responding to a ransomware event, based on the NIST Computer Security Incident Handling Guide (SP 800-61) and industry best practices.
The single most important thing you can do before an incident is plan for one. An incident response plan that has never been tested is barely better than having no plan at all.
Phase 1: Preparation
Preparation is not technically part of the response, but it determines everything that follows.
- Develop and document a formal incident response plan (IRP)
- Assemble an incident response team with defined roles (IR lead, communications, legal, IT, management)
- Establish relationships with external resources: forensic investigators, law enforcement contacts, legal counsel, cyber insurance provider
- Maintain an up-to-date asset inventory and network diagrams
- Conduct tabletop exercises at least twice per year simulating ransomware scenarios
- Ensure offline copies of the IRP exist (a ransomware attack may render your intranet inaccessible)
Phase 2: Detection and Analysis
Early detection significantly improves outcomes. Industry incident reporting puts the median time between initial access and encryption at roughly five days, and some intrusions go from first foothold to encryption in under 24 hours, so the precursor window is short and has to be watched continuously rather than reviewed after the fact.
- Monitor for indicators of compromise (IOCs): unusual file extension changes, mass file modifications, ransom notes appearing
- Watch for precursor activity: reconnaissance scanning, credential harvesting, unusual administrative tool usage (PsExec, Cobalt Strike, base64-encoded PowerShell), and defence evasion immediately before encryption (shadow copy deletion via vssadmin or wmic, disabling Windows recovery, tampering with backup agents or EDR)
- Use EDR and SIEM alerts to identify anomalous behaviour patterns
- Once suspected, immediately escalate to the incident response team
- Begin documenting everything: timestamps, affected systems, observations, decisions made
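The indicators listed above can be turned into concrete detection logic. The following is an added example written for this page, not code from any EDR or SIEM product: it runs a handful of rules over endpoint telemetry in a constructed tuple format (timestamp, host, user, event type, detail), which you would populate from your own tool's export. The rules, thresholds, file extension ".locked" and host names are assumptions chosen for the demonstration.

```python
"""Flag ransomware precursors and encryption activity in endpoint telemetry.

Added example for this page; it is not part of any vendor product. Input is a
list of (timestamp, host, user, event_type, detail) tuples, a constructed
format that you would populate from your EDR or SIEM export.
"""
import re
from collections import defaultdict, deque

RENAME_THRESHOLD = 20   # extension changes on one host ...
WINDOW_SECONDS = 60     # ... within this sliding window => encryption in progress

PRECURSOR_PATTERNS = {
    # PowerShell launched with a base64 payload, the usual loader for Cobalt Strike and similar
    "encoded_powershell": re.compile(
        r"powershell.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Shadow-copy and recovery tampering, typically run minutes before encryption
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit.*recoveryenabled\s+no", re.I),
}
# Ransom note names: README/RESTORE/DECRYPT style text or HTML dropped into each folder
RANSOM_NOTE = re.compile(
    r"^(readme|read_me|how_to|restore|recover|decrypt)[\w -]*\.(txt|html|hta)$", re.I)

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    (1700000000, "WS-042", "jsmith", "process",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    (1700000005, "WS-042", "jsmith", "process", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    (1700000030, "FS-01", "svc_backup", "service_install", "PSEXESVC"),
    (1700000400, "WS-017", "mlee", "file_rename",          # benign: extension unchanged
     r"C:\Users\mlee\Documents\budget.xlsx -> C:\Users\mlee\Documents\budget_v2.xlsx"),
    (1700000410, "FS-01", "svc_backup", "file_create", r"\\FS-01\finance\RESTORE-MY-FILES.txt"),
]
# Constructed burst: 25 renames on FS-01 within 50 seconds, each file gaining ".locked"
SAMPLE_EVENTS += [
    (1700000420 + 2 * i, "FS-01", "svc_backup", "file_rename",
     rf"\\FS-01\finance\doc{i:03d}.docx -> \\FS-01\finance\doc{i:03d}.docx.locked")
    for i in range(25)
]


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _ext(path):
    base = _basename(path)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def detect(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of alert dicts; events are processed in timestamp order."""
    alerts = []
    renames = defaultdict(deque)      # host -> timestamps of extension-changing renames
    new_exts = defaultdict(set)       # host -> extensions the renamed files acquired
    burst_alerted = set()             # one mass-rename alert per host
    for ts, host, user, etype, detail in sorted(events):
        if etype == "process":
            for rule, pattern in PRECURSOR_PATTERNS.items():
                if pattern.search(detail):
                    alerts.append({"severity": "high", "rule": rule, "host": host,
                                   "user": user, "detail": detail})
        elif etype == "service_install" and "PSEXESVC" in detail.upper():
            alerts.append({"severity": "high", "rule": "psexec_service", "host": host,
                           "user": user, "detail": detail})
        elif etype == "file_create" and RANSOM_NOTE.match(_basename(detail)):
            alerts.append({"severity": "critical", "rule": "ransom_note", "host": host,
                           "user": user, "detail": detail})
        elif etype == "file_rename":
            old, _, new = detail.partition(" -> ")
            if _ext(old) == _ext(new):
                continue                       # ordinary rename, not an encryption marker
            q = renames[host]
            q.append(ts)
            new_exts[host].add(_ext(new))
            while q and ts - q[0] > window:    # drop timestamps outside the sliding window
                q.popleft()
            if len(q) >= threshold and host not in burst_alerted:
                burst_alerted.add(host)
                alerts.append({"severity": "critical", "rule": "mass_rename", "host": host,
                               "user": user, "detail": f"{len(q)} extension changes in "
                               f"{window}s, new extensions: {sorted(new_exts[host])}"})
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with a critical alert, i.e. encryption is already running there."""
    return sorted({a["host"] for a in alerts if a["severity"] == "critical"})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']:22} {a['host']:7} {a['detail'][:70]}")
    print("isolate first:", hosts_to_isolate(SAMPLE_EVENTS and detect(SAMPLE_EVENTS)))
```

The mass-rename rule is the one that matters most under time pressure: the precursor rules fire on the workstation where the operator prepared the attack, but the rename burst identifies the file server that is being encrypted right now, which is where the first isolation action in Phase 3 should go. Tune the threshold against a week of normal file-server activity before relying on it, since batch jobs that rename many files can look similar.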
Phase 3: Containment
The goal is to stop the spread of ransomware while preserving evidence for forensic analysis.
Immediate actions (first 30 minutes)
- Isolate affected systems from the network immediately (disconnect cables, disable Wi-Fi, but do NOT power off: RAM may still hold the encryption keys, attacker processes and live network connections, all of which are lost on shutdown). Where your EDR supports host network isolation, prefer it to pulling cables, since it keeps the forensic channel to the endpoint open
- Disable network shares and mapped drives to prevent further encryption
- Block known malicious IPs and domains at the firewall
- Disable compromised accounts
- Preserve forensic evidence before any remediation: capture memory first (it is the most volatile source), then take disk images, record cryptographic hashes of each image and start a chain-of-custody log
Short-term containment (first 24 hours)
- Identify the ransomware strain using ransom notes, encrypted file extensions, and threat intelligence databases (e.g., ID Ransomware, No More Ransom)
- Determine the scope: how many systems are affected? Which business functions are impacted?
- Assess whether data exfiltration occurred (check for unusual outbound traffic, uploads to external services)
- Reset all potentially compromised credentials, prioritising administrative and service accounts; if domain controllers or domain admin credentials are in scope, also reset the krbtgt account password twice (allowing replication to complete between the two resets) to invalidate forged Kerberos tickets
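Assessing exfiltration is mostly a question of comparing egress volume against what the host normally sends. The block below is an added example for this page, not code from any product: it aggregates outbound flow records per host, ignores traffic to internal address space, compares the total against a per-host daily baseline, and adds indicators for bulk-transfer tooling and file-sharing services. The flow records, baseline figures, host names, the TEST-NET destination addresses and the short tool and service lists are all constructed for the demonstration.

```python
"""Assess whether data left the network during a suspected ransomware intrusion.

Added example for this page, not a product feature. Flow records and the
per-host baseline are constructed; in practice the baseline comes from your
NetFlow or proxy history for the weeks before the earliest attacker activity.
"""
import ipaddress
from collections import defaultdict

# Address space treated as internal. Extend with your own public ranges and VPN pools.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Client user-agents of bulk-transfer tools frequently abused to stage data out (example list).
EXFIL_TOOL_UA = ("rclone", "megacmd", "winscp")
# Consumer file-sharing services that rarely belong in server egress (example list; feed from TI).
SUSPICIOUS_SERVICES = ("mega.nz",)

# Constructed baseline: median daily outbound bytes per host over the 30 days before the incident.
BASELINE_DAILY_BYTES = {"FS-01": 2_000_000_000, "WS-042": 150_000_000, "WS-017": 120_000_000}

# Constructed flow records for the suspected exfil window:
# (host, dst_ip, dst_port, bytes_out, TLS SNI or HTTP host, user_agent)
SAMPLE_FLOWS = [
    ("FS-01", "203.0.113.45", 443, 60_000_000_000, "", ""),
    ("FS-01", "203.0.113.45", 443, 25_000_000_000, "", ""),
    ("FS-01", "10.0.0.5", 445, 9_000_000_000, "", ""),                   # internal SMB, not egress
    ("WS-042", "198.51.100.7", 443, 4_000_000_000, "mega.nz", "rclone/v1.65.0"),
    ("WS-017", "198.51.100.9", 443, 30_000_000, "updates.example.com", "Mozilla/5.0"),
    ("DC-01", "198.51.100.20", 443, 500_000_000, "", ""),                # host missing from baseline
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess_exfiltration(flows, baseline, ratio_threshold=5.0):
    """Return per-host findings sorted by external bytes, flagged when egress is
    several times the baseline, a transfer tool or service is seen, or no baseline exists."""
    per_host = defaultdict(lambda: {"bytes": 0, "dests": defaultdict(int), "indicators": set()})
    for host, dst, port, nbytes, sni, ua in flows:
        if not is_external(dst):
            continue                      # lateral movement is a separate question
        rec = per_host[host]
        rec["bytes"] += nbytes
        rec["dests"][f"{dst}:{port}"] += nbytes
        tool = ua.split("/")[0].lower() if ua else ""
        if tool in EXFIL_TOOL_UA:
            rec["indicators"].add(f"tool:{tool}")
        if sni and sni.lower().endswith(SUSPICIOUS_SERVICES):
            rec["indicators"].add(f"service:{sni.lower()}")

    findings = []
    for host, rec in per_host.items():
        base = baseline.get(host)
        ratio = round(rec["bytes"] / base, 1) if base else None
        reasons = []
        if base is None:
            reasons.append("no_baseline")           # cannot clear the host; investigate manually
        elif ratio >= ratio_threshold:
            reasons.append(f"egress_{ratio}x_baseline")
        reasons.extend(sorted(rec["indicators"]))
        findings.append({
            "host": host,
            "external_bytes": rec["bytes"],
            "baseline_ratio": ratio,
            "top_destination": max(rec["dests"], key=rec["dests"].get),
            "reasons": reasons,
            "suspicious": bool(reasons),
        })
    return sorted(findings, key=lambda f: f["external_bytes"], reverse=True)


if __name__ == "__main__":
    for f in assess_exfiltration(SAMPLE_FLOWS, BASELINE_DAILY_BYTES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['host']:7} {f['external_bytes'] / 1e9:8.2f} GB -> {f['top_destination']:20} "
              f"{flag} {', '.join(f['reasons'])}")
```

A host that is flagged here changes the incident from "encryption" to "encryption plus probable data theft", which in turn drives the notification obligations in Phase 6. The top destination is the address to block at the firewall and to hand to law enforcement; keep the raw flow records for that destination as evidence, since the ransom negotiation (if any) may hinge on whether the exfiltration claim is credible.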
Phase 4: Eradication
- Identify and remove the root cause: the initial access vector (phishing email, exploited vulnerability, compromised RDP)
- Remove all malware, persistence mechanisms, and attacker tools from affected systems
- Patch the vulnerability or close the access vector that enabled the attack
- Scan the entire network for indicators of compromise to ensure no dormant threats remain
Phase 5: Recovery
- Restore systems from known-clean backups that predate the earliest confirmed attacker activity, starting with the most critical business functions (backups taken after initial access may already contain encrypted files or attacker persistence; ransomware operators also routinely target backup servers, so confirm the backup platform itself was not compromised)
- Verify the integrity of restored data before bringing systems back online
- Rebuild systems that cannot be verified as clean
- Implement enhanced monitoring on recovered systems for at least 30 days
- Gradually restore network connectivity in a controlled manner
- Check for a publicly available decryption tool for the identified strain (nomoreransom.org) before considering ransom payment; keep a copy of the encrypted files even if no decryptor exists today, since keys and tools for a given family are sometimes released later
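"Verify the integrity of restored data before bringing systems back online" is easier to say than to do at 3 a.m. The following is an added example for this page, not code from any backup product: it compares a restored file tree against a manifest of SHA-256 hashes taken from the known-good backup, reports files that are missing, altered, or were never in the backup, and applies a byte-entropy check and extension and ransom-note heuristics to catch files that were encrypted before the snapshot was taken. The manifest format, the sample tree built by build_demo(), the ".locked" extension and the note name are constructed for the demonstration.

```python
"""Verify a restored file tree against a known-good backup manifest before
bringing the system back online.

Added example for this page, not code from any backup product. The manifest
format (relative path -> SHA-256 hex) and the sample tree built by build_demo()
are constructed for illustration.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXTS = {".locked", ".encrypted"}    # replace with the identified strain's extension(s)
NOTE_PREFIXES = ("readme", "restore", "recover", "decrypt", "how_to")
HIGH_ENTROPY = 7.5   # bits per byte; text is ~4-5, ciphertext approaches 8


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte. Compressed formats (zip, docx, jpeg) are also
    high-entropy, so this is a secondary signal; the manifest comparison is primary."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name):
    stem, ext = os.path.splitext(name.lower())
    return ext in {".txt", ".html", ".hta"} and stem.startswith(NOTE_PREFIXES)


def verify_restore(restore_root, manifest):
    """Return a report of problems; verdict is 'clean' only if every check passes."""
    root = Path(restore_root)
    report = {"missing": [], "mismatch": [], "unexpected": [],
              "suspect_encrypted": [], "ransom_notes": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, expected in sorted(manifest.items()):
        path = present.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["mismatch"].append(rel)
            if entropy(path.read_bytes()) > HIGH_ENTROPY:
                report["suspect_encrypted"].append(rel)     # altered AND looks like ciphertext
    for rel, path in sorted(present.items()):                # files the backup never contained
        report["unexpected"].append(rel)
        if looks_like_ransom_note(path.name):
            report["ransom_notes"].append(rel)
        elif path.suffix.lower() in SUSPECT_EXTS or entropy(path.read_bytes()) > HIGH_ENTROPY:
            report["suspect_encrypted"].append(rel)
    report["verdict"] = "do_not_restore" if any(report.values()) else "clean"
    return report


def build_demo(tamper=True):
    """Constructed restore tree. With tamper=True: one file encrypted in place (the snapshot was
    taken mid-attack), one file missing, plus a ransom note and an encrypted stray file."""
    root = Path(tempfile.mkdtemp(prefix="restore-verify-"))
    good = {
        "finance/q3.csv": b"account,amount\n1001,250.00\n1002,99.50\n",
        "hr/policy.txt": b"Acceptable use policy v4\n",
        "ops/runbook.md": b"# Runbook\n1. Isolate\n2. Preserve evidence\n",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in good.items()}
    restored = dict(good)
    if tamper:
        ciphertext = bytes(range(256)) * 16          # stands in for encrypted content (entropy 8.0)
        restored["finance/q3.csv"] = ciphertext
        del restored["hr/policy.txt"]
        restored["finance/RESTORE-MY-FILES.txt"] = b"your files are encrypted\n"
        restored["ops/secrets.xlsx.locked"] = ciphertext
    for rel, data in restored.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root, manifest


def demo(tamper=True):
    """Build the sample tree, verify it, clean up, and return the report."""
    root, manifest = build_demo(tamper)
    try:
        return verify_restore(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The manifest has to come from somewhere the attacker could not reach: generate it when the backup is taken and store it with the offline or immutable copy, not on the backup server's own file system. A backup that fails this check is still worth keeping, because an older snapshot may pass, and the list of suspect files tells you when encryption started on that server, which feeds the timeline in Phase 7.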
Phase 6: Communication
Effective communication during a ransomware incident is as important as the technical response.
- Internal: Keep employees informed about what happened, what is being done, and what they should/should not do
- Customers and partners: If data was potentially compromised, notify affected parties promptly and transparently
- Regulators: Under GDPR, NIS2, and sector-specific rules you may be legally required to report the incident within fixed deadlines: GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and NIS2 requires an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. The clock starts at awareness, not at the end of the investigation, so involve legal counsel from Phase 2 onward
- Law enforcement: Report the attack to relevant agencies (FBI IC3, Europol EC3, national CERT teams). They may have intelligence that assists your recovery
- Media: Prepare a holding statement. Designate a single spokesperson. Do not speculate publicly
Phase 7: Post-Incident Analysis
After the crisis is resolved, conduct a thorough lessons-learned review. This is not about assigning blame; it is about strengthening your defences for next time.
- Document the complete timeline of the incident
- Identify what worked well and what needs improvement in the response
- Update your incident response plan based on findings
- Implement additional technical controls to address identified gaps
- Share anonymised threat intelligence with industry peers and ISACs
- Schedule follow-up tabletop exercises incorporating lessons learned
Should You Pay the Ransom?
This is ultimately a business decision that must weigh multiple factors, including the criticality of encrypted data, the availability of backups, legal obligations, and the advice of law enforcement. Law enforcement agencies consistently recommend against payment: it funds further attacks, it does not guarantee a working decryptor or the deletion of stolen data, and where the operator is a sanctioned entity the payment itself may breach sanctions law. See our What Is Ransomware? page for a detailed analysis of the pay/no-pay decision.