How to Recover from a Ransomware Attack: Incident Response Playbook

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Ransomware response is not primarily a technical problem: it is a decision problem under time pressure with incomplete information, legal obligations, and significant financial consequences. The technical actions are well-defined; the difficulty is knowing which actions to take first, which evidence to preserve, and which decisions require external input before proceeding.
This playbook is organized in chronological phases. Each phase has decisions that must be made before moving to the next. Do not skip phases or execute them out of order: the most common recovery mistakes happen when organizations jump to rebuilding before containing, or restore from backups before verifying they are clean. Organizations that survive ransomware with minimal downtime typically had both a tested IR retainer and verified immutable backups in place before the incident.
Phase 1: Immediate Response (0-2 hours)
First 15 minutes: do these immediately, in this order:
1. Establish out-of-band communication:
- Move all IR team communication off corporate email/Slack immediately
- Attackers monitor compromised email during ransomware incidents
- Use: personal cell phones, Signal, WhatsApp, or a pre-established
out-of-band communication channel
- Assume all corporate systems are compromised until proven otherwise
2. Activate your Incident Response retainer:
- Call your IR firm immediately (not email)
- If no retainer: CISA (1-888-282-0870), FBI local field office
- Do NOT contact the attackers yet: your IR firm or legal counsel manages this
3. Notify legal counsel BEFORE taking remediation actions:
- Privilege protection: attorney-client privilege may cover IR investigation
- Legal will tell you what documentation is required
- Regulatory notification deadlines begin from "known" date
- Do NOT delete anything before legal approves
4. Preserve evidence before any remediation:
- Do NOT reboot encrypted systems (destroys volatile memory artifacts)
- Do NOT delete ransom notes or apparent malware files
- If possible: take memory dumps of affected running systems
- Take photographs of ransom notes on screen for documentation
Contain lateral movement (do not let it spread):
Network isolation options (choose based on scope):
Option A - Total network isolation (severe outbreak):
- Disable all external internet access at the perimeter firewall
- Disable all internal VLAN routing
- This stops spread and C2 communication but also stops business
Option B - Segment isolation (contained outbreak):
- Identify affected subnets from ransom note locations and encrypted files
- Block east-west traffic from affected subnets at the firewall/switch level
- Keep unaffected business segments operational
Option C - Individual host isolation (early detection):
- Isolate specific hosts via EDR (CrowdStrike: Contain Host)
- Remove network access from affected machines while preserving state
Disable compromised accounts immediately:
- Reset krbtgt password (if AD compromise is suspected): twice, 10 hours apart
- Disable any service accounts seen in attacker activity
- Block suspected attacker IPs at perimeter
Phase 2: Scope Assessment (2-8 hours)
Determine what is encrypted and what is not:
# Identify encrypted files by extension pattern:
# Most ransomware appends a unique extension to encrypted files
# Run from a non-compromised machine that can read network shares:
# Find files with unusual extensions (adjust extension pattern to match ransom note):
find /mnt/fileserver -name "*.encrypted" -o -name "*.locked" \
-o -name "*.RYUK" -o -name "*.blackmatter" 2>/dev/null | wc -l
# Windows: PowerShell scan for encrypted file patterns:
# (Run from a clean machine accessing shares remotely)
Get-ChildItem -Path '\\fileserver\shares' -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Extension -notmatch '\.(docx|xlsx|pdf|txt|jpg|mp4)$' } |
Select-Object FullName, Extension | Group-Object Extension |
Sort-Object Count -Descending | Select-Object -First 20
Identify the ransomware family:
1. Examine the ransom note for threat actor branding
2. Submit a sample encrypted file to:
- ID Ransomware: https://id-ransomware.malwarehunterteam.com/
(identifies 1,000+ ransomware families, checks for known decryptors)
- No More Ransom: https://www.nomoreransom.org/
(free decryption tools for specific ransomware families)
Knowing the family tells you:
- Whether free decryption exists (rare but real: check first)
- Typical attacker dwell time and data exfiltration behavior
- Whether backup deletion is confirmed behavior for this group
- Negotiation patterns and average ransom demanded
Assess backup integrity:
Backup assessment checklist:
□ Are backups stored offline, offsite, or in immutable cloud storage?
Yes → high confidence of clean backup availability
No → assume backups may also be encrypted
□ When did the attacker first gain access? (from initial compromise date)
This determines which backup versions predate the compromise
Only backups taken BEFORE the initial access date are definitively clean
□ Test a backup restore in an isolated environment BEFORE committing to this path:
- Restore one non-critical system from backup
- Verify restored files are not encrypted
- Run AV scan on restored system
- Do NOT restore to production without isolation testing
□ Is there evidence attackers specifically targeted backup systems?
Check: Veeam, Backup Exec, Azure Backup logs for unauthorized access
Ransomware groups (Conti, LockBit) specifically delete VSS shadow copies:
wmic shadowcopy delete (look for this in EDR logs pre-encryption)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Phase 3: Recovery Decision
The three recovery paths: make this decision with IR firm and legal:
Path A: Restore from backup
Requirements:
- Clean backups exist predating initial compromise
- Backup restoration is faster than other options
- Backup systems were not compromised
Steps:
1. Identify clean backup from before compromise date
2. Rebuild affected systems from scratch (not restore-in-place)
3. Restore data to rebuilt systems from backup
4. Scan restored systems before returning to production
5. Reset all credentials before bringing systems online
Note: Does NOT address double extortion: data may still be leaked
Path B: Rebuild from scratch
Requirements:
- Backups are unavailable, encrypted, or of uncertain integrity
- Business can tolerate extended downtime
Steps:
1. Source clean OS images and application installers
2. Rebuild all servers on fresh hardware or new VMs/cloud instances
3. Restore only data that can be verified clean
4. Accept permanent loss of data not backed up
Note: Most expensive in time and labor; cleanest result
Path C: Ransom negotiation (last resort)
When to consider:
- No viable backups
- Critical systems required for life/safety operations
- Decryptor available only from attacker
Before negotiating:
- Engage IR firm with ransomware negotiation experience
- Notify FBI/CISA (they track payments; may have intelligence on the group)
- Check OFAC sanction list: paying certain groups is illegal
- Negotiate to reduce demand (most groups reduce 20-50% if engaged)
- Paying does NOT guarantee decryption or prevent data leak
- Paying may mark you for future attacks
Regulatory and insurance obligations:
Notification requirements: consult legal for your specific obligations:
- GDPR: 72 hours from awareness if personal data affected (EU data)
- HIPAA: 60 days for breaches affecting 500+ individuals (US healthcare)
- SEC: 4 business days for material cybersecurity incidents (public companies)
- State breach notification: varies by state; often 30-72 hours
- Cyber insurance: notify immediately per policy terms
(most policies require notification within 24-72 hours of discovery)
Failure to notify on time may void coverage
□ Cyber insurance carrier contacted (breach hotline, not normal claims)
□ Forensic firm documented as insurance-approved vendor
□ All evidence preserved per IR retainer/insurance requirements
Phase 4: Rebuild and Harden
System rebuild sequence:
Rebuild order (critical to non-critical):
1. Identity infrastructure (AD DCs, Entra ID): everything depends on auth
2. Core network services (DNS, DHCP)
3. Security infrastructure (EDR, SIEM, backup systems)
4. Business-critical applications (ERP, email)
5. File servers and collaboration
6. User workstations (last: users can work from alternate devices)
For each rebuilt system:
□ Fresh OS installation from verified ISO (do not restore the OS partition)
□ All credentials reset before joining to domain
□ EDR installed before connecting to production network
□ Vulnerability scan run before returning to production
□ Verify no persistence mechanisms present (scheduled tasks, services, startup keys)
Harden against reinfection: the attacker still has your credentials:
# Reset krbtgt password (Kerberos Golden Ticket invalidation): twice:
# First reset:
Set-ADAccountPassword -Identity krbtgt -Reset \
-NewPassword (ConvertTo-SecureString 'NewRandomPassword1' -AsPlainText -Force)
# Wait 10 hours (covers maximum Kerberos ticket lifetime)
# Second reset (invalidates any Golden Tickets created with first password):
Set-ADAccountPassword -Identity krbtgt -Reset \
-NewPassword (ConvertTo-SecureString 'NewRandomPassword2' -AsPlainText -Force)
# Reset all privileged account passwords:
Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object {
Set-ADAccountPassword -Identity $_.SamAccountName -Reset \
-NewPassword (ConvertTo-SecureString (New-Guid).ToString() -AsPlainText -Force)
}
# Force all domain users to reset passwords at next login:
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true
# Review and remove unauthorized accounts and group memberships:
Get-ADUser -Filter {Enabled -eq $true} |
Where-Object { $_.Created -gt $initialAccessDate } |
Select-Object SamAccountName, Created, Description
# Disable and investigate any accounts created during the attacker dwell period
The bottom line
Ransomware response sequence: (1) establish out-of-band comms immediately (not corporate email), (2) call IR retainer and legal counsel BEFORE taking remediation actions, (3) contain lateral movement via network isolation: do NOT reboot encrypted systems or delete ransom notes, (4) identify the ransomware family via ID Ransomware to check for free decryptors, (5) assess backup integrity (only backups predating initial compromise are definitively clean), (6) choose recovery path (backup restore, rebuild, or negotiation) with IR firm and legal. The first 72 hours are the highest-leverage window for limiting damage. Notify cyber insurance within 24-72 hours per policy terms. After recovery: double-reset krbtgt, reset all privileged passwords, and force domain-wide password reset before restoring production access.
Frequently asked questions
Should you pay the ransom after a ransomware attack?
Payment is a last resort: attempt backup restoration and free decryption tools (ID Ransomware, No More Ransom) first. If considering payment: verify the ransomware group is not on the OFAC sanctions list (paying sanctioned groups is illegal under US law), engage an IR firm with ransomware negotiation experience, and notify the FBI (they may have intelligence on the group or a decryptor). Understand that payment does not guarantee decryption, does not prevent data leakage if double extortion applies, and may identify your organization as willing to pay: making future attacks more likely.
Why should you not reboot encrypted servers during a ransomware incident?
Encrypted servers may still hold volatile memory artifacts that are critical for forensic investigation: the attacker's tools, processes, and network connections may be visible in RAM before a reboot clears them. Some ransomware families also require the running process to perform decryption (if a key can be recovered from memory). Additionally, rebooting may trigger additional encryption stages, destroy evidence needed for insurance claims or law enforcement reporting, or trigger anti-recovery mechanisms some ransomware variants include.
What should be in a ransomware incident response playbook?
A ransomware IR playbook should define: (1) Detection and triage: indicators that trigger the playbook (EDR mass encryption alert, user reports, ransom note discovery), who declares an incident, and initial severity classification. (2) Containment: network isolation procedures for affected segments, guidance on whether to use automated isolation or manual firewall changes, and which systems to prioritize isolating first. (3) Investigation: how to determine patient zero, attacker dwell time, and whether data was exfiltrated before encryption. (4) Communication: who notifies legal, cyber insurance, law enforcement (FBI IC3), and regulators (GDPR 72-hour notification if applicable). (5) Recovery: backup verification steps, restoration order, and system rebuild procedures. Pre-identify your IR firm and cyber insurance contacts before an incident — do not search for them during one.
How do ransomware groups gain initial access to enterprise environments?
The three most common ransomware initial access vectors are: (1) Phishing emails with malicious attachments or links that deliver initial access malware (Qbot, IcedID, Emotet) which then sell access to ransomware affiliates. (2) Exploitation of internet-facing systems: unpatched VPN appliances (Pulse Secure, Fortinet, Citrix), RDP exposed to the internet, and Exchange servers. Ransomware groups actively scan for specific CVEs immediately after publication. (3) Compromised credentials: purchased from initial access brokers on dark web marketplaces — credentials are often stolen months earlier via infostealer malware. Prioritizing these three vectors covers the majority of ransomware incidents.
What is the 3-2-1 backup rule and why is it critical for ransomware recovery?
The 3-2-1 backup rule: 3 copies of data (production plus 2 backups), on 2 different media types (disk and tape, or disk and cloud), with 1 copy offsite (geographically separated or in a different cloud region). For ransomware specifically, the critical addition is air-gapping: the backup must be inaccessible from the production network during normal operations. Ransomware operators specifically target backup infrastructure to eliminate recovery options. Modern ransomware groups spend dwell time (often weeks) identifying and deleting backup systems before triggering encryption. Immutable backups (cloud storage with object lock, tape with offline media) are the reliable defense: the attacker can delete backup catalog entries but cannot modify the underlying immutable media.
How do you determine the initial access date during ransomware forensics to identify which backups are clean?
Establishing the initial access date requires examining multiple forensic data sources in parallel. Check EDR telemetry for the earliest appearance of attacker tooling: look for the first instance of known malware families, unusual PowerShell execution, or credential dumping indicators in the EDR process tree. Review firewall and proxy logs for C2 beaconing patterns: consistent outbound connections to newly registered domains at regular intervals (C2 heartbeat) often predate the ransomware deployment by days or weeks. Examine Windows Security Event ID 4624 and 4648 logs on domain controllers for the first use of compromised accounts or pass-the-hash patterns. Pull VPN authentication logs for accounts that authenticated from atypical geolocations or IP ranges. The earliest artifact across all sources is the conservative initial access date: any backup taken after this date should be treated as potentially compromised and restored only in an isolated environment with pre-restoration malware scanning before production use.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
