< 30 min
Time before most ransomware families execute VSS deletion commands to destroy shadow copies
512 MB
Default Windows Security event log size: overwrites oldest entries when full during high-volume incidents
90%
Of ransomware cases where memory forensics identified the initial access vector when collected before reboot
0
Commands in this checklist that require third-party tools: all use built-in Windows utilities

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most ransomware incident response guides start with 'contain the affected system.' That is correct, but containment is not the first step: evidence collection is, because the most valuable forensic artifacts disappear within minutes of encryption starting.

This checklist assumes you have confirmed ransomware execution on a Windows system and have physical or remote access to a command prompt. Every command uses built-in Windows tools. No downloads required. Work through steps in order: the earliest steps capture the most volatile evidence.

T+0 to T+5: Volatile Evidence (Collect Before Anything Else)

Do not reboot. Do not run antivirus scans. Do not move files. These actions destroy evidence or trigger additional encryption.

Create a working directory on an external drive or network share you control:

mkdir D:\forensics

Capture running processes (highest priority: disappears on reboot):

tasklist /v /fo csv > D:\forensics\processes.csv
wmic process get Caption,CommandLine,ParentProcessId,ProcessId,CreationDate /format:csv > D:\forensics\wmic_processes.csv

Capture network connections (shows C2 communication and lateral movement paths):

netstat -ano > D:\forensics\connections.txt
arp -a > D:\forensics\arp.txt
ipconfig /all > D:\forensics\network.txt
route print > D:\forensics\routes.txt

Capture active sessions and logged-on users:

query session > D:\forensics\sessions.txt
query user > D:\forensics\users.txt
net session > D:\forensics\net_sessions.txt

These five command groups take under 3 minutes and capture the data most likely to identify the initial access vector, lateral movement paths, and C2 infrastructure.

T+5 to T+20: Event Logs (Export Before Overwrite)

Windows event logs are finite in size. The Security log defaults to 512 MB and overwrites oldest entries when full. During a ransomware incident with high authentication activity, it can fill within minutes. Export now.

Export core event logs:

wevtutil epl Security D:\forensics\Security.evtx
wevtutil epl System D:\forensics\System.evtx
wevtutil epl Application D:\forensics\Application.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" D:\forensics\PowerShell.evtx
wevtutil epl "Microsoft-Windows-TaskScheduler/Operational" D:\forensics\TaskScheduler.evtx
wevtutil epl "Microsoft-Windows-WMI-Activity/Operational" D:\forensics\WMI.evtx

If Sysmon is deployed (highest forensic value if present):

wevtutil epl "Microsoft-Windows-Sysmon/Operational" D:\forensics\Sysmon.evtx

The Security log contains logon events (4624/4625), privilege use (4672), and object access. The PowerShell Operational log captures the download cradle or execution chain used for initial access. TaskScheduler and WMI logs capture persistence mechanisms.

Key event IDs to search for in post-collection analysis:

  • 4624 Type 3: Network logon (lateral movement)
  • 4625: Failed logon (brute force or credential stuffing)
  • 4698: Scheduled task created (persistence)
  • 4720: User account created (attacker backdoor account)
  • 7045: New service installed (common persistence method)
  • 1102: Security audit log cleared (attacker covering tracks)
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

T+20 to T+35: Shadow Copies and Startup Items

Check VSS shadow copies immediately: most ransomware deletes them within 30 minutes:

vssadmin list shadows > D:\forensics\shadows.txt
vssadmin list shadowstorage > D:\forensics\shadow_storage.txt

If shadow copies exist, they are your fastest path to pre-encryption file recovery. Do not attempt to mount them from the infected system: they may be in the process of being deleted. Document their IDs from the output above and use a clean system to mount them later.

WARNING: Do not run vssadmin delete shadows or any command that modifies shadow copies. Do not run System Restore. These destroy recovery options.

Capture startup and persistence locations:

reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D:\forensics\run_hklm.reg
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D:\forensics\run_hkcu.reg
reg export HKLM\SYSTEM\CurrentControlSet\Services D:\forensics\services.reg
reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon D:\forensics\winlogon.reg

List scheduled tasks:

schtasks /query /fo csv /v > D:\forensics\scheduled_tasks.csv

Ransomware persistence mechanisms almost always appear in one of these four locations. Capturing them now documents the persistence mechanism before it is removed by the ransomware itself or by premature remediation.

T+35 to T+60: File System and Network Context

Identify the encryption start time from file modification timestamps in the affected directories. Run this against a sample of encrypted files:

dir C:\Users\ /t:w /s /a > D:\forensics\file_timestamps.txt 2>&1

The earliest modified timestamps cluster around when encryption started. This establishes the timeline for log correlation.

Capture the ransom note: it typically contains the ransomware family name, a decryption ID, and sometimes the C2 contact method:

dir C:\ /b /s /a | findstr /i "readme" > D:\forensics\ransom_notes.txt
dir C:\ /b /s /a | findstr /i ".txt" | findstr /i "ransom\|decrypt\|recover" >> D:\forensics\ransom_notes.txt

The ransom note family identification matters for insurance purposes, for checking decryptor availability on nomoreransom.org, and for law enforcement reporting. If the family is unrecognized or you need to confirm it, static analysis of the ransomware binary with Ghidra and YARA can establish attribution when the ransom note alone is insufficient.

Document the scope before network isolation:

nbtstat -A <gateway_ip> > D:\forensics\network_discovery.txt
net view /all > D:\forensics\network_shares.txt

Isolate after evidence collection is complete. Disable the network interface via Device Manager or pull the ethernet cable. If this is a VM, take a snapshot before isolation to preserve memory state.

What to tell your IR firm when they arrive: Provide the D:\forensics directory, the encryption start time you identified, and the ransom note family. This halves their initial triage time.

The bottom line

The first 60 minutes after ransomware executes is a closing window. VSS shadow copies disappear within 30 minutes in most campaigns. Process lists are gone on reboot. Event logs overwrite during high-activity periods. Collect in this order: running processes and network connections first (T+0 to T+5), then event log exports (T+5 to T+20), then shadow copy documentation and persistence registry keys (T+20 to T+35), then file system timestamps and network scope (T+35 to T+60). Isolate the network only after evidence collection is complete. Every command in this checklist uses built-in Windows utilities: no downloads, no third-party tools, no prerequisites.

Frequently asked questions

What should I do first when ransomware hits?

Do not reboot, do not run antivirus scans, and do not move files. Open a command prompt and immediately run tasklist /v and netstat -ano to capture running processes and network connections before they disappear. These are the most time-sensitive forensic artifacts.

How long do VSS shadow copies survive after ransomware executes?

Most ransomware families execute VSS deletion commands within the first 30 minutes of encryption. Run vssadmin list shadows immediately after detecting the incident and document the shadow IDs before they are deleted. Do not attempt to mount them from the infected system.

What logs should I collect in the first 60 minutes of a ransomware incident?

Priority log collection in the first 60 minutes: (1) Windows Security event log from domain controllers covering the 72 hours before the incident (authentication, account management, policy changes). (2) Firewall and proxy logs showing outbound connections from affected endpoints over the same window. (3) EDR telemetry exports for all affected endpoints, including process execution, network connections, and file modification events. (4) DNS query logs from your DNS server or sinkhole for the affected endpoint IP addresses. (5) Any backup system logs showing when backup jobs last completed successfully. Collect these to offline storage before isolating systems, as isolation may disrupt log forwarding.

How do I preserve forensic evidence during a ransomware incident without slowing containment?

Run memory acquisition and process snapshot first (highest volatility: disappears on reboot), then network state (netstat -ano, arp -a, active connections), then event log export, then disk image of patient zero if time permits. You do not need to image every affected system: prioritize patient zero (first affected system, if identifiable), any confirmed command-and-control endpoints, and servers accessed during the attacker's lateral movement. Use a dedicated forensic workstation with external storage that has never been connected to the affected environment. Avoid running forensic tools from the affected system's own drive.

What is the first command I should run on a ransomware-affected Windows system?

Run tasklist /v /fo csv > c:\evidence\processes.csv immediately -- this captures all running processes with process IDs, user, memory usage, and window title before anything changes. Follow immediately with netstat -ano > c:\evidence\connections.txt to capture all open network connections with PIDs. Do both within the first 5 minutes, before any remediation action. These two outputs establish which process was responsible for the ransomware execution and where it was communicating at the moment of detection. Cross-reference the PIDs across both files: a process with an unusual external connection and a suspicious path is your ransomware executable.

What logs from Active Directory and domain controllers should be collected during ransomware response and why are they critical?

Active Directory logs are often the most important forensic evidence in ransomware incidents because most ransomware groups establish domain persistence before triggering encryption. Priority AD logs: Security event log from all domain controllers, especially Event IDs 4720 (account created), 4728/4756 (member added to privileged group), 4768/4769 (Kerberos ticket requests -- look for Golden Ticket and Kerberoasting indicators), 4625 (failed logons -- reveals password spraying timestamps), and 4648 (explicit credential use -- reveals lateral movement). Export these logs immediately before the attacker triggers a defensive response: netsh advfirewall set allprofiles state on and deleting event logs are common ransomware operator cleanup steps. Also collect: NTDS.dit backup timestamps (was the database recently backed up by a non-scheduled task?), DNS debug logs (reveals all lateral movement destinations), and WMI subscription persistence entries (Get-WMIObject -Namespace root\subscription -Class __EventFilter). Timeline the AD events against the ransomware encryption timestamps to determine the initial access vector and the dwell time before encryption was triggered.

Sources & references

  1. CISA Ransomware Guide
  2. NIST SP 1800-26: Data Integrity: Detecting and Responding to Ransomware
  3. Microsoft: Responding to Ransomware Attacks

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.