0A9F E785 1857 50AD 05CA A188 A708 1DB6 7F35 2F2A

Ransomware Playbook

The Ransomware Playbook defines the structured process an organization follows to detect, contain, respond to, recover from, and learn from a ransomware incident.

Introduction

Overview

In the event of a cybersecurity incident, it is important that any organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of a cybersecurity attack or breach. Although cybersecurity incidents differ in their nature and in the technologies involved, common incident types and methodologies can be grouped together so that an appropriate and timely response can be defined for each type. Incident-specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cybersecurity incident.

A cybersecurity incident response playbook is a set of pre-defined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituents of the South African National Research and Education Network (SA NREN) to respond to ransomware attacks. A ransomware attack is a cyber threat in which attackers use malware to encrypt files or systems and then demand a ransom in exchange for decrypting the information. Many current ransomware operations also exfiltrate data before encrypting it and threaten to publish it (so-called double extortion), which is why the analysis steps below check for exfiltration as well as encryption.

Purpose

The purpose of the SANReN CSIRT Ransomware Playbook is to provide guidance regarding the appropriate and timely response to a ransomware cybersecurity incident or attack.

Scope

This document has been designed for the sole use by the constituents of the SA NREN.

Review Cycle

This document is to be reviewed for continued relevancy by the SANReN CSIRT team at least once every 12 months, following any major cybersecurity incident, and as new information becomes available.

Preparation

Outlining the recommended steps required to prepare the constituent to respond to a Ransomware attack in a timely and effective manner.

Activity: Maintain documentation
Description: Implement, maintain, and review cybersecurity incident procedures.
Action(s):
- Maintain and regularly update technical documentation.
- Establish policies and procedures, and define roles and responsibilities.
- Create a Cyber Incident Response Plan.
- Establish and maintain a ransomware-specific incident response policy and procedure.
- Define escalation paths.
- Have legal counsel and external incident response contacts (SANReN CSIRT and TENET) on retainer.
- Document the network topology.

Activity: Identify and protect assets
Description: Maintain an understanding of the constituent's environment and protect identified assets.
Action(s):
- Maintain an asset inventory and a list of endpoint devices.
- Keep a list of all company-owned domains.
- Maintain a list of all company-owned assets.
- Protect identified assets: encrypt sensitive data; ensure robust security on all hosts; limit lateral movement of malware within networks; minimise unauthorised access to critical systems.
- Ensure robust backup and disaster recovery strategies (e.g., offline and immutable backups), and regularly test that backups can actually be restored.

Activity: Review available information
Description: Review cybersecurity incidents and their outputs.
Action(s):
- Review threats to the constituency, risks, and vulnerabilities.
- Stay informed about the latest ransomware threats.
- Review SANReN CSIRT weekly articles, alerts, and advisories.

Activity: Security controls
Description: Deploy appropriate tools and technologies to detect and block malware.
Action(s):
- Maintain and regularly update endpoint protection and anti-ransomware tools.
- Deploy anti-virus, anti-malware, and/or anti-spam solutions.
- Deploy and maintain Endpoint Detection and Response (EDR) solutions across endpoints.
- Implement least-privilege access and enforce multi-factor authentication (MFA).
- Implement network segmentation: enforce VLANs and restrict access between segments to what is necessary.
- Regularly deploy updates and perform patch management.

Activity: Training
Description: Educate employees about ransomware through awareness campaigns and training.
Action(s):
- Run internal and external awareness and training sessions.
- Conduct ransomware tabletop exercises.
- Regularly train staff to recognise phishing and social engineering attacks.

Detection and Analysis

Providing the recommended steps to follow to enable the detection of Ransomware and related attacks and conduct the investigation of the collected data to determine the scope and impact of the Ransomware attack.

Escalate findings to the SANReN CSIRT team for further analysis and share the identified Indicators of Compromise (IoCs) with the CSIRT.

Detect

Activity: Monitor network traffic
Description: Detect unusual data transfers or encryption activity.
Action(s):
- Analyse network logs for unusual outbound traffic using appropriate tools.
- Block suspicious IP addresses and domains.
- Report and escalate unusual traffic according to the existing Cyber Incident Response Plan or established policies and procedures.
- Work with the SANReN CSIRT and the Tertiary Education and Research Network of South Africa (TENET) for further investigation.
- Inform the SANReN CSIRT team so that other constituents can be alerted.
- Inform the legal department if the attack has potential legal ramifications.

Activity: Check for unauthorised processes
Description: Malware may run as unknown processes in the background.
Action(s):
- Use task managers or the EDR process view to identify unknown or unusual processes.
- Record the process name, path, parent process and command line (and capture memory where possible) before terminating a process, so that evidence needed for the analysis phase is not lost.

Activity: Security tool alerts
Description: Identify ransomware-related alerts from security tools.
Action(s):
- Investigate alerts from anti-virus, EDR, SIEM, and other behavioural analysis logs.
- Review system logs for unusual activities and unauthorised access attempts.
- Look for typical ransomware indicators: mass file rename/delete events; unauthorised PowerShell/WMIC execution; unexpected outbound traffic or DNS tunnelling.

Activity: Monitor file system changes
Description: Detect unauthorised modifications to critical files.
Action(s):
- Use integrity monitoring tools to detect unauthorised file changes.
- Configure alerts for file changes and ransomware signs (e.g., bursts of renames to an unfamiliar extension, the same ransom note file appearing in many directories).

Activity: Monitor user activity
Description: Identify unusual logins or privilege escalations.
Action(s):
- Analyse authentication logs and privilege usage.
- Treat user reports as detection signals: inability to access files; appearance of ransom notes; unexpected system behaviour (e.g., system slowdown, locked screens).

Activity: Validate the ransomware incident
Description: Based on the alerts and activities detected, confirm that the ransomware behaviour is genuine and not a false positive.
Action(s):
- Locate ransom notes (e.g., README.txt, DECRYPT-FILES.html).
- Identify the extension appended to encrypted files and compare it against known ransomware variants.
- Compare the observed indicators against known IoC feeds and TTP references (e.g., CISA advisories, MITRE ATT&CK).
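Two of the detection signs listed above, a burst of renames to an unfamiliar extension on one host and the same ransom note dropped into several directories, can be checked mechanically over file-system events from an EDR or file-integrity tool. The following Python script is an added example and is not part of the SANReN playbook; the event records, the extension allow-list, the ransom note name patterns and the thresholds are constructed assumptions that would be tuned per environment.

```python
"""Flag ransomware-style file activity in a stream of file-system events.

Added example, not part of the SANReN playbook. It implements two of the
detection signs listed above: a burst of renames to an unfamiliar extension
on one host, and the same ransom note name appearing in several directories.
The event records, the extension allow-list and the thresholds are
constructed assumptions to be tuned per environment.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os
import re

# Extensions normally seen in the environment (assumption: tune per site).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
# Filename shapes typical of ransom notes (README*, *DECRYPT*, HOW_TO_RECOVER*).
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^readme.*\.(txt|html|hta)$",
    r"^.*decrypt.*\.(txt|html|hta)$",
    r"^how[_ -]?to[_ -]?(recover|restore|decrypt).*$",
)]
RENAME_THRESHOLD = 20            # renames to an unknown extension ...
WINDOW = timedelta(seconds=60)   # ... within this window on one host
NOTE_DIR_THRESHOLD = 3           # same note name dropped in this many directories

@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    user: str
    action: str   # "rename" or "create"
    path: str     # path after the action

def split_path(path):
    """Split on either separator so Windows paths work on a Linux analysis host."""
    m = re.match(r"^(.*)[\\/]([^\\/]*)$", path)
    return (m.group(1), m.group(2)) if m else ("", path)

def is_ransom_note(path):
    name = split_path(path)[1]
    return any(p.match(name) for p in NOTE_PATTERNS)

def detect(events):
    """Return alert dicts for a sequence of FileEvent, in time order."""
    alerts = []
    windows = defaultdict(deque)   # (host, ext) -> timestamps of recent renames
    fired = set()                  # (host, ext) pairs already alerted on
    note_dirs = defaultdict(set)   # (host, note name) -> directories seen
    for ev in sorted(events, key=lambda e: e.ts):
        directory, name = split_path(ev.path)
        ext = os.path.splitext(name)[1].lower()
        if ev.action == "rename" and ext and ext not in KNOWN_EXTENSIONS:
            key = (ev.host, ext)
            q = windows[key]
            q.append(ev.ts)
            while ev.ts - q[0] > WINDOW:     # drop timestamps outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append({"type": "mass_rename", "host": ev.host, "user": ev.user,
                               "extension": ext, "count": len(q), "first_seen": q[0]})
        if ev.action == "create" and is_ransom_note(ev.path):
            key = (ev.host, name.lower())
            note_dirs[key].add(directory)
            if len(note_dirs[key]) == NOTE_DIR_THRESHOLD:
                alerts.append({"type": "ransom_note", "host": ev.host, "user": ev.user,
                               "note": name, "directories": NOTE_DIR_THRESHOLD})
    return alerts

def sample_events():
    """Constructed sample: normal saves on ws-02; on ws-01, 25 renames to .locked
    within 25 seconds followed by a ransom note in three directories."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    evs = [FileEvent(base + timedelta(seconds=i), "ws-02", "alice", "rename",
                     f"C:\\Users\\alice\\Documents\\report{i}.docx") for i in range(5)]
    evs += [FileEvent(base + timedelta(seconds=i), "ws-01", "bob", "rename",
                      f"C:\\Users\\bob\\Documents\\file{i}.docx.locked") for i in range(25)]
    evs += [FileEvent(base + timedelta(seconds=30), "ws-01", "bob", "create",
                      f"C:\\Users\\bob\\{d}\\README_DECRYPT.txt")
            for d in ("Documents", "Pictures", "Desktop")]
    return evs

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The rename detector keys on host and extension rather than on user, because ransomware frequently runs under a service or stolen account rather than the logged-in user; the alert carries the user only as context for the analyst. The note detector fires once, at the moment the third directory is seen, so a single user saving one README.txt does not trigger it.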

Analyse

Activity: Collect relevant evidence
Description: Capture and preserve the collected evidence.
Action(s):
- Export relevant logs (Windows Event Logs, firewall logs, etc.).
- Securely collect ransomware samples for offline analysis.
- Document all indicators: file hashes, IP addresses, domain names, file names, and registry keys.
- Use appropriate frameworks and security vendor databases to cross-reference the identified malware with known ransomware cases.

Activity: Ransomware identification
Description: Identify the ransomware family by reviewing the ransom demand, the attacker's Tactics, Techniques and Procedures (TTPs), and potential decryption options.
Action(s):
- Compare the ransom note and encryption patterns with public repositories: ID Ransomware; NoMoreRansom.org.
- Determine whether it is part of a known ransomware-as-a-service (RaaS) campaign.

Activity: Determine attack vectors
Description: Identify how the ransomware entered the system.
Action(s):
- Analysis techniques: examine email logs for phishing attempts; review remote access logs (e.g., RDP, VPN) for anomalies; look for early-stage dropper or exploit tools; check for signs of initial compromise weeks before encryption; examine network traffic and user activity.
- Common entry points: email phishing (malicious attachments or links); RDP exploits (brute-force attacks or known vulnerabilities); vulnerable software (unpatched applications or exposed services, e.g., VPNs, web apps); third-party compromise (managed service provider (MSP) or vendor access misuse).
- Use the asset inventory and scanning tools.

Activity: Determine scope and impact
Description: Determine the number of impacted users and devices, and map out compromised devices and impacted data.
Action(s):
- System inventory: identify how many systems are affected (workstations, servers, VMs, cloud assets).
- Check whether backups are encrypted or deleted.
- Examine whether business-critical systems (e.g., business processes, email, Active Directory) are compromised.
- Data impact analysis: identify what data has been encrypted (e.g., PII, PHI, financial data).
- Determine whether any exfiltration occurred (check for beaconing and unusual outbound flows).

Activity: Analyse ransomware activity
Description: Evaluate the persistence and privilege escalation performed by the ransomware and its operators.
Action(s):
- Look for scheduled tasks, service creation, and registry changes (Run, RunOnce, etc.).
- Identify unauthorised use of administrator credentials or tokens.
- Examine the use of known tools (e.g., Mimikatz, Cobalt Strike, PsExec).

Activity: Evaluate lateral movement
Description: Determine the spread of the ransomware within the network.
Action(s):
- Review access logs and the effectiveness of network segmentation in an effort to isolate the ransomware.
- Use network asset inventory tools to map the lateral spread.

Activity: Documentation and reporting
Description: Report continuously as the investigation progresses to ensure all relevant parties are up to date.
Action(s):
- Record the following: incident timeline; systems/users affected; indicators of compromise (IoCs); attack vector and ransomware family; risk/impact summary.
- Establish appropriate communication methods (e.g., email or website, internal or external).
- Notify executive management, legal, and communications teams.
- Inform the SANReN CSIRT and TENET of the findings.
- If applicable, begin drafting regulatory notifications (e.g., under PoPIA).
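The persistence and privilege-escalation checks above (scheduled tasks, service creation, Run/RunOnce keys, encoded PowerShell, known attacker tools) map onto a small set of Windows event IDs, and the triage over exported Event Logs can be scripted. The following Python script is an added example and is not the playbook's own tooling; the event records, the suspicious-directory list, the tool-name list and the event IDs it watches (4688, 7045, 4698, 4657) are assumptions, and the 4688 and 4657 checks only work if command-line auditing and a registry SACL, respectively, are enabled.

```python
"""Triage Windows event records for ransomware persistence and privilege-escalation
artefacts: encoded PowerShell, known attacker tools, service installs from
user-writable paths, scheduled tasks, and Run/RunOnce key changes.

Added example, not part of the SANReN playbook. The event records, the
suspicious-directory list and the tool-name list are constructed assumptions.
"""
import base64
import re
from dataclasses import dataclass

# Directories from which a legitimate service should rarely run (assumption).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\",
                   "\\users\\public\\", "\\windows\\temp\\")
# Substrings of the tools the playbook names, plus common aliases (assumption).
KNOWN_TOOLS = ("mimikatz", "sekurlsa", "psexec", "cobaltstrike", "beacon")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

@dataclass(frozen=True)
class Event:
    ts: str        # ISO 8601 timestamp, so string order is time order
    host: str
    event_id: int  # Windows Security/System event ID
    fields: dict   # the event fields this triage looks at

def decode_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Return (ts, host, finding, detail) tuples in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        f = ev.fields
        if ev.event_id == 4688:           # process creation (needs command-line auditing)
            cmd = f.get("CommandLine", "")
            decoded = decode_powershell(cmd)
            if decoded is not None:
                findings.append((ev.ts, ev.host, "encoded_powershell", decoded))
            if any(t in cmd.lower() for t in KNOWN_TOOLS):
                findings.append((ev.ts, ev.host, "known_tool", cmd))
        elif ev.event_id == 7045:         # System log: a new service was installed
            path = f.get("ImagePath", "")
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                findings.append((ev.ts, ev.host, "service_persistence",
                                 f"{f.get('ServiceName', '')} -> {path}"))
        elif ev.event_id == 4698:         # scheduled task created
            findings.append((ev.ts, ev.host, "scheduled_task",
                             f"{f.get('TaskName', '')} by {f.get('SubjectUserName', '')}"))
        elif ev.event_id == 4657:         # registry value modified (needs a SACL on the key)
            key = f.get("ObjectName", "")
            if any(k in key.lower() for k in RUN_KEYS):
                findings.append((ev.ts, ev.host, "run_key", f"{key} = {f.get('NewValue', '')}"))
    return findings

def sample_events():
    """Constructed records; the encoded command disables Defender real-time monitoring."""
    payload = "Set-MpPreference -DisableRealtimeMonitoring $true"
    enc = base64.b64encode(payload.encode("utf-16-le")).decode()
    return [
        Event("2024-05-01T08:40:12", "srv-01", 4688,
              {"CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}),
        Event("2024-05-01T08:41:03", "srv-01", 4688,
              {"CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"}),
        Event("2024-05-01T08:42:30", "srv-01", 7045,
              {"ServiceName": "WinUpdateSvc", "ImagePath": "C:\\ProgramData\\upd.exe"}),
        Event("2024-05-01T08:43:10", "srv-01", 4698,
              {"TaskName": "\\Microsoft\\Windows\\Sync", "SubjectUserName": "svc_backup"}),
        Event("2024-05-01T08:44:55", "srv-01", 4657,
              {"ObjectName": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
               "NewValue": "C:\\ProgramData\\upd.exe"}),
        Event("2024-05-01T08:46:00", "dc-01", 4688,
              {"CommandLine": "C:\\Users\\Public\\m.exe privilege::debug sekurlsa::logonpasswords"}),
    ]

if __name__ == "__main__":
    for row in triage(sample_events()):
        print(row)
```

The output is already a time-ordered list of (timestamp, host, finding, detail), which is the shape the incident timeline in the reporting step needs. Decoding the PowerShell payload matters because the encoded form hides exactly the action (here, disabling real-time protection) that tells the analyst how far the attacker got before encryption.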

Containment, Eradication and Recovery

Outlining the necessary steps to isolate the Ransomware attack and subsequent threats, eliminate and remove the effects of the Ransomware attack, and recover to resume normal operations.

Containment

Activity: Contain affected hosts
Description: Identify and isolate affected systems and endpoints.
Action(s):
- Remove affected endpoints and systems from the network (disable network interfaces, shut down Wi-Fi). Prefer network isolation to powering off, so that memory and running-process evidence is preserved for analysis.
- Isolate endpoints from the production network.
- Block known C2 IPs/domains at the firewall.

Activity: Contain affected accounts
Description: Identify compromised accounts or at-risk credentials.
Action(s):
- Reduce access to critical systems or data until the investigation has been completed.
- Disable affected user accounts and terminate malicious processes.

Activity: Block malicious activity
Description: Block activity based on the identified indicators of compromise (IoCs).
Action(s):
- Update firewall rules and proxies with the identified IoCs.
- Use encrypted, preferably out-of-band, communication channels (e.g., VPN, TLS, or PGP) when sharing IoCs and other sensitive incident data, since the attacker may still have visibility into the compromised environment.

Activity: Restrict network traffic
Description: Minimise lateral movement of the ransomware.
Action(s):
- Apply segmentation controls and disable unnecessary services.

Eradication

Activity: Remove the ransomware
Description: Eliminate the ransomware from infected systems.
Action(s):
- Remove ransomware binaries and artifacts from affected systems.
- Purge related applications or software from the infected device.
- Delete downloaded attachments, if any.
- Use anti-virus, EDR, and malware removal tools.

Activity: Reset all credentials
Description: Ensure that attackers cannot regain access.
Action(s):
- Force password resets for affected accounts, and for all privileged and service accounts if domain-level compromise is suspected.
- If Active Directory was compromised, reset the krbtgt account password twice, waiting at least the maximum Kerberos ticket lifetime between the two resets, so that forged tickets are invalidated.
- Revoke and reissue any API keys, certificates, or tokens that were exposed.

Activity: Rebuild affected systems
Description: Restore compromised devices to a clean state.
Action(s):
- Re-image and re-deploy systems where necessary.
- Apply patches and close exploited vulnerabilities.

Recovery

Activity: Decryption
Description: Recover encrypted systems or data.
Action(s):
- Investigate whether free decryption tools are available (e.g., NoMoreRansom.org).
- Do not pay the ransom unless mandated by executive decision and legal approval.

Activity: Return systems and endpoints
Description: Recover systems based on the business impact analysis and business criticality.
Action(s):
- Re-integrate previously compromised systems and endpoints.
- Restore suspended services.
- Restore affected systems from a trusted backup taken before the initial compromise, not merely before the encryption event, since the intrusion may predate the encryption by weeks.
- Re-install any standalone system from a clean OS image before updating it with a trusted data backup.
- Validate systems before reconnecting them to the network.

Activity: Update defences
Description: Conduct a vulnerability scan of all systems and strengthen controls before returning to normal operations.
Action(s):
- Establish and improve monitoring for suspicious behaviour.
- Improve the security of user accounts and enforce multi-factor authentication (MFA).
- Implement the necessary patches.
- Perform a full system anti-malware scan and integrity check.
- Update anti-virus and anti-malware solutions.
- Closely monitor for reinfection or further malicious activity.
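"Validate systems before reconnecting" and "check if backups are encrypted" both come down to the same question: are the files in the restored tree really the documents they claim to be? The following Python script is an added example, not part of the SANReN playbook, of a first-pass check: it compares each file's leading bytes against the magic bytes expected for its extension, flags an unknown extension appended over a known one, and computes Shannon entropy of the leading bytes (ciphertext sits near 8 bits per byte). The magic-byte table, the entropy threshold, the compressed-format exemption list and the sample file contents are constructed assumptions; the scan_directory helper applies the same checks to a real restored tree.

```python
"""Check restored or backup files for signs of ransomware encryption before a
system is reconnected: expected magic bytes versus extension, an extension
appended over a known file type, and Shannon entropy of the leading bytes.

Added example, not part of the SANReN playbook. The magic-byte table, the
entropy threshold and the sample files are constructed assumptions.
"""
import hashlib
import math
import os
from collections import Counter

MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".png": b"\x89PNG",
         ".jpg": b"\xff\xd8\xff", ".exe": b"MZ"}
# Legitimately high-entropy formats, exempted to avoid false positives (assumption).
COMPRESSED = {".gz", ".7z", ".rar", ".mp4", ".mp3"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits near 8.0
SAMPLE_BYTES = 4096       # the leading bytes are enough to classify

def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name, data):
    """Return (verdict, reason) for a file given its name and leading bytes."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # e.g. ".jpg" in "photo.jpg.locked"
    head = data[:SAMPLE_BYTES]
    ent = shannon_entropy(head)
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        if ent >= ENTROPY_THRESHOLD:
            return "likely_encrypted", f"header mismatch for {ext}, entropy {ent:.2f}"
        return "suspicious", f"header mismatch for {ext}, entropy {ent:.2f}"
    if expected is None and inner_ext in MAGIC:
        return "likely_encrypted", f"extension {ext} appended over {inner_ext}"
    if expected is None and ext not in COMPRESSED and ent >= ENTROPY_THRESHOLD:
        return "suspicious", f"unknown extension with entropy {ent:.2f}"
    return "clean", f"entropy {ent:.2f}"

def scan(files):
    """files: mapping of path -> leading bytes. Returns path -> (verdict, reason)."""
    return {name: classify(name, data) for name, data in files.items()}

def scan_directory(root):
    """Same check over a real restored tree, reading only SAMPLE_BYTES per file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(SAMPLE_BYTES)
    return scan(files)

def sample_files():
    """Constructed contents: deterministic pseudo-random bytes stand in for ciphertext."""
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
        "notes.txt": b"Meeting notes for Q2 planning.\n" * 40,
        "budget.xlsx": ciphertext,           # zip container overwritten with ciphertext
        "photo.jpg.locked": ciphertext,      # ransomware appended its own extension
        "archive.gz": ciphertext,            # compressed data is high entropy but fine
    }

if __name__ == "__main__":
    for path, (verdict, reason) in scan(sample_files()).items():
        print(f"{verdict:17} {path:20} {reason}")
```

The entropy test alone is not a verdict, because compressed archives, media and already-encrypted containers are legitimately near 8 bits per byte; that is why the script only escalates to "likely_encrypted" when the header or extension evidence agrees, and why the exemption list exists. Anything flagged should be compared against the ransom note and file-extension findings from the validation step rather than deleted outright.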

Post Incident Activity

Recommended steps to conduct after the Ransomware attack has been investigated and resolved to ensure lessons are learned and improvements are put into place.

Activity: Lessons learned
Description: Process the incident, review strategies, and revisit preparations for potential future incidents.
Action(s):
- Hold a "lessons learned" meeting. Questions to discuss: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery?
- Update the ransomware playbook based on the lessons learned.

Activity: Incident reporting
Description: Draft the post-incident report.
Action(s):
- Create a detailed incident report covering: timeline of the incident; root cause analysis; impact assessment; actions taken; recommendations for improvement.
- Share it with the appropriate security response teams (e.g., SANReN CSIRT and TENET).
- Report the incident to the required stakeholders: legal, compliance, insurers; law enforcement and regulators (if applicable).

Activity: Update policies and procedures
Description: Strengthen security policies and procedures based on the findings.
Action(s):
- Revise policies and plans: incident response/disaster recovery; backup; IT security; business continuity.

Activity: User awareness training
Description: Educate employees about potential risks and threats, equipping them with the knowledge and skills to recognise ransomware.
Action(s):
- Internal communication (e-mail) or an announcement on the internal website.
- Educate employees on: how to recognise a suspicious email; safe download practices; recognising malware symptoms and patterns; remote work security; browser safety; software update awareness; password hygiene.

Checklist

Action (tick when completed)

Detection and Analysis
1. Determine whether an incident has occurred – identify indicators such as encrypted files and ransom notes.
2. Identify the type of ransomware.
3. Isolate affected systems – audit unknown startup programs and scheduled tasks, recording them before removal.
4. Analyse logs for suspicious activity.
5. Verify DNS, proxy settings and other relevant network configurations.
6. Perform a comprehensive anti-malware and endpoint detection scan.
7. Document Indicators of Compromise (IoCs) and report to the security management team (SANReN CSIRT and TENET).
8. Continuously monitor for lateral movement or reinfection.

Containment, Eradication and Recovery
9. Isolate infected systems from the network – disable affected accounts, quarantine and isolate affected systems and endpoints.
10. Immediately delete or disable malware persistence mechanisms.
11. Implement firewall rules to block malicious IPs and domains.
12. Uninstall malicious software and remove related files and registry entries.
13. Perform deep system scans to verify complete removal of the malware.
14. Patch detected vulnerabilities.
15. Conduct a thorough inspection of system backups for traces of infection.
16. Restore systems from clean, verified backups.
17. Conduct a system integrity check.

Post-Incident Activity
18. Conduct a "Lessons Learned" meeting.
19. Create a post-incident report – share with relevant parties.
20. Update security policies and procedures.
21. Conduct user awareness training.