From My SOC Playbook --> Confirming and Containing Ransomware...

Jim Leone

7/24/2025 · 2 min read

When ransomware strikes, the first few minutes can make or break your response. Acting swiftly and methodically can contain the damage, preserve vital evidence, and prevent the attack from spreading deeper into the network. This SOC playbook outlines the critical steps to take immediately when ransomware is suspected, along with key pitfalls to avoid.

Identify Early Warning Signs

Ransomware isn't always obvious. Be alert for the following symptoms:

  • Files renamed with unfamiliar extensions, or files that no longer open because they have been encrypted

  • Sudden inability to access mapped drives or shared folders

  • Appearance of ransom notes (e.g., READ_ME.txt or DECRYPT.html)

  • Spikes in CPU or disk activity

  • EDR/AV alerts showing unusual behavior, such as PowerShell abuse or file overwrites

  • Reports from users unable to access data or systems

Action --> Treat any of these as high-priority SOC alerts. Investigate quickly and escalate if suspicious patterns appear.
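The first two signs above (odd extensions and ransom notes) can be turned into a detection that runs over file-event telemetry from an EDR. The script below is an added example, not part of the playbook or any vendor product; its event shape, indicator lists and thresholds are constructed for the demonstration and would be tuned to your own feed. It flags a host when a ransom note appears or when many files are renamed to a suspicious extension inside a short sliding window.

```python
"""Added example (not from the playbook): score per-host file telemetry for the
warning signs listed above. Event shape, thresholds and indicator lists are
constructed for this example and would be tuned to your own EDR feed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumed indicators: extensions commonly seen on encrypted files and ransom-note filenames.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"READ_ME.txt", "DECRYPT.html", "HOW_TO_DECRYPT.txt"}
RENAME_BURST_THRESHOLD = 50          # renames to a suspicious extension ...
BURST_WINDOW = timedelta(minutes=2)  # ... within this sliding window


def _extension(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = ntpath.basename(path)
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def analyze(events):
    """Return {host: [reasons]} for every host showing ransomware warning signs.

    events: iterable of dicts with keys ts (datetime), host, user, action
    ('create' | 'modify' | 'rename'), path and, for renames, new_path.
    """
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = {}
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        reasons = []

        # Sign 1: a ransom note dropped anywhere on the host.
        for event in host_events:
            if event["action"] == "create" and ntpath.basename(event["path"]) in RANSOM_NOTE_NAMES:
                reasons.append(f"ransom note created by {event['user']}: {event['path']}")
                break

        # Sign 2: a burst of renames to a suspicious extension inside BURST_WINDOW
        # (sliding window over the time-ordered rename events).
        renames = [e for e in host_events
                   if e["action"] == "rename" and _extension(e["new_path"]) in SUSPICIOUS_EXTENSIONS]
        start = 0
        for end in range(len(renames)):
            while renames[end]["ts"] - renames[start]["ts"] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST_THRESHOLD:
                users = {e["user"] for e in renames[start:end + 1]}
                reasons.append(f"{end - start + 1} files renamed to {_extension(renames[end]['new_path'])} "
                               f"within {BURST_WINDOW} by {', '.join(sorted(users))}")
                break

        if reasons:
            findings[host] = reasons
    return findings


def build_sample_events():
    """Constructed telemetry: one quiet workstation and one showing both signs."""
    t0 = datetime(2025, 7, 24, 9, 0, 0)
    events = []
    for i in range(5):  # WS-002: ordinary document saves
        events.append({"ts": t0 + timedelta(seconds=30 * i), "host": "WS-002", "user": "alice",
                       "action": "modify", "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    for i in range(60):  # WS-017: 60 renames to .locked in one minute ...
        events.append({"ts": t0 + timedelta(seconds=i), "host": "WS-017", "user": "bob",
                       "action": "rename", "path": f"C:\\Shares\\Finance\\invoice{i}.xlsx",
                       "new_path": f"C:\\Shares\\Finance\\invoice{i}.xlsx.locked"})
    events.append({"ts": t0 + timedelta(seconds=61), "host": "WS-017", "user": "bob",  # ... then a note
                   "action": "create", "path": "C:\\Shares\\Finance\\READ_ME.txt"})
    return events


if __name__ == "__main__":
    for host, reasons in analyze(build_sample_events()).items():
        print(f"HIGH PRIORITY {host}:")
        for reason in reasons:
            print("  -", reason)
```

The rename-burst rule is deliberately rate-based rather than extension-only: a single user renaming one file to ".enc" is noise, while fifty renames in two minutes on a file share is the pattern worth an immediate escalation. Keep the ransom-note rule separate so that an unknown extension does not hide the note.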

Contain the Threat Immediately

Time is your enemy. Once ransomware detonates, lateral movement can begin within minutes.

Take these actions without delay...

  • Isolate affected systems from the network (pull the plug or disable switch ports)

  • Disable Wi-Fi and Bluetooth if active

  • Kill suspicious processes via EDR tools if they're still running

  • Block outbound traffic from affected hosts (especially to Tor or known C2 infrastructure)

  • Suspend compromised user accounts

Containment buys time for investigation and forensics.

Preserve Evidence

Don’t rush to wipe systems. Digital evidence is vital for attribution, for understanding the blast radius, and for meeting regulatory requirements.

Preserve...

  • Memory (RAM) dumps if possible

  • Ransom notes, encrypted files, and logs

  • EDR telemetry and forensic snapshots

  • Firewall, VPN, and proxy logs

Tip: Don’t reboot infected machines unless absolutely necessary. You risk losing volatile evidence.
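Preserved evidence is only useful later if you can show it was not altered after collection. The script below is an added example (not from the playbook) of hashing each collected artifact into a manifest at collection time and re-checking it later; the file names and contents it creates are constructed for the demonstration.

```python
"""Added example (not from the playbook): hash every collected artifact into a
manifest at collection time so later handling can prove nothing changed.
File names and contents below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large memory dumps need not be loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, host, collector):
    """Record path, size, mtime and SHA-256 for each artifact plus who collected it and when."""
    artifacts = []
    for path in paths:
        st = os.stat(path)
        artifacts.append({
            "path": path,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return {
        "host": host,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest (empty list = intact)."""
    changed = []
    for artifact in manifest["artifacts"]:
        path = artifact["path"]
        if not os.path.exists(path) or sha256_file(path) != artifact["sha256"]:
            changed.append(path)
    return changed


def demo():
    """Collect three constructed artifacts, verify them, then show that tampering is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        note = os.path.join(workdir, "READ_ME.txt")
        fw_log = os.path.join(workdir, "firewall.log")
        sanity = os.path.join(workdir, "sanity.bin")
        with open(note, "w") as f:
            f.write("Constructed sample ransom note text\n")
        with open(fw_log, "w") as f:
            f.write("2025-07-24T09:02:10Z DENY src=10.0.1.17 dst=203.0.113.9 dport=443\n")
        with open(sanity, "wb") as f:
            f.write(b"abc")  # known SHA-256 test vector

        manifest = build_manifest([note, fw_log, sanity], host="WS-017", collector="analyst1")
        manifest_json = json.dumps(manifest, indent=2)  # what you would store alongside the evidence
        intact = verify_manifest(manifest)              # expected: []

        with open(fw_log, "a") as f:                    # simulate an accidental edit
            f.write("extra line\n")
        after_tamper = verify_manifest(manifest)        # expected: [fw_log]

        return {
            "manifest": manifest,
            "manifest_json": manifest_json,
            "intact_check": intact,
            "tamper_check": [os.path.basename(p) for p in after_tamper],
            "sanity_sha256": manifest["artifacts"][2]["sha256"],
        }


if __name__ == "__main__":
    result = demo()
    print(result["manifest_json"])
    print("changed after tamper:", result["tamper_check"])
```

Write the manifest to a separate, write-once location (not the same volume as the artifacts) and record who collected what and when; that is the minimum a chain-of-custody record needs to stand up to legal or regulatory review.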

Assess Scope and Impact

Identify how far the infection has spread...

  • Which systems are encrypted?

  • Which users/accounts were involved?

  • What lateral movement (RDP, PsExec, SMB) is evident?

  • Are backups intact?

Use log correlation tools, SIEM, and EDR to map the attack path.
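To answer the "which accounts" and "what lateral movement" questions, a useful first correlation is to turn remote logons into a directed graph and walk it from patient zero. The script below is an added example, not the playbook's or any SIEM's code; the asset inventory and event records are constructed to resemble Windows Security/System events (4624 logons with logon types 10 for RDP and 3 for network/SMB, and 7045 service installs, where PsExec's default service name is PSEXESVC). Map your own SIEM field names onto the keys used here.

```python
"""Added example (not from the playbook): rebuild the attack path from logon and
service-install telemetry. The inventory, event records and field names are
constructed to resemble Windows Security/System events; map your own SIEM
fields onto them."""
from collections import defaultdict, deque

# Assumed asset inventory: source IP -> hostname.
INVENTORY = {"10.0.1.17": "WS-017", "10.0.1.22": "WS-022", "10.0.2.5": "FS-01", "10.0.2.9": "DC-01"}

# Constructed events. event_id 4624 = successful logon (logon_type 10 = RDP,
# 3 = network/SMB); event_id 7045 = service installed (PsExec installs PSEXESVC).
SAMPLE_EVENTS = [
    {"ts": "2025-07-24T09:03:11Z", "host": "WS-022", "event_id": 4624, "logon_type": 10, "user": "bob", "src_ip": "10.0.1.17"},
    {"ts": "2025-07-24T09:05:40Z", "host": "WS-022", "event_id": 4624, "logon_type": 2, "user": "alice", "src_ip": "-"},
    {"ts": "2025-07-24T09:07:02Z", "host": "FS-01", "event_id": 4624, "logon_type": 3, "user": "bob", "src_ip": "10.0.1.22"},
    {"ts": "2025-07-24T09:07:05Z", "host": "FS-01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"ts": "2025-07-24T09:12:30Z", "host": "DC-01", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.2.5"},
    {"ts": "2025-07-24T09:13:00Z", "host": "DC-01", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.9.99"},
]

LOGON_TYPE_LABEL = {10: "RDP", 3: "SMB/network"}


def build_edges(events):
    """Turn remote logons into directed edges (src_host -> dst_host) and note PsExec targets."""
    edges = defaultdict(list)   # src_host -> [(dst_host, label, user, ts)]
    psexec_hosts = set()
    unresolved = []             # remote logons whose source IP is not in the inventory
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            psexec_hosts.add(e["host"])
        elif e["event_id"] == 4624 and e.get("logon_type") in LOGON_TYPE_LABEL:
            src_host = INVENTORY.get(e["src_ip"])
            if src_host is None:
                unresolved.append(e)
            elif src_host != e["host"]:
                edges[src_host].append((e["host"], LOGON_TYPE_LABEL[e["logon_type"]], e["user"], e["ts"]))
    return edges, psexec_hosts, unresolved


def assess(events, patient_zero):
    """Breadth-first walk from patient zero; returns hosts reached, hops, accounts and techniques."""
    edges, psexec_hosts, unresolved = build_edges(events)
    reached = [patient_zero]
    hops = []
    accounts = set()
    techniques = set()
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, label, user, ts in edges.get(src, []):
            accounts.add(user)
            techniques.add(label)
            if dst in psexec_hosts:
                techniques.add("PsExec")
            if dst not in reached:
                reached.append(dst)
                queue.append(dst)
            hops.append(f"{ts} {src} -> {dst} via {label} as {user}")
    return {
        "hosts": reached,
        "hops": hops,
        "accounts": sorted(accounts),
        "techniques": sorted(techniques),
        "unresolved_sources": sorted({e["src_ip"] for e in unresolved}),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS, "WS-017")
    for line in result["hops"]:
        print(line)
    print("affected hosts:", result["hosts"])
    print("accounts:", result["accounts"], "techniques:", result["techniques"])
    print("remote logons from unknown sources:", result["unresolved_sources"])
```

Every host in the returned list needs containment and evidence collection, not just the one that raised the first alert, and every account in the list goes on the rotation list for recovery. Remote logons from sources the inventory cannot resolve are reported separately rather than dropped, since an unknown source address during an incident is itself a finding.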

Communicate Internally and Activate IR Plan

Notify key stakeholders...

  • SOC/NOC

  • IT Leadership

  • Legal and Compliance

  • Executive Leadership

Activate your incident response plan and begin drafting an executive summary.

Avoid --> Making premature public statements or paying ransom without full legal and leadership involvement.

Watch for Common Mistakes

Even seasoned teams can make these critical errors...

  • Rebooting infected systems too early

  • Starting re-imaging before full containment

  • Failing to secure backups (online backups can be hit too!)

  • Ignoring lateral movement and only cleaning the "obvious" endpoints

  • Overlooking logs that help trace the attacker’s path

Avoiding these can save time, money, and reputation damage.

Aftermath and Recovery

Once containment is confirmed...

  • Begin recovery using offline, verified backups

  • Rotate credentials for all impacted accounts

  • Patch any vulnerabilities or misconfigurations

  • Perform a full root cause analysis and IOC sharing

  • Report to necessary agencies (CISA, FBI, regulators)

Prepare a post-mortem and update your playbooks based on lessons learned.

Ransomware isn’t just a technical issue; it’s a business crisis. Having a pre-defined SOC playbook, trained staff, and rehearsed response workflows is what separates a minor disruption from a full-blown disaster.

If you’re reading this as a "just in case," bookmark it. If you’re reading this during an actual incident, stop and isolate.