Ransomware Response Checklist Template

This Ransomware Response Checklist (the “Checklist”) is maintained by [Company Name] and is effective as of [Effective Date].

1. Activation Criteria

1.1 Trigger Events. Activate this Checklist if any of the following occur:

• Ransom note detected

• Files encrypted unexpectedly or extensions changed

• Endpoint security alerts indicating ransomware behavior

• Unusual mass file writes/deletes

• Systems become inaccessible with signs of tampering
  1.2 Immediate Owner. Incident Commander: [Name/Role].
  1.3 Incident ID. [Incident ID].

2. Immediate Actions (First 0–60 Minutes)

2.1 Declare Incident and Restrict Access.

• Open an incident channel and restrict access to need-to-know

• Assign Incident Commander and leads (Security/IT/Legal/Comms)
  2.2 Containment (Stop Spread).

• Isolate affected endpoints/servers from the network

• Disable compromised accounts and enforce MFA

• Block suspicious IPs/domains and revoke tokens

• Disable remote access paths suspected of compromise (RDP/VPN)
  2.3 Preserve Evidence.

• Capture volatile data where feasible (running processes, network connections)

• Preserve logs (SIEM, EDR, AD, VPN, cloud logs)

• Snapshot affected systems before remediation if possible

• Document timestamps and actions taken
  2.4 Protect Backups.

• Verify backup integrity and isolate backups from production

• Pause scheduled backup jobs if they risk encrypting backups

• Confirm backup credentials are not compromised
  2.5 Initial Communications (Internal).

• Notify Security, IT Ops, Legal/Privacy, Exec sponsor

• Remind team: no external communications without approval

3. Scope and Impact Assessment (First 1–24 Hours)

3.1 Identify Patient Zero and Entry Point.

• Phishing / malicious attachment

• Exploited vulnerability

• Compromised credentials

• Exposed remote service (RDP/VPN)

• Third-party/vendor access

• Other: [Describe]
  3.2 Identify Affected Systems.

• List infected endpoints and servers

• Identify lateral movement and privilege escalation

• Check domain controllers, backup servers, and admin workstations
  3.3 Data Impact (Potential Breach).

• Determine whether data was exfiltrated (“double extortion”)

• Identify data types affected (PII, credentials, IP)

• Estimate number of records/tenants/customers impacted
  3.4 Operational Impact.

• Critical services down: [List]

• Estimated downtime: [Estimate]

• Safety/availability concerns: [Notes]
  3.5 Engage External Support (If Needed).

• Outside counsel: ☐ Yes ☐ No

• Forensics/IR vendor: ☐ Yes ☐ No

• Cyber insurance: ☐ Yes ☐ No

4. Decision Points (Pay / Not Pay)

4.1 Decision Owners. Final decision by: [Exec + Legal + Security].
4.2 Inputs to Consider.

• Availability and integrity of clean backups

• Scope of encryption and operational impact

• Evidence of data exfiltration

• Legal restrictions and sanctions screening (if applicable)

• Credibility/history of threat actor (if known)

• Risk of repeat compromise
  4.3 Documentation. Record the decision, rationale, and approvals in the incident file.

5. Eradication and Remediation

5.1 Remove Persistence.

• Identify and remove malicious scheduled tasks/services

• Remove unauthorized admin accounts and backdoors

• Re-image compromised endpoints where appropriate
  5.2 Patch and Harden.

• Patch exploited vulnerabilities and disable exposed services

• Restrict admin privileges; enforce least privilege

• Segment networks and restrict lateral movement
  5.3 Credential Rotation.

• Rotate admin credentials, service accounts, API keys, and tokens

• Reset passwords for affected users and enforce MFA

• Rotate keys/certificates if potentially exposed
  5.4 Clean Build Validation.

• Validate golden images and deployment pipelines are clean

• Confirm EDR/SIEM agents are functioning

6. Recovery and Restoration

6.1 Restore from Clean Backups.

• Verify backups are clean and pre-infection

• Restore in a staged environment first when possible

• Scan restored systems before reconnecting to production
  6.2 Rebuild Where Needed.

• Rebuild critical systems from known-good images

• Verify configuration baselines and logging
  6.3 Return-to-Service Checks.

• Confirm no signs of reinfection

• Confirm monitoring/alerting is active

• Confirm business-critical workflows operate normally
  6.4 Customer/User Actions (If Needed).

• Force password resets

• Revoke sessions/tokens

• Communicate mitigation steps through approved channels

7. Notifications and Communications

7.1 Legal/Privacy Assessment. Determine whether incident is a reportable breach under laws or contracts.
7.2 Notification Checklist.

• Identify required contractual notices (customers/partners/vendors)

• Identify regulator notice requirements and timelines

• Prepare customer notices and FAQs (if needed)
  7.3 Comms Owner. [Name/Role].
  7.4 No Public Statements Without Approval. Approved by: [Legal + Comms + Exec].

8. Post-Incident Review

8.1 Lessons Learned Meeting. Hold within [__] days after containment.
8.2 Root Cause Report. Document timeline, entry point, impacted systems, data impact, and actions taken.
8.3 Remediation Plan. Track follow-ups with owners and deadlines in: [Tool].
8.4 Policy and Training Updates. Update playbooks, run tabletop exercises, and adjust controls.

9. Recordkeeping

9.1 Incident File. Store evidence, decisions, and communications drafts in: [Secure location].
9.2 Retention. Retain records for: [__] years or per policy.
9.3 Confidentiality. Share incident materials only on a need-to-know basis.

Signatures

By signing below, the undersigned acknowledge and adopt this Ransomware Response Checklist.

Incident Response Owner: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Executive Sponsor (Optional): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________