This Ransomware Response Checklist (the “Checklist”) is maintained by [Company Name] and is effective as of [Effective Date].
1. Activation Criteria
1.1 Trigger Events. Activate this Checklist if any of the following occur:
-
Ransom note detected
-
Files encrypted unexpectedly or extensions changed
-
Endpoint security alerts indicating ransomware behavior
-
Unusual mass file writes/deletes
-
Systems become inaccessible with signs of tampering
1.2 Immediate Owner. Incident Commander: [Name/Role].
1.3 Incident ID. [Incident ID].
Ransom note detected
Files encrypted unexpectedly or extensions changed
Endpoint security alerts indicating ransomware behavior
Unusual mass file writes/deletes
Systems become inaccessible with signs of tampering
1.2 Immediate Owner. Incident Commander: [Name/Role].
1.3 Incident ID. [Incident ID].
2.1 Declare Incident and Restrict Access.
-
Open an incident channel and restrict access to need-to-know
-
Assign Incident Commander and leads (Security/IT/Legal/Comms)
2.2 Containment (Stop Spread).
-
Isolate affected endpoints/servers from the network
-
Disable compromised accounts and enforce MFA
-
Block suspicious IPs/domains and revoke tokens
-
Disable remote access paths suspected of compromise (RDP/VPN)
2.3 Preserve Evidence.
-
Capture volatile data where feasible (running processes, network connections)
-
Preserve logs (SIEM, EDR, AD, VPN, cloud logs)
-
Snapshot affected systems before remediation if possible
-
Document timestamps and actions taken
2.4 Protect Backups.
-
Verify backup integrity and isolate backups from production
-
Pause scheduled backup jobs if they risk encrypting backups
-
Confirm backup credentials are not compromised
2.5 Initial Communications (Internal).
-
Notify Security, IT Ops, Legal/Privacy, Exec sponsor
-
Remind team: no external communications without approval
Open an incident channel and restrict access to need-to-know
Assign Incident Commander and leads (Security/IT/Legal/Comms)
2.2 Containment (Stop Spread).
Isolate affected endpoints/servers from the network
Disable compromised accounts and enforce MFA
Block suspicious IPs/domains and revoke tokens
Disable remote access paths suspected of compromise (RDP/VPN)
2.3 Preserve Evidence.
Capture volatile data where feasible (running processes, network connections)
Preserve logs (SIEM, EDR, AD, VPN, cloud logs)
Snapshot affected systems before remediation if possible
Document timestamps and actions taken
2.4 Protect Backups.
Verify backup integrity and isolate backups from production
Pause scheduled backup jobs if they risk encrypting backups
Confirm backup credentials are not compromised
2.5 Initial Communications (Internal).
Notify Security, IT Ops, Legal/Privacy, Exec sponsor
Remind team: no external communications without approval
3. Scope and Impact Assessment (First 1–24 Hours)
3.1 Identify Patient Zero and Entry Point.
-
Phishing / malicious attachment
-
Exploited vulnerability
-
Compromised credentials
-
Exposed remote service (RDP/VPN)
-
Third-party/vendor access
-
Other: [Describe]
3.2 Identify Affected Systems.
-
List infected endpoints and servers
-
Identify lateral movement and privilege escalation
-
Check domain controllers, backup servers, and admin workstations
3.3 Data Impact (Potential Breach).
-
Determine whether data was exfiltrated (“double extortion”)
-
Identify data types affected (PII, credentials, IP)
-
Estimate number of records/tenants/customers impacted
3.4 Operational Impact.
-
Critical services down: [List]
-
Estimated downtime: [Estimate]
-
Safety/availability concerns: [Notes]
3.5 Engage External Support (If Needed).
-
Outside counsel: ☐ Yes ☐ No
-
Forensics/IR vendor: ☐ Yes ☐ No
-
Cyber insurance: ☐ Yes ☐ No
Phishing / malicious attachment
Exploited vulnerability
Compromised credentials
Exposed remote service (RDP/VPN)
Third-party/vendor access
Other: [Describe]
3.2 Identify Affected Systems.
List infected endpoints and servers
Identify lateral movement and privilege escalation
Check domain controllers, backup servers, and admin workstations
3.3 Data Impact (Potential Breach).
Determine whether data was exfiltrated (“double extortion”)
Identify data types affected (PII, credentials, IP)
Estimate number of records/tenants/customers impacted
3.4 Operational Impact.
Critical services down: [List]
Estimated downtime: [Estimate]
Safety/availability concerns: [Notes]
3.5 Engage External Support (If Needed).
Outside counsel: ☐ Yes ☐ No
Forensics/IR vendor: ☐ Yes ☐ No
Cyber insurance: ☐ Yes ☐ No
4. Decision Points (Pay / Not Pay)
4.1 Decision Owners. Final decision by: [Exec + Legal + Security].
4.2 Inputs to Consider.
-
Availability and integrity of clean backups
-
Scope of encryption and operational impact
-
Evidence of data exfiltration
-
Legal restrictions and sanctions screening (if applicable)
-
Credibility/history of threat actor (if known)
-
Risk of repeat compromise
4.3 Documentation. Record the decision, rationale, and approvals in the incident file.
Availability and integrity of clean backups
Scope of encryption and operational impact
Evidence of data exfiltration
Legal restrictions and sanctions screening (if applicable)
Credibility/history of threat actor (if known)
Risk of repeat compromise
4.3 Documentation. Record the decision, rationale, and approvals in the incident file.
5.1 Remove Persistence.
-
Identify and remove malicious scheduled tasks/services
-
Remove unauthorized admin accounts and backdoors
-
Re-image compromised endpoints where appropriate
5.2 Patch and Harden.
-
Patch exploited vulnerabilities and disable exposed services
-
Restrict admin privileges; enforce least privilege
-
Segment networks and restrict lateral movement
5.3 Credential Rotation.
-
Rotate admin credentials, service accounts, API keys, and tokens
-
Reset passwords for affected users and enforce MFA
-
Rotate keys/certificates if potentially exposed
5.4 Clean Build Validation.
-
Validate golden images and deployment pipelines are clean
-
Confirm EDR/SIEM agents are functioning
Identify and remove malicious scheduled tasks/services
Remove unauthorized admin accounts and backdoors
Re-image compromised endpoints where appropriate
5.2 Patch and Harden.
Patch exploited vulnerabilities and disable exposed services
Restrict admin privileges; enforce least privilege
Segment networks and restrict lateral movement
5.3 Credential Rotation.
Rotate admin credentials, service accounts, API keys, and tokens
Reset passwords for affected users and enforce MFA
Rotate keys/certificates if potentially exposed
5.4 Clean Build Validation.
Validate golden images and deployment pipelines are clean
Confirm EDR/SIEM agents are functioning
6. Recovery and Restoration
6.1 Restore from Clean Backups.
-
Verify backups are clean and pre-infection
-
Restore in a staged environment first when possible
-
Scan restored systems before reconnecting to production
6.2 Rebuild Where Needed.
-
Rebuild critical systems from known-good images
-
Verify configuration baselines and logging
6.3 Return-to-Service Checks.
-
Confirm no signs of reinfection
-
Confirm monitoring/alerting is active
-
Confirm business-critical workflows operate normally
6.4 Customer/User Actions (If Needed).
-
Force password resets
-
Revoke sessions/tokens
-
Communicate mitigation steps through approved channels
Verify backups are clean and pre-infection
Restore in a staged environment first when possible
Scan restored systems before reconnecting to production
6.2 Rebuild Where Needed.
Rebuild critical systems from known-good images
Verify configuration baselines and logging
6.3 Return-to-Service Checks.
Confirm no signs of reinfection
Confirm monitoring/alerting is active
Confirm business-critical workflows operate normally
6.4 Customer/User Actions (If Needed).
Force password resets
Revoke sessions/tokens
Communicate mitigation steps through approved channels
7. Notifications and Communications
7.1 Legal/Privacy Assessment. Determine whether incident is a reportable breach under laws or contracts.
7.2 Notification Checklist.
-
Identify required contractual notices (customers/partners/vendors)
-
Identify regulator notice requirements and timelines
-
Prepare customer notices and FAQs (if needed)
7.3 Comms Owner. [Name/Role].
7.4 No Public Statements Without Approval. Approved by: [Legal + Comms + Exec].
Identify required contractual notices (customers/partners/vendors)
Identify regulator notice requirements and timelines
Prepare customer notices and FAQs (if needed)
7.3 Comms Owner. [Name/Role].
7.4 No Public Statements Without Approval. Approved by: [Legal + Comms + Exec].
8. Post-Incident Review
8.1 Lessons Learned Meeting. Hold within [__] days after containment.
8.2 Root Cause Report. Document timeline, entry point, impacted systems, data impact, and actions taken.
8.3 Remediation Plan. Track follow-ups with owners and deadlines in: [Tool].
8.4 Policy and Training Updates. Update playbooks, run tabletop exercises, and adjust controls.
9. Recordkeeping
9.1 Incident File. Store evidence, decisions, and communications drafts in: [Secure location].
9.2 Retention. Retain records for: [__] years or per policy.
9.3 Confidentiality. Share incident materials only on a need-to-know basis.
Signatures
By signing below, the undersigned acknowledge and adopt this Ransomware Response Checklist.
Incident Response Owner: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
Executive Sponsor (Optional): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________