Ransomware Response & Recovery Procedures | DADavisDesigns

1 Identification & Triage

🚨 CRITICAL: If encryption is observed, assume the threat actor is still active in the network.

✓ Identify Scope: Which systems are encrypted? Check file extensions (e.g., .locked, .crypt).
✓ Check Ransom Note: Locate the text file (e.g., RESTORE_FILES.txt). Do NOT contact the attacker yet.
✓ Snapshot RAM: Capture memory from Domain Controllers if possible before shutdown.

2 Containment

Prevent lateral movement to backups or other critical segments.

✓ Disconnect Backups: Immediately air-gap or unmount backup drives/cloud storage.
✓ Isolate Network: Physically disconnect infected VLANs or switch ports.
✓ Disable User Accounts: Lockout compromised AD accounts and the KRBTGT account.

3 Analysis & Eradication

✓ Determine Strain: Upload the ransom note/encrypted file to ID Ransomware.
✓ Root Cause Analysis: How did they get in? (RDP, Phishing, VPN exploit). Close the hole.
✓ Eradicate: Wipe infected systems. Do not trust them. Rebuild from gold images.

4 Recovery

✓ Verify Backups: Scan backups for malware before restoring.
✓ Phased Restore: Bring critical services (AD, DNS) online first, then applications.
✓ Password Reset: Force a global password reset for all users.