Ransomware Response Playbook
Every IT leader knows ransomware is a matter of when, not if. Yet most organisations still lack a clear ransomware response playbook - a tested, step-by-step plan that tells your team exactly what to do when an attack hits. Without one, precious hours are lost to confusion whilst attackers encrypt your systems and exfiltrate your data.
Having led incident response efforts across multiple organisations, I have seen first-hand how the first 60 minutes of a ransomware attack determine whether you recover in days or weeks. This playbook gives you a practical framework your team can follow under pressure.
Why You Need a Ransomware Response Playbook
The average ransomware attack costs UK organisations over £1.5 million when you factor in downtime, recovery, and reputational damage. NCSC guidance is clear - preparation is everything. Yet too many IT leaders rely on generic disaster recovery plans that were never designed for the speed and complexity of a ransomware incident.
A dedicated ransomware response playbook differs from your standard disaster recovery plan in several critical ways. Ransomware requires forensic preservation, legal notification timelines, and decisions about attacker communication that DR plans simply do not cover.
Phase 1 - Detection and Initial Assessment
The first phase of your ransomware response playbook focuses on confirming the attack and understanding its scope.
Recognising the Signs
Ransomware does not always announce itself with a dramatic ransom note. Early indicators include:
- Unusual file extension changes across network shares
- Spike in CPU usage on servers or endpoints
- Users reporting inability to open files
- Antivirus or EDR alerts for known ransomware signatures
- Unexpected encryption processes in task manager
- Canary files triggering alerts (if you have deployed them)
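Two of the indicators above can be checked mechanically: a burst of renames to an extension nobody on the share normally uses, and a canary file whose contents have changed. The following is an added example, not code from the original post; the rename-event format, the extension allow-list and the canary paths are all constructed for illustration.

```python
"""Early-warning checks: mass renames to an unfamiliar extension and
canary files whose hash no longer matches the recorded baseline.
Added example; event format and canary list are constructed."""
import hashlib
import os
from collections import Counter

# Constructed sample rename events from a file server: (user, old, new).
RENAME_EVENTS = [
    ("alice", r"\\fs1\finance\q1.xlsx", r"\\fs1\finance\q1.xlsx.locked"),
    ("alice", r"\\fs1\finance\q2.xlsx", r"\\fs1\finance\q2.xlsx.locked"),
    ("alice", r"\\fs1\finance\budget.docx", r"\\fs1\finance\budget.docx.locked"),
    ("bob", r"\\fs1\hr\draft.docx", r"\\fs1\hr\final.docx"),
    ("alice", r"\\fs1\finance\notes.txt", r"\\fs1\finance\notes.txt.locked"),
]
# Extensions normally seen on these shares (constructed allow-list).
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".txt", ".pdf", ".pptx"}

def ext_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()

def suspicious_renamers(events, threshold=3):
    """Return {user: count} for users who renamed at least `threshold`
    files to an extension outside the allow-list; an ordinary rename
    (draft.docx -> final.docx) does not count."""
    counts = Counter()
    for user, old, new in events:
        new_ext = ext_of(new)
        if new_ext and new_ext not in KNOWN_EXTENSIONS and new_ext != ext_of(old):
            counts[user] += 1
    return {u: c for u, c in counts.items() if c >= threshold}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Canary files are never legitimately written, so any hash change or
# disappearance is an alert.  Baseline hashes are constructed here.
CANARY_BASELINE = {
    r"\\fs1\finance\~do_not_open.xlsx": sha256(b"canary-finance-v1"),
    r"\\fs1\hr\~do_not_open.docx": sha256(b"canary-hr-v1"),
}

def tripped_canaries(baseline, current):
    """Return canary paths whose current bytes (absent if missing) no
    longer hash to the recorded baseline."""
    return sorted(p for p, h in baseline.items()
                  if current.get(p) is None or sha256(current[p]) != h)

if __name__ == "__main__":
    print("mass renames:", suspicious_renamers(RENAME_EVENTS))
    now = {r"\\fs1\finance\~do_not_open.xlsx": b"canary-finance-v1",
           r"\\fs1\hr\~do_not_open.docx": b"\x00ENCRYPTED\x00"}
    print("canaries tripped:", tripped_canaries(CANARY_BASELINE, now))
```

Either check firing is a reason to start the 15-minute actions below rather than wait for a ransom note.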
Immediate Actions (First 15 Minutes)
- Confirm the attack - Verify this is ransomware rather than a false positive or different malware type
- Alert your incident response team - Use out-of-band communication (phone calls, not email, as your email may be compromised)
- Document everything - Start a timeline immediately, noting when the attack was discovered and by whom
- Do not restart affected machines - Forensic evidence in memory could be lost
Scope Assessment (Minutes 15-60)
Determine how far the attack has spread:
- Which systems are affected?
- Is encryption still actively spreading?
- Are backups accessible and uncompromised?
- Has data been exfiltrated (check for unusual outbound traffic)?
Phase 2 - Containment
Containment is about stopping the bleeding. Every minute of delay means more encrypted systems and potentially more stolen data.
Network Isolation
- Disconnect affected systems from the network immediately - pull cables, disable Wi-Fi
- Isolate network segments to prevent lateral movement
- Block known malicious IPs and domains at the firewall
- Disable compromised user accounts and service accounts
- Consider isolating your entire network from the internet if the attack is widespread
Preserve Evidence
Before you start recovery, preserve forensic evidence:
- Take memory dumps of affected systems where possible
- Capture network logs, firewall logs, and authentication logs
- Screenshot ransom notes and any attacker communications
- Preserve email headers if the attack arrived via phishing
This evidence is essential for law enforcement, your cyber insurance claim, and understanding how the attackers gained access.
Phase 3 - Eradication
Once contained, you need to remove the threat entirely before beginning recovery.
Identify the Attack Vector
Work backwards to find how the attackers got in:
- Was it a phishing email? Check email logs for the initial delivery
- Was it an exploited vulnerability? Review patch status of affected systems
- Was it compromised credentials? Check for brute force attempts or credential stuffing
- Was it a supply chain compromise? Review recent software updates and third-party access
Clean the Environment
- Remove all identified malware, backdoors, and persistence mechanisms
- Reset all passwords, particularly for privileged accounts
- Revoke and reissue certificates if there is any indication they were compromised
- Patch the vulnerability that allowed initial access
- Review all scheduled tasks, startup items, and services for hidden persistence
Phase 4 - Recovery
Recovery is where your preparation pays off - or where its absence becomes painfully obvious.
Backup Validation
Before restoring anything:
- Verify backup integrity - are the backups themselves encrypted or corrupted too?
- Check backup timestamps - how recent is your last clean backup?
- Test restoration on an isolated system before connecting to production
- Scan restored systems for malware before bringing them online
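The first two checks above, integrity and recency, can be scripted against an offline manifest. This added example is not from the original post: it assumes a constructed manifest format (one record per backup run with a timestamp and file-to-SHA-256 map) and a suspected compromise time supplied by the investigation, and it picks the newest run that is both intact and taken before that time.

```python
"""Before restoring: verify each backup run against its offline manifest
and pick the newest run that is both intact and taken before the attacker
is believed to have been present.  Added example with a constructed
manifest format (run timestamp plus file -> sha256); not from any product."""
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed: manifests written at backup time and kept offline/immutable.
MANIFESTS = [
    {"run": "2025-03-01T02:00:00Z",
     "files": {"db.bak": sha256_hex(b"db-day1"), "docs.tar": sha256_hex(b"docs-day1")}},
    {"run": "2025-03-02T02:00:00Z",
     "files": {"db.bak": sha256_hex(b"db-day2"), "docs.tar": sha256_hex(b"docs-day2")}},
    {"run": "2025-03-03T02:00:00Z",
     "files": {"db.bak": sha256_hex(b"db-day3"), "docs.tar": sha256_hex(b"docs-day3")}},
]
# Constructed: what is actually in the backup repository now.  The day-3
# docs archive was overwritten during the attack.
REPOSITORY = {
    "2025-03-01T02:00:00Z": {"db.bak": b"db-day1", "docs.tar": b"docs-day1"},
    "2025-03-02T02:00:00Z": {"db.bak": b"db-day2", "docs.tar": b"docs-day2"},
    "2025-03-03T02:00:00Z": {"db.bak": b"db-day3", "docs.tar": b"\x00ENCRYPTED\x00"},
}

def verify_run(manifest, stored):
    """Return the files whose stored bytes are missing or do not hash to
    the manifest value; an empty list means the run is intact."""
    return [name for name, expected in manifest["files"].items()
            if stored.get(name) is None or sha256_hex(stored[name]) != expected]

def last_clean_backup(manifests, repo, suspected_compromise):
    """Newest run that predates the suspected compromise and verifies
    cleanly.  Returns (run_id, hours_before_compromise) or None."""
    cutoff = parse_ts(suspected_compromise)
    for m in sorted(manifests, key=lambda m: parse_ts(m["run"]), reverse=True):
        taken = parse_ts(m["run"])
        if taken >= cutoff:
            continue  # may already contain the attacker's tooling or persistence
        if verify_run(m, repo.get(m["run"], {})):
            continue  # integrity failure: encrypted, corrupted or missing files
        return m["run"], int((cutoff - taken).total_seconds() // 3600)
    return None  # no usable backup: escalate, do not restore blindly

if __name__ == "__main__":
    for m in MANIFESTS:
        print(m["run"], "mismatches:", verify_run(m, REPOSITORY[m["run"]]))
    print("restore from:", last_clean_backup(MANIFESTS, REPOSITORY, "2025-03-02T12:00:00Z"))
```

The hours figure is the data you stand to lose; if it is unacceptable, that is a finding for the post-mortem, not a reason to restore from a run that failed verification.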
Prioritised Restoration
Not all systems are equal. Restore in this order:
- Identity and access management - Active Directory, authentication systems
- Core infrastructure - DNS, DHCP, networking
- Business-critical applications - whatever generates revenue or serves customers
- Communication systems - email, messaging platforms
- Secondary systems - everything else
The Ransom Question
Every IT leader dreads this decision. NCSC and law enforcement consistently advise against paying ransoms because:
- Payment funds criminal organisations and encourages further attacks
- There is no guarantee you will receive a working decryption key
- Paying marks you as a willing target for future attacks
- You may face legal complications if the attacker is a sanctioned entity
However, this is ultimately a business decision that involves your board, legal counsel, and cyber insurer. Your playbook should document who has the authority to make this decision and under what circumstances it would be considered.
Phase 5 - Post-Incident Review
The attack is over, systems are restored, and there is an overwhelming temptation to move on. Resist it.
Conduct a Blameless Post-Mortem
Within two weeks of recovery, gather everyone involved and review:
- Timeline - What happened and when? Where were the delays?
- Detection - How quickly was the attack identified? Could it have been faster?
- Response - Did the playbook work? What was missing?
- Communication - Were stakeholders informed appropriately and promptly?
- Recovery - How long did restoration take? What slowed it down?
Update Your Defences
Use the lessons learned to strengthen your position:
- Patch the specific vulnerability that was exploited
- Improve detection rules based on the indicators of compromise you observed
- Update your security awareness training to cover the attack vector used
- Review and tighten network segmentation
- Test your updated playbook with a tabletop exercise
Building Your Playbook - Practical Steps
Document Roles and Responsibilities
Your ransomware response playbook must specify:
- Incident Commander - Who leads the response? (Usually the IT Director or CISO)
- Technical Lead - Who coordinates the hands-on technical work?
- Communications Lead - Who handles internal and external communications?
- Legal Contact - Who manages regulatory notifications and legal obligations?
- Executive Sponsor - Who makes decisions about ransom payment and business impact?
Establish Communication Channels
Assume your primary communication tools are compromised. Prepare alternatives:
- Personal mobile phones with a pre-shared contact list
- A dedicated Signal or WhatsApp group created before an incident
- Physical meeting point if digital communication fails entirely
Maintain a Contact List
Keep an offline copy of:
- Incident response team members and their personal contact details
- Cyber insurance provider and policy number
- Legal counsel specialising in cyber incidents
- Law enforcement contacts (NCSC, Action Fraud, local police)
- Key vendors and their emergency support numbers
- PR or communications agency if you use one
Test Regularly
A playbook that has never been tested is just a document. Run tabletop exercises quarterly where you walk through a ransomware scenario with your team. Identify gaps, update the playbook, and test again. The more your team practises, the calmer and more effective they will be during a real incident.
Common Mistakes to Avoid
Having seen multiple ransomware incidents, I can say these are the mistakes that cause the most damage:
- Delaying containment to "investigate further" whilst the attack spreads
- Communicating over compromised channels and tipping off the attacker
- Not checking backup integrity before relying on them for recovery
- Skipping the post-mortem and getting hit by the same attack vector again
- Rebuilding without eradicating - attackers often maintain persistent access
- Focusing only on technology and neglecting communication with staff, customers, and regulators
Your Next Steps
If you do not have a ransomware response playbook, start building one this week. If you have one, test it. The organisations that recover fastest from ransomware are not necessarily the ones with the biggest security budgets - they are the ones that practised their response before they needed it.
Print the key steps. Store contact lists offline. Run a tabletop exercise next month. These simple actions could save your organisation millions when the inevitable happens.
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.