Ransomware Playbook - Manual

Master playbook for ransomware incidents. This playbook is a manual playbook.

Ransomware · 47 tasks · 0 inputs · 0 outputs

Flowchart

Alert from Security Product User reported Incident False positive Real incident no yes no start_task start_task Engage Engage Notify management chain Notify management chain Initial triage Initial triage Assess severity Assess severity Assign and involve appropriate personnel Assign and involve approp... Investigation Step 1: Details for this incident Investigation Step 1: Det... Notify IT about the end user details for replacing device Notify IT about the end u... Is the incident reported by end user or an alert from SIEM (or another security product)? Is the incident reported ... Is the incident real or a false positive? Is the incident real or a... Mark the incident as false positive in SIEM Mark the incident as fals... Close the issue in the incident management system Close the issue in the in... Identify the affected endpoint and user Identify the affected end... Inform user about Ransomeware Inform user about Ransome... Execute local containment Execute local containment Document user details in investigation Document user details in ... Collect relevant details about incident Collect relevant details ... Execute initial containment Execute initial containment Investigation Step 2: Identify Source of Infection Investigation Step 2: Ide... Option 1: Investigate whether the ransomeware has been delivered by email Option 1: Investigate whe... Analyze email logs to narrow down suspicious emails Analyze email logs to nar... Collect and analyze suspicious emails Collect and analyze suspi... Analyze suspicious URLs and files collected from emails (malware playbook) Analyze suspicious URLs a... Option 2: Investigate whether the victim’s PC has been infected by an exploit kit/drive-by download Option 2: Investigate whe... Analyze web proxy (or web gateway) logs to find suspicious URL Analyze web proxy (or web... Analyze the URLs from previous task for malicious URL Analyze the URLs from pre... Analyze the URL in a sandbox Analyze the URL in a sandbox Get file details from web logs for downloaded files Get file details from web... Go to : Generating IoCs from URLs and Hashes Go to : Generating IoCs f... Generating IoCs for URLs and Hashes Generating IoCs for URLs ... Generate IOC for malicious URL from SIEM Threat Feed Generate IOC for maliciou... Generate IOC for malicious URL manually Generate IOC for maliciou... Generate IOC from phishing emails Generate IOC from phishin... Deploy the IoCs collected Deploy the IoCs collected Identify other affected devices Identify other affected d... Identify other systems based on URL and hashes Identify other systems ba... Create new incident with the affected systems Create new incident with ... Respond Respond Notify affected user Notify affected user IOC deployment verification IOC deployment verification Remove temporary containment measures Remove temporary containm... Provide end-user remediation guidance and link to training Provide end-user remediat... Is the identified malware known? (with automated remediation steps) Is the identified malware... Document manual remediation steps Document manual remediati... Trigger remediation scripts Trigger remediation scripts Was remediation successful? Was remediation successful? Reimage the entire system and restore from backup Reimage the entire system...