eastbaycyber

Ransomware Response Checklist (IR Quick Guide)

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

A ransomware response checklist is a step-by-step incident response guide to contain ransomware, preserve evidence, restore operations safely, and handle notifications and communications. It helps teams make consistent decisions under pressure while reducing downtime and legal risk.

A ransomware response checklist is your “do this now” guide when encryption, data theft, or attacker-controlled access is suspected. In the first minutes, prioritize containment and evidence preservation; in the next hours, focus on eradication, safe recovery, and legally sound communications.

How it works (use in phases)

Use the checklist in phases. Don’t wait for perfect information—start with containment and preservation, then move to eradication and recovery with strong change control.

1) Declare the incident and mobilize

Goals: establish control, reduce chaos, and ensure decisions are documented.

  • Trigger criteria: ransom note, mass file encryption, unusual file extensions, backup deletion attempts, EDR “ransomware behavior” alerts, domain-wide authentication anomalies.
  • Open an incident bridge (chat + phone) and assign roles:
  • Incident Commander (IC)
  • IT Ops lead (systems/network)
  • Security/IR lead (EDR/SIEM/forensics)
  • Legal/Privacy lead
  • Comms/PR lead (internal + external)
  • Business owner (downtime decisions)
  • Start an incident timeline: who/what/when, every action taken, and evidence collected.
  • Freeze change windows for non-essential work to avoid contaminating evidence.

2) Contain: stop spread and cut off attacker control

Goals: prevent further encryption, data theft, and lateral movement.

  • Isolate impacted endpoints/servers from the network (EDR isolation, VLAN quarantine, unplug NIC as last resort).
  • Disable known-compromised accounts and rotate credentials:
  • Privileged accounts (Domain Admin, backup admins, service accounts)
  • VPN/SSO tokens and API keys (if possible)
  • Block known bad at perimeter quickly (IOC-based blocks), but don’t rely only on IOCs. (If your team needs a shared definition of IOCs for triage, see: what is an ioc)
  • Segment critical services (backup infrastructure, hypervisors, identity providers) away from user subnets.
  • Preserve volatile systems: avoid rebooting if you can capture memory and active connections first.

3) Preserve evidence (before you wipe/rebuild)

Goals: keep options open for root cause, scope, insurance/legal, and potential law enforcement engagement.

  • Capture:
  • Disk images (at least for a few representative “patient zero” systems and key servers)
  • Memory captures for actively infected or suspicious hosts
  • Central logs: EDR, SIEM, firewall, VPN, DNS, AD, email gateway, cloud audit logs
  • Secure evidence with access controls and hashing; record chain of custody.

4) Scope the blast radius and identify the entry point

Goals: understand what’s impacted, what’s at risk, and what must be rebuilt.

  • Determine:
  • Which systems are encrypted vs. only accessed
  • Whether data exfiltration occurred (double-extortion)
  • Lateral movement paths (RDP, SMB, remote tools, GPO, scheduled tasks)
  • Persistence mechanisms (new admin accounts, services, startup items)
  • Prioritize:
  • Identity (AD/Entra ID), hypervisors, backup servers, file servers, ERP/finance, email

5) Eradicate and harden (don’t restore into a still-compromised environment)

Goals: remove attacker access and reduce reinfection risk.

  • Patch exploited vulnerabilities (where confirmed or strongly suspected).
  • Remove persistence and unauthorized tooling.
  • Reset credentials broadly (use a staged approach if identity is in doubt).
  • Enforce MFA everywhere feasible; restrict admin access; review conditional access rules.
  • Disable legacy protocols if possible (e.g., SMBv1) and restrict lateral admin tools (PsExec/WMI where appropriate).

Buying time while you harden: if you’re missing endpoint protection coverage or you need to standardize response actions across Windows devices, consider reviewing options in this comparison: best antivirus for windows business endpoints 2026.
If you need an on-demand scan/cleanup tool during triage on a subset of machines (after isolating them and preserving evidence), Malwarebytes is a commonly used option: Get Malwarebytes →.

6) Recover safely: restore, validate, and monitor

Goals: restore business operations with confidence, not guesswork.

  • Restore from known-good backups (offline/immutable if available).
  • Validate backups before full-scale restore:
  • Check restore points predate compromise
  • Scan restored systems for malware
  • Recover in order: 1. Identity 2. Core networking (DNS/DHCP), management tooling 3. Virtualization/storage 4. Critical business apps 5. User endpoints
  • Add heightened monitoring during and after recovery (30–90 days):
  • New admin creation, anomalous logins, scheduled tasks, unusual outbound traffic

7) Communications, reporting, and decision points

Goals: meet obligations and reduce business harm.

  • Internal comms: clear instructions (“don’t power on devices”, “report ransom notes”, “use out-of-band comms”).
  • External comms: customers/partners as needed; coordinate with legal.
  • Notification: determine if regulated data or personal data was accessed/exfiltrated; evaluate jurisdictional timelines.
  • Ransom payment decision: treat as a business/legal decision; focus on recovery capability, data theft risk, and operational safety. Document rationale.

8) Post-incident: lessons learned and resilience upgrades

Goals: reduce likelihood and impact next time.

  • Conduct a retrospective:
  • Root cause, time to contain, restore time, gaps in telemetry, backups, segmentation, MFA coverage
  • Implement improvements:
  • Immutable/offline backups + routine restore tests
  • Tiered admin model, PAWs/jump hosts
  • Network segmentation and egress controls
  • Email and endpoint hardening, application allowlisting where feasible

Credential hygiene upgrade: after recovery, prioritize strong password management and shared vault controls for IT/admin teams. If you’re evaluating tools, 1Password is a popular option for businesses: Try 1Password →.

When you’ll encounter it

You’ll reach for a ransomware response checklist when you see any of the following:

  • Users report ransom notes or files suddenly have new extensions and can’t open.
  • EDR alerts for mass file modifications, shadow copy deletion, suspicious encryption-like behavior, or known ransomware families.
  • Backup failures spike (backups deleted, repositories encrypted, unusual admin activity on backup servers).
  • Identity anomalies: impossible travel logins, multiple password resets, new privileged accounts, unusual Kerberos/NTLM patterns.
  • Network indicators: sudden SMB/RDP traffic bursts, lateral connections from a single endpoint to many servers, or unusual outbound traffic suggesting exfiltration.
  • Cloud/SaaS compromise: suspicious mailbox rules, mass file deletions/renames in cloud storage, unusual OAuth app consents.

Operationally, you’ll also encounter it during tabletop exercises, cyber insurance readiness reviews, or when building an incident response plan—this checklist becomes the “do this now” companion to a broader IR playbook.

Technical notes

Rapid containment commands and checks (Windows)

# List current SMB sessions (spot lateral movement patterns)
Get-SmbSession | Select ClientComputerName, ClientUserName, NumOpens

# Show recent local admin group changes (quick triage)
Get-LocalGroupMember -Group "Administrators"

# Check for suspicious scheduled tasks
schtasks /query /fo LIST /v | findstr /i "powershell cmd.exe wscript cscript rundll32"

# View active network connections (look for unusual outbound)
netstat -ano

AD and authentication triage pivots

# Recent account creations (requires appropriate auditing/log access)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 50 |
  Select TimeCreated, @{n="NewUser";e={$_.Properties[0].Value}}, Message

# Recent additions to privileged groups (Domain Admins example: 4728/4732 depending on group type)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} -MaxEvents 50 |
  Select TimeCreated, Message

Linux quick triage (servers, NAS, appliances)

# Recently modified files (possible encryption activity)
find / -xdev -type f -mtime -1 2>/dev/null | head

# Check for suspicious persistence
crontab -l
ls -la /etc/cron.* /etc/systemd/system | head

# Review auth logs (paths vary by distro)
sudo tail -n 200 /var/log/auth.log 2>/dev/null || sudo tail -n 200 /var/log/secure

Log patterns worth searching

- Burst of file rename/write events across many directories in minutes
- vssadmin.exe Delete Shadows /All /Quiet
- wbadmin delete catalog /quiet
- bcdedit /set {default} recoveryenabled no
- wevtutil cl (event log clearing)
- New services or tasks launching powershell/cmd with encoded commands
- RDP logons (4624 type 10) from unusual hosts; repeated 4625 failures then success

Recovery safety checks (minimum)

Before restoring:
- Confirm restore point predates initial compromise time (from timeline)
- Validate backup integrity and perform a test restore in an isolated network
- Ensure compromised credentials are reset and persistence removed
After restoring:
- Re-enable network access gradually (staged rollout)
- Maintain enhanced EDR/SIEM alerting and review for re-compromise indicators

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Containment

Actions to stop spread and limit damage (e.g., isolating hosts, disabling accounts).

Eradication

Removing malware, persistence, and attacker access paths.

Recovery

Restoring systems and services safely and validating integrity.

Indicators of Compromise (IOCs)

Artifacts suggesting compromise (hashes, domains, IPs, filenames). Useful but often incomplete.

Tactics, Techniques, and Procedures (TTPs)

Attacker behaviors (e.g., credential dumping, lateral movement) that guide detections beyond IOCs.

Double extortion

Ransomware combined with data theft and threats to leak stolen data.

Immutable backups

Backup storage designed to prevent alteration/deletion for a retention period.

Least privilege / Privileged Access Management (PAM)

Controls to minimize and protect admin-level access.

Chain of custody

Documentation proving evidence integrity and handling for legal/forensic purposes.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.