Incident Response Steps: Potential Ransomware Infection


This Incident Response Cheat Sheet is for performing live analysis on a system you suspect is infected with ransomware. It is important to work through each step in sequence as you handle an incident.

Incident Handling Steps 


Step 1: Preparation

Step 2: Identification

Typical Signs of Ransomware

Ransomware Warning Message

Host-Based Identification

Step 3: Containment

Step 4: Eradication

Step 5: Recovery

Step 6: Lessons Learned

A report should be written and made available discussing the following themes:

Ensure that all parties involved in the incident handling process agree to what is written in the report. If someone strongly disagrees, they should write their own report to document the incident from their point of view.

The report(s) should be reviewed by the team and potentially upper management and discussed in a meeting held within two weeks of resuming production.