2026-05-08 · 7 min read

Ransomware Incident Response Playbook — Containment & Recovery Steps | Vaarta

Step-by-step ransomware incident response playbook. Containment, eradication, recovery, and prevention procedures for Indian organizations facing ransomware.

Incident Response Ransomware Blue Team Business Continuity

Hour 1: Containment

1. Isolate affected systems (unplug ethernet, disable WiFi)

2. Do NOT turn off systems (memory may contain decryption keys)

3. Preserve evidence (screenshots, logs, network traffic)

4. Activate incident response team


Hours 2-24: Assessment

Determine attack vector, identify affected systems, assess data exposure, check if backups are intact.


Days 1-7: Eradication

Rebuild from clean backups, reset all credentials, patch vulnerabilities, scan for persistence mechanisms.


Weeks 1-4: Recovery

Restore data from verified clean backups, gradually restore services, monitor for re-infection.
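The containment step "preserve evidence", the assessment step "check if backups are intact", and the recovery step "restore from verified clean backups" all come down to the same question: can you prove a set of files is unchanged since a known-good moment? The script below is an added example (not code from the original post or from Vaarta): it builds a SHA-256 manifest of a directory tree and later reports exactly which files were modified, removed, or newly appeared, which is what a responder needs before trusting a backup or an evidence copy. File names and paths in the usage are assumed for illustration.

```python
"""Evidence / backup integrity manifest.

Added example, not from the original post. Build a manifest of a tree while it
is known-good (a fresh backup, or evidence the moment it is collected), keep the
manifest offline, and verify the tree against it before restoring from it.
"""
import hashlib
import json
import sys
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root with its size and SHA-256."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {
        "root": str(root),
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "file_count": len(files),
        "files": files,
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a tree with a manifest.

    'modified' and 'missing' both mean the copy is not the one that was recorded
    (encrypted-in-place files show up as modified, deleted ones as missing).
    'unexpected' lists files that appeared after the manifest was made; they are
    not automatically bad, but each one needs an explanation before a restore.
    """
    root = Path(root)
    expected = manifest["files"]
    modified, missing, unexpected = [], [], []
    for rel, meta in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        # Size check first: a size mismatch already proves change without hashing.
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            modified.append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                unexpected.append(rel)
    return {
        "clean": not modified and not missing,
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Assumed usage (paths are illustrative):
    #   python manifest.py build  /mnt/backup-2026-05-01 /media/offline/backup.manifest.json
    #   python manifest.py verify /mnt/backup-2026-05-01 /media/offline/backup.manifest.json
    cmd, target, manifest_path = sys.argv[1:4]
    if cmd == "build":
        save_manifest(build_manifest(Path(target)), Path(manifest_path))
    elif cmd == "verify":
        result = verify_against_manifest(Path(target), load_manifest(Path(manifest_path)))
        print(json.dumps(result, indent=2))
        sys.exit(0 if result["clean"] else 1)
```

Store the manifest outside the tree it describes, ideally on the offline copy from the 3-2-1 strategy: a manifest that lives on the same volume can be altered along with the data, and it would also show up as an "unexpected" file at verify time. A non-zero exit on an unclean result lets the check gate an automated restore job.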


Prevention

  • Offline backups (3-2-1 strategy)
  • Network segmentation
  • Endpoint detection and response (EDR)
  • Regular security scans with Vaarta.space

Conclusion

Have a documented response plan BEFORE attacks occur. Practice with quarterly tabletop exercises.

