// first 10 minutes

ransomware response — quick-start

ransomware response — first 10 minutes. preserve before you negotiate. print this, check the boxes, then run the primary tools.

checklist

  1. isolate at the network layer — do not power off; powering off destroys volatile memory that must be preserved.
  2. snapshot VMs that are still running before anyone reboots them.
  3. pull Security.evtx + System.evtx from each suspected host — now, not after lunch.
  4. export the M365 audit log for the previous 14 days if identity was involved.
  5. photograph or save the ransom note as plain text — do not forward it.
  6. check shadow copies before the backup admin touches anything.
  7. preserve Veeam/backup config and job history exports.
  8. save firewall logs for the last 14 days.
  9. identify patient zero before negotiating — onset timer first.
  10. do not pay yet. preserve first.
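the checklist is a sequence of evidence-preservation steps typed on a windows host. the script below is an added example of steps 3, 5 and 6 plus the volatile context that disappears on reboot; it is not part of the original page or its tools. assumptions: it runs elevated on the suspected host, $EvidenceRoot points at external or write-once media, $RansomNotePath is a placeholder for wherever the note was found, and the M365 export (step 4) is shown only as commented lines because it is run from an admin workstation, never from the infected host.

```powershell
# evidence preservation for one suspected host (added example, not the page's own tool)
# assumption: run elevated; $EvidenceRoot is offline/external media; $RansomNotePath is a placeholder
param(
    [string]$EvidenceRoot   = "E:\ir-evidence",              # assumption: external volume
    [string]$RansomNotePath = "C:\Users\Public\README.txt"   # assumption: placeholder path
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dest  = Join-Path $EvidenceRoot "$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 2. VM snapshots are taken hypervisor-side (e.g. Checkpoint-VM on Hyper-V), not from the guest.

# 3. export event logs; wevtutil epl copies the channel to a file and does not clear it
$channels = @("Security", "System", "Application", "Microsoft-Windows-TaskScheduler/Operational")
foreach ($log in $channels) {
    $safe = $log -replace '[\\/]', '_'
    wevtutil epl $log (Join-Path $dest "$safe.evtx")
}

# 4. identity involved? export the M365 audit log for the last 14 days from an admin workstation.
#    requires the ExchangeOnlineManagement module; results page at 5000 rows per call.
# Connect-ExchangeOnline
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
#     -ResultSize 5000 -SessionCommand ReturnLargeSet |
#     Export-Csv (Join-Path $dest "m365-audit-14d.csv") -NoTypeInformation

# 5. ransom note as plain text; copy, do not open in mail or forward it
if (Test-Path -LiteralPath $RansomNotePath) {
    Copy-Item -LiteralPath $RansomNotePath -Destination (Join-Path $dest "ransom-note.txt")
}

# 6. enumerate shadow copies read-only; nothing here deletes or resizes storage
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate, Count, DeviceObject |
    Export-Csv -Path (Join-Path $dest "shadow-copies.csv") -NoTypeInformation
vssadmin list shadows | Out-File -FilePath (Join-Path $dest "vssadmin-list-shadows.txt")

# volatile context that is cheap now and gone after a reboot
Get-Process | Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv -Path (Join-Path $dest "processes.csv") -NoTypeInformation
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $dest "tcp-connections.csv") -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author |
    Export-Csv -Path (Join-Path $dest "scheduled-tasks.csv") -NoTypeInformation

# hash the collection so chain of custody can be shown later; compute first, then write the manifest
$manifest = Get-ChildItem -Path $dest -File | Get-FileHash -Algorithm SHA256
$manifest | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest "manifest-sha256.csv") -NoTypeInformation

Write-Host "evidence written to $dest ($($manifest.Count) files hashed)"
```

the order matters: logs and shadow-copy state are captured before anything that might touch the host, and the hash manifest is written last so every other file is covered by it.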

primary tools

  1. 01 · ransomware encryption onset timer · drop mft csv and evtx csv · pinpoint the exact moment encryption began · identify patient zero file · work backward to find initial access · correlate with attacker actions · runs locally
  2. 02 · ransomware pre-encryption staging detector · drop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
  3. 03 · ransomware family identifier · drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
  4. 04 · ransom note analyzer · paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
  5. 05 · double extortion evidence collector · drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
  6. 06 · lateral movement chain visualizer · drop evtx csvs · link logon, service creation and remote execution events · reconstruct multi-hop chains · runs locally
  7. 07 · backup deletion artifact analyzer · drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with ransomware timeline · runs locally
  8. 08 · mass rename detector · drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
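tools 01 and 08 both work from file timestamps: bucket renames into short windows, find the first window where the count crosses a threshold, and take the earliest file in it as patient zero. the function below is an added example of that logic over a constructed file listing; it is not the page's onset timer or rename detector. assumptions: the listing is a csv with FullName and LastWriteTime columns (what a Get-ChildItem export looks like), the suspicious-extension regex is a starter list rather than a family database, and the double-extension heuristic is deliberately crude.

```powershell
# encryption onset / mass rename detection over a file listing (added example, not the page's tool)
function Find-EncryptionOnset {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,          # objects with FullName and LastWriteTime
        [int]$WindowSeconds = 60,                         # bucket width for "short time window"
        [int]$Threshold     = 5,                          # renames per window that count as onset
        [string]$SuspiciousExt = '\.(locked|encrypted|enc|crypt|crypted)$'  # assumption: starter list
    )

    # a hit is a file whose name matches the suffix list or carries two or more extensions
    $hits = foreach ($r in $Rows) {
        $name = [IO.Path]::GetFileName($r.FullName)
        $isDouble = ($name -split '\.').Count -ge 3
        if ($name -match $SuspiciousExt -or $isDouble) {
            [pscustomobject]@{ Path = $r.FullName; Time = [datetime]$r.LastWriteTime }
        }
    }
    if (-not $hits) { return $null }
    $hits = @($hits | Sort-Object Time)

    # bucket hits by window index relative to the first hit
    $t0 = $hits[0].Time
    $buckets = $hits |
        Group-Object { [math]::Floor(($_.Time - $t0).TotalSeconds / $WindowSeconds) } |
        Sort-Object { [int]$_.Name }

    $timeline = foreach ($b in $buckets) {
        [pscustomobject]@{
            WindowStart = $t0.AddSeconds([int]$b.Name * $WindowSeconds)
            Renames     = $b.Count
        }
    }

    foreach ($b in $buckets) {
        if ($b.Count -ge $Threshold) {
            $first = $b.Group | Sort-Object Time | Select-Object -First 1
            # files touched in the hour before onset that were not renamed: where to start working backward
            $lookback = $Rows |
                Where-Object { $t = [datetime]$_.LastWriteTime; $t -lt $first.Time -and $t -ge $first.Time.AddHours(-1) } |
                Where-Object { $_.FullName -notin $hits.Path } |
                Select-Object -ExpandProperty FullName
            return [pscustomobject]@{
                Onset           = $first.Time
                PatientZeroFile = $first.Path
                FilesInWindow   = $b.Count
                PreOnsetTouched = @($lookback)
                Timeline        = $timeline
            }
        }
    }
    return $null
}

# constructed sample listing (not real data): normal activity, one pre-onset touch, then a burst
$sample = @"
FullName,LastWriteTime
C:\share\finance\q1.xlsx,2024-03-02T09:14:05
C:\share\finance\budget.docx,2024-03-02T10:40:11
C:\share\it\notes.txt,2024-03-03T01:52:30
C:\share\hr\list.xlsx.locked,2024-03-03T02:17:03
C:\share\hr\policy.pdf.locked,2024-03-03T02:17:04
C:\share\hr\review.docx.locked,2024-03-03T02:17:09
C:\share\finance\ap.xlsx.locked,2024-03-03T02:17:21
C:\share\finance\ar.xlsx.locked,2024-03-03T02:17:38
C:\share\finance\ledger.xlsx.locked,2024-03-03T02:17:55
C:\share\legal\nda.docx.locked,2024-03-03T02:19:02
"@
$rows = $sample | ConvertFrom-Csv

$result = Find-EncryptionOnset -Rows $rows -WindowSeconds 60 -Threshold 5
$result | Select-Object Onset, PatientZeroFile, FilesInWindow, PreOnsetTouched | Format-List
$result.Timeline | Format-Table -AutoSize
```

on the sample, the first 60-second window starting at 02:17:03 holds six renames, so onset is 02:17:03 with list.xlsx.locked as patient zero, and notes.txt at 01:52:30 is the pre-onset touch to pull timestamps and evtx entries for. tune WindowSeconds and Threshold to the share size; a small share never reaches five renames a minute and needs a lower bar.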
