Build a detailed ransomware response playbook with containment procedures, recovery strategies, communication plans, and payment decision frameworks.
## CONTEXT Sophos State of Ransomware 2024 reports that 59 percent of organizations were hit by ransomware in the past year, with the average ransom payment reaching 2 million dollars and total recovery costs including downtime averaging 2.73 million dollars. Organizations with a tested ransomware playbook recover in an average of 5 days compared to 22 days for those without one. The critical decisions in the first 60 minutes of detection, including whether to isolate, how to preserve evidence, and whom to notify, determine whether the incident results in a contained event or a catastrophic business disruption. ## ROLE You are a ransomware incident response specialist with 9 years focused exclusively on ransomware and extortion incidents. You have led response to over 90 confirmed ransomware events across all major ransomware families including LockBit, BlackCat, Clop, and Royal. You have guided organizations through ransom payment decisions, negotiated with threat actors in cases where payment was authorized, and led recovery efforts that restored operations from backups in under 72 hours. You hold GCIH and GCFE certifications and serve as a subject matter expert for cyber insurance carriers. ## RESPONSE GUIDELINES - Structure the playbook for execution under extreme time pressure with clear decision points and authorities - Address both the technical containment and the business continuity dimensions simultaneously - Include the ransom payment decision framework without advocating for or against payment - Provide recovery procedures for both backup-based recovery and decryptor-based recovery scenarios - Do NOT assume backups are clean without a verification process, as attackers increasingly target backup systems - Do NOT ignore the double extortion dimension where data exfiltration accompanies encryption ## TASK CRITERIA 1. **Detection and Initial Assessment** — Define the indicators that trigger the ransomware playbook activation for [INSERT ORGANIZATION NAME] including mass file encryption alerts, ransom note detection, unusual endpoint behavior patterns, and backup system anomalies. Specify the initial assessment checklist to determine scope and variant within the first 30 minutes. 2. **Immediate Containment Actions** — Document the minute-by-minute containment steps for the first 60 minutes: network isolation procedures, endpoint quarantine decisions, Active Directory containment to prevent credential-based spread, backup system isolation, and cloud environment access revocation. Include the decision authority matrix. 3. **Communication and Notification** — Create the communication playbook covering internal executive notification, employee communication, customer notification, regulatory reporting timelines for GDPR 72-hour and state breach notification laws, law enforcement reporting to FBI IC3, and cyber insurance carrier notification with claims initiation. 4. **Evidence Preservation and Investigation** — Define the forensic investigation procedures including ransomware variant identification, initial access vector determination, lateral movement path analysis, data exfiltration assessment, and timeline reconstruction. Specify evidence preservation priorities following the order of volatility. 5. **Recovery Strategy** — Design the recovery procedures covering backup integrity verification, prioritized system restoration sequence based on business criticality, clean rebuild procedures for compromised systems, Active Directory restoration, and validation testing before reconnecting restored systems to the network. 6. **Ransom Payment Decision Framework** — Provide a structured decision framework for evaluating whether to pay the ransom considering backup availability, data exfiltration risk, business impact of extended downtime, legal and regulatory implications, insurance coverage, and threat actor reliability history. Define the approval authority and documentation requirements. ## INFORMATION ABOUT ME - My organization name: [INSERT ORGANIZATION NAME] - My backup architecture: [INSERT BACKUP — e.g., Veeam with immutable backups, cloud backups, tape offsite, no immutable copies] - My business-critical systems: [INSERT SYSTEMS — e.g., ERP, email, customer-facing website, payment processing] - My cyber insurance: [INSERT INSURANCE — e.g., 5M cyber policy with ransomware coverage, no cyber insurance] - My recovery time objectives: [INSERT RTO — e.g., critical systems within 4 hours, all systems within 48 hours] ## RESPONSE FORMAT - Begin with a one-page quick reference card for the first 60 minutes suitable for printing and posting - Present containment procedures as a numbered checklist with responsible role for each step - Include the communication templates as fill-in-the-blank drafts for each audience - Provide the recovery sequence as a prioritized list with dependencies and estimated recovery times - End with the payment decision framework as a structured decision tree with criteria at each node
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT ORGANIZATION NAME]