Free Download
Ransomware Incident Response Playbook
A step-by-step 76-item checklist for the first 24 hours of a ransomware attack. Built for SOC teams, IR leads, and CISOs who need to act fast and avoid costly mistakes.
Phase 1 · 0 – 1 Hour (18 items)
Confirm & Classify, Evidence Preservation (Do This Before Anything Else), Activate IR Team
Phase 2 · 1 – 4 Hours (21 items)
Network Isolation, Protect Backups (Critical), Account & Credential Lockdown, Notifications
Phase 3 · 4 – 24 Hours (17 items)
Threat Actor Eviction, Forensic Investigation, Recovery Decision
Phase 4 · 24 Hours+ (20 items)
Phased Restoration, Enhanced Monitoring, Post-Incident
76 action items across 4 phases
Interactive checkboxes — check off as you work
Critical items flagged for immediate action
IR contact directory template
Based on NIST SP 800-61r2 & CISA guidance
Print-ready PDF format
Get instant access — free
Subscribe to Decryption Digest to unlock the full playbook. Weekly threat intelligence briefings. No spam. Unsubscribe anytime.