Ransomware Triage

Investigate potential ransomware activity step-by-step. Identify indicators, assess blast radius, execute containment, and produce a management-ready incident report.

⚡ Takes ~10–15 minutes 📊 Output: Incident report + IOCs 🔒 No login required

No setup needed — just paste and run

  • Mass file encryption detected
  • Shadow copy deletion alert
  • Suspicious file extension changes
Step 1: Initial Indicators

You are a senior SOC analyst triaging a potential ransomware incident. Assume an enterprise environment unless I specify otherwise.

Paste any of the following:
- EDR alert
- File activity logs
- Process logs
- SIEM alert

Analyze for ransomware indicators:
1. Mass file modification or encryption (hundreds of files modified within seconds)
2. File extension changes (.locked, .encrypted, .ransomed, or random extensions)
3. Ransom note creation (README.txt, DECRYPT_FILES.html, HOW_TO_RECOVER.txt)
4. Shadow copy deletion (vssadmin, wmic, bcdedit commands)
5. Suspicious process spawning cmd or PowerShell
6. Lateral movement before encryption (accessing network shares, remote systems)

If evidence is not sufficient to confirm ransomware, clearly state: "Ransomware not confirmed based on current evidence."

Output format:

RANSOMWARE TRIAGE OVERVIEW
- Affected System:
- Alert Source:
- Time of Detection:

INDICATORS DETECTED
| Indicator | Evidence | Confidence | Severity |

IMMEDIATE QUESTION
Is encryption still in progress or completed?

[PASTE EDR ALERT OR LOGS HERE]
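As an added worked example (not part of the original workflow), here are the Step 1 indicator checks written as detection logic run over constructed log lines. The log format, the 100-writes-per-60-seconds burst threshold and the "burst plus one independent indicator" disposition rule are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Indicator lists come from the triage prompt above; thresholds are assumed, tune per environment.
RANSOM_EXTS = (".locked", ".encrypted", ".ransomed")
RANSOM_NOTES = ("readme.txt", "decrypt_files.html", "how_to_recover.txt")
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|bcdedit", re.I)
# Assumed (constructed) log format: "<ISO-8601 ts> <host> <FILE_MOD|FILE_CREATE|PROC> <detail>"
LOG_RE = re.compile(r"^(\S+) (\S+) (FILE_MOD|FILE_CREATE|PROC) (.+)$")

def max_burst(times, window):
    """Largest number of events that fall inside any sliding window of the given width."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(lines, window=timedelta(seconds=60), threshold=100):
    """Return (findings, disposition); findings map onto the INDICATORS DETECTED table."""
    mods, found = defaultdict(list), {}
    for m in filter(None, map(LOG_RE.match, lines)):
        ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
        host, kind, detail = m[2], m[3], m[4]
        low = detail.lower()
        if kind == "FILE_MOD":
            mods[host].append(ts)
            if low.endswith(RANSOM_EXTS):
                found.setdefault((host, "Extension change"), detail)  # keep first evidence
        elif kind == "FILE_CREATE" and low.rsplit("\\", 1)[-1] in RANSOM_NOTES:
            found.setdefault((host, "Ransom note"), detail)
        elif kind == "PROC" and SHADOW_DELETE.search(detail):
            found.setdefault((host, "Shadow copy deletion"), detail)
    for host, times in mods.items():  # "hundreds of files modified within seconds"
        n = max_burst(times, window)
        if n >= threshold:
            found[(host, "Mass file modification")] = f"{n} files modified within {window.seconds}s"
    findings = [{"host": h, "indicator": i, "evidence": e, "confidence": "High", "severity": "Critical"}
                for (h, i), e in found.items()]
    # Disposition rule (assumed): a write burst plus one independent indicator confirms; otherwise say so.
    kinds = {i for _, i in found}
    confirmed = "Mass file modification" in kinds and len(kinds) >= 2
    return findings, "Confirmed Ransomware" if confirmed else "Ransomware not confirmed based on current evidence."

# Constructed sample: a 250-file write burst, shadow copy deletion, a ransom note, and one benign edit.
SAMPLE = [f"2026-03-10T03:17:{i % 60:02d}Z FILE-SERVER-01 FILE_MOD \\\\fs\\finance\\doc{i}.xlsx.locked"
          for i in range(250)] + [
    "2026-03-10T03:16:40Z FILE-SERVER-01 PROC cmd.exe /c vssadmin delete shadows /all /quiet",
    "2026-03-10T03:19:30Z FILE-SERVER-01 FILE_CREATE \\\\fs\\finance\\HOW_TO_RECOVER.txt",
    "2026-03-10T03:20:00Z DESKTOP-HR-07 FILE_MOD \\\\fs\\hr\\policy.docx",
]
```

Running `triage(SAMPLE)` returns four findings for FILE-SERVER-01 and none for the single benign edit on DESKTOP-HR-07; with only that benign line it returns the "not confirmed" wording the prompt requires.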
Step 2: Blast Radius Assessment

Based on the ransomware indicators from Step 1, assess the blast radius immediately.

Determine:
1. How many systems appear affected?
2. Are network shares or file servers involved?
3. Has the ransomware moved laterally to other hosts?
4. What is the earliest indicator of compromise? If patient zero cannot be determined confidently, state the earliest observable suspicious host instead.
5. What accounts were used to spread the ransomware?

Map the infection chain:
Patient Zero → Lateral Movement → Affected Systems

Then identify:
- Systems that must be isolated immediately
- Backups that may be at risk
- Domain controllers or critical infrastructure showing suspicious activity

⚠️ Flag any domain admin account involvement as CRITICAL SEVERITY immediately.
Step 3: Containment Actions

Generate an immediate containment checklist for this ransomware incident.

Prioritize in this order:
1. Stop the spread (highest priority)
2. Preserve evidence
3. Assess recovery options

For each action provide:
- Exact step to take
- Which team owns it: SOC / IT / Management
- Time sensitivity: Immediate / Within 1 hour / Within 4 hours

🔴 IMMEDIATE (next 15 minutes):
- Network isolation steps
- Account lockdown steps
- Backup protection steps

🟡 SHORT TERM (within 1 hour):
- Evidence preservation
- Communication steps
- Forensic imaging priority

🟢 RECOVERY PLANNING (within 4 hours):
- Backup verification
- Clean system identification
- Restoration sequence

Also identify:
- Ransomware family if detectable from indicators
- Known decryptors available if any
- Law enforcement notification requirements
Step 4: Incident Report

Write a professional ransomware incident report suitable for senior management and legal review.

Include:
- Executive summary (2-3 sentences, non-technical)
- Technical summary (what happened, how, when)
- Current status: contained / active / unknown
- Business impact assessment. Do not overstate business impact if asset criticality is not known.
- Actions taken so far
- Recommended next steps

Severity: Critical / High
Disposition: Confirmed Ransomware / Suspected Ransomware / False Positive

TIMELINE
| Time | Event |

AFFECTED ASSETS
| Asset | Type | Status |

IOCS
| IOC Type | Value | Context |

NOTIFICATIONS REQUIRED
[ ] Senior Management
[ ] Legal / Compliance
[ ] Cyber Insurance Provider
[ ] Law Enforcement (if required)
[ ] Affected customers (if data exfiltrated)

Example Output

Here's what you can expect after completing this workflow:

RANSOMWARE TRIAGE OVERVIEW
===========================
Affected System: FILE-SERVER-01
Alert Source: CrowdStrike Falcon EDR
Time of Detection: 2026-03-10 03:17 UTC

INDICATORS DETECTED
===================
| Indicator | Evidence | Confidence | Severity |
| Mass file encryption | 4,847 files modified in 3 minutes | High | Critical |
| Extension change | Files renamed to .locked | High | Critical |
| Shadow copy deletion | vssadmin delete shadows executed | High | Critical |
| Ransom note | HOW_TO_RECOVER.txt created in every folder | High | Critical |

BLAST RADIUS
============
Patient Zero: DESKTOP-FINANCE-03
Infection Chain: DESKTOP-FINANCE-03 → FILE-SERVER-01 → BACKUP-SERVER-02 (attempted)
Systems Isolated: 3
Backups: At risk — backup server targeted

CONTAINMENT STATUS
==================
IMMEDIATE ACTIONS TAKEN:
- FILE-SERVER-01 isolated from network
- DESKTOP-FINANCE-03 isolated
- Backup server network connection severed

INCIDENT REPORT
===============
Severity: CRITICAL
Disposition: Confirmed Ransomware
Ransomware was detected on FILE-SERVER-01 at 03:17 UTC encrypting finance department files. Patient zero identified as DESKTOP-FINANCE-03. Three systems isolated. Cyber insurance provider notified. Law enforcement notification pending legal review.

Generate SOC Investigation Summary

Populate a ready-to-paste investigation report for your ticket or incident log.