Ransomware Incident Response
24/7 Emergency Hotline for ransomware incident response: 1 (833) 562-5273
Ransomware incident response is the structured process of stopping encryption, removing attacker access, investigating how the intrusion happened, and restoring operations safely. Modern ransomware is usually “encryption + extortion,” meaning attackers may steal data first, then use pressure tactics to force payment. Your priorities should be: contain, investigate, eradicate, and recover, in that order.
- What ransomware is (and how it evolved)
- Common ransomware timelines
- Common tactics, techniques, and procedures (TTPs)
- High-signal indicators and IOCs to watch for
- Top ransomware groups we handle
- Our ransomware incident response approach
- Hardening checklist and best practices
- Tabletop exercises and simulation training
- FAQ
- 24/7 ransomware help
What Ransomware Is (And How It Evolved)
Ransomware is a category of cyberattack where adversaries disrupt access to data or systems, most commonly by encrypting files, and demand payment. Today’s operations often include data theft, extortion, and business disruption, not just encryption.
Old model: “Encrypt and demand”
Early ransomware primarily focused on encryption and a basic demand note. Recovery usually came down to restoring from backups after basic containment.
Modern model: “Steal + extort + encrypt”
Many groups now use “double extortion” (threatening data release) and sometimes “triple extortion” (adding customer pressure or DDoS). This changes what “recovery” means because restoring servers doesn’t automatically resolve data exposure risk.
The most important takeaway: ransomware is usually the final stage of a broader intrusion. If you only focus on restoring files, attackers may still have access. The incident can reoccur.
Helpful reference (authoritative): CISA’s StopRansomware program (cisa.gov/stopransomware) has practical prevention and response guidance.
Common Ransomware Timelines
Every case is different, but most ransomware incidents follow repeatable phases. Some actors move quickly; others spend time positioning to maximize impact. Your goal is to disrupt the timeline as early as possible.
Phase 1: Initial access
Phishing, stolen credentials, exposed VPN/RDP, unpatched internet-facing systems, or compromised third-party access.
Phase 2: Expansion and persistence
Credential abuse, privilege escalation, lateral movement, deployment of remote tooling, and establishing reliable access paths.
Phase 3: Discovery and data staging
Identifying critical servers, backups, virtualization, identity systems, and sensitive data locations, then staging for exfiltration.
Phase 4: Disruption
Attempting to disable EDR, tamper with backups, delete shadow copies, push encryption broadly, and drop the demand note.
Common Ransomware TTPs
While tools and malware families vary, ransomware intrusions commonly include the same core behaviors. These are the areas we prioritize during investigation and containment.
- Credential access and abuse: suspicious login patterns, impossible travel, new MFA registrations, token theft indicators
- Privilege escalation: new admin group membership, service account misuse, sudden privileges assigned to unknown identities
- Lateral movement: remote service creation, PsExec/WMI usage, scheduled tasks pushed at scale
- Defense evasion: attempts to stop security services, disable logging, or uninstall EDR agents
- Backup and recovery tampering: deletion of shadow copies, targeting backup servers, hypervisors, and storage systems
- Data theft / extortion staging: bulk archive creation, unusual compression activity, large outbound transfers
In most environments, the highest-confidence detection comes from correlation across identity logs, EDR telemetry, network flows, and admin activity, not from a single IOC alone.
High-Signal Indicators And IOCs To Watch For
The most useful ransomware IOCs are often behavioral. Below are patterns that repeatedly show up across many ransomware families. If you have a ransom note, encrypted samples, or EDR detections, Lockard Security can extract reliable case-specific IOCs quickly.
Identity and access indicators
- New privileged accounts or sudden privilege changes
- Unusual authentication patterns for service accounts (especially interactive logins)
- Conditional Access / MFA policy changes you didn’t authorize
- New VPN users, new RDP exposure, or unexpected remote access enablement
Endpoint and server indicators
- Mass file modifications across shares in a short timeframe
- Security tooling tampering (services stopped, agents removed, exclusions added)
- Unexpected admin tooling usage on endpoints (remote exec tools, scripting at scale)
- New scheduled tasks or services created across multiple systems
Recovery destruction behaviors
Commands like these are common across many ransomware events. Don’t run them; hunt for them in process-creation logs (for example, Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1). Note that shadow copy deletion via vssadmin or wmic also occurs during legitimate backup maintenance, so check the parent process and the account that ran it before escalating:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
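As an added example (not Lockard Security’s own tooling), here is Python that runs the hunts above over constructed endpoint telemetry: it flags the recovery-destruction command lines in process-creation events, downgrades a hit to “review” when the parent process is an assumed backup agent (the allowlisted name backupagent.exe is hypothetical), and separately flags a host that modifies more than 100 distinct files inside any 60-second window, the “mass file modification” indicator listed above. The event records, hostnames, users and paths are all constructed for the example; adapt the field names to your EDR or Sysmon export.

```python
"""Hunt constructed endpoint telemetry for two ransomware precursors:
recovery-destruction commands and mass file-modification bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the recovery-destruction commands quoted on the page. Each is
# matched case-insensitively against the full command line, so "vssadmin.exe
# Delete Shadows /All" is caught as well as the lowercase form.
RECOVERY_DESTRUCTION = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("Windows recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot failure handling suppressed (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Assumed allowlist of parent processes that legitimately prune shadow copies
# (hypothetical backup agent name); tune this to your own backup software.
EXPECTED_PARENTS = {"backupagent.exe"}

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def hunt_recovery_destruction(process_events):
    """Return one finding per (event, pattern) match. A hit whose parent is an
    expected backup agent is rated 'review' rather than 'high'."""
    findings = []
    for ev in process_events:
        for label, pattern in RECOVERY_DESTRUCTION:
            if pattern.search(ev["cmdline"]):
                parent = ev.get("parent", "").lower()
                findings.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "label": label, "cmdline": ev["cmdline"],
                    "severity": "review" if parent in EXPECTED_PARENTS else "high",
                })
    return findings


def detect_mass_modification(file_events, window_seconds=60, threshold=100):
    """Flag hosts that modify more than `threshold` distinct paths inside any
    sliding window of `window_seconds`, using a two-pointer sweep per host."""
    by_host = defaultdict(list)
    for ev in file_events:
        by_host[ev["host"]].append((parse_ts(ev["ts"]), ev["path"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, events in by_host.items():
        events.sort()
        start, in_window = 0, defaultdict(int)   # path -> count inside window
        peak, peak_at = 0, None
        for ts, path in events:
            in_window[path] += 1
            while events[start][0] < ts - window:   # expire old events
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), events[start][0]
        if peak > threshold:
            alerts.append({"host": host, "distinct_files": peak,
                           "window_start": peak_at.strftime(TS_FMT)})
    return alerts


# Constructed sample telemetry (not real case data).
BASE = datetime(2025, 3, 14, 2, 17, 0)


def _t(offset_seconds):
    return (BASE + timedelta(seconds=offset_seconds)).strftime(TS_FMT)


PROCESS_EVENTS = [
    {"ts": _t(0), "host": "FS01", "user": "CORP\\backup-svc", "parent": "backupagent.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},                  # routine backup pruning
    {"ts": _t(5), "host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},              # interactive, mixed case
    {"ts": _t(6), "host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": _t(7), "host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": _t(8), "host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": _t(9), "host": "WS-042", "user": "CORP\\asmith", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\asmith\\notes.txt"},            # benign
]

FILE_EVENTS = (
    # FS01: 150 distinct files rewritten within 30 seconds (encryption burst)
    [{"ts": _t(10 + i // 5), "host": "FS01", "path": f"\\\\FS01\\finance\\doc{i:04d}.xlsx"}
     for i in range(150)]
    # WS-042: a user saving 8 files over 7 minutes (normal activity)
    + [{"ts": _t(60 * i), "host": "WS-042", "path": f"C:\\Users\\asmith\\draft{i}.docx"}
       for i in range(8)]
)


def run():
    return {"recovery_destruction": hunt_recovery_destruction(PROCESS_EVENTS),
            "mass_modification": detect_mass_modification(FILE_EVENTS)}


if __name__ == "__main__":
    result = run()
    for f in result["recovery_destruction"]:
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['user']}: {f['label']} <- {f['cmdline']}")
    for a in result["mass_modification"]:
        print(f"[high] {a['host']}: {a['distinct_files']} distinct files modified within 60s "
              f"starting {a['window_start']}")
```

On the constructed data the backup agent’s vssadmin run comes back as “review” while jdoe’s four interactive commands are “high”, and only FS01 trips the burst threshold; the parent-process and rate context is what separates a real precursor from a noisy single IOC.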
Network indicators
- Unexpected encrypted outbound connections to new infrastructure or new geographies
- Tor-related traffic or signs of access to anonymized negotiation portals
- Large outbound uploads to cloud storage or file-sharing platforms
Top Ransomware Groups We Handle
Lockard Security responds to ransomware incidents across many families and affiliate programs. Below are several high-impact groups frequently referenced in reporting and real-world cases. Each group’s page includes practical response guidance and threat-specific indicators.
Don’t see your strain listed? That’s normal. Names change, affiliates move, and new variants appear constantly. If you share a ransom note or IOC set, we can identify what you’re dealing with quickly.
Our Ransomware Incident Response Approach
We follow a structured incident response process aligned with NIST SP 800-61: contain the threat, investigate the intrusion path, eradicate attacker access, and restore operations safely, while preserving evidence for cyber insurance, legal counsel, and regulatory requirements.
1) Immediate triage and containment
Stop encryption, isolate impacted segments, and block attacker access paths (VPN/IdP/firewall/remote tooling).
2) Investigation and scoping
Establish timeline, determine entry point, map lateral movement, and identify impacted systems and sensitive data exposure risk.
3) Threat removal and cleanup
Remove persistence, reset credentials, tighten privileged access, and close vulnerabilities that enabled the intrusion.
4) Recovery and restoration
Validate backups, restore cleanly, confirm systems are safe before reconnecting, and reduce re-encryption risk.
5) Post-incident hardening
Deliver a clear report, actionable hardening plan, and prioritized roadmap to reduce likelihood and impact.
6) Insurance and stakeholder support
Support documentation and communication workflows so recovery doesn’t conflict with claim, legal, or regulatory needs.
Hardening Checklist And Best Practices
Ransomware prevention isn’t one control. It’s layers. The checklist below focuses on the controls that most consistently reduce blast radius.
Identity and access
- Enforce MFA everywhere (VPN, admin portals, email, remote management)
- Reduce standing admin rights (use just-in-time / just-enough access)
- Alert on privilege changes, new MFA enrollments, and suspicious sign-ins
Endpoint and server
- EDR deployed broadly and protected from tampering
- Patch internet-facing systems fast; prioritize VPN, edge devices, and critical apps
- Restrict scripting and remote execution at scale (especially from user endpoints)
Network and backups
- Segment critical systems (AD, backups, virtualization, file servers) from user networks
- Backups should be immutable/offline-capable, tested, and protected with separate credentials
- Monitor for large data egress and unusual compression/archiving activity
If you want a practical plan: we can turn this into a prioritized roadmap tied to your current tooling and staffing, not generic checklists.
Tabletop Exercises And Ransomware Simulation
Tabletop exercises reduce panic during real incidents. They clarify roles, escalation paths, and the “first hour” actions so decisions are fast and consistent. We can facilitate a tabletop or help you build a repeatable internal playbook.
Here’s a ransomware attack simulation video from Lockard Security:
Ransomware Incident Response FAQ
Should we pay the ransom?
Payment decisions involve legal, insurance, and business risk. Technically, paying does not guarantee full decryption or that stolen data won’t be reused. Our role is to help you contain the incident, scope impact, and recover safely so leadership can make an informed decision.
What should we preserve for investigation?
Preserve ransom notes, encrypted file samples, EDR detections, identity logs, VPN logs, and the earliest known timestamps. Avoid wiping systems until scoping is complete.
How fast can you help?
If encryption is actively underway or you’re under extortion pressure, call the hotline. We’ll triage immediately and guide containment while we start evidence collection.
24/7 Ransomware Incident Response Help
If your organization is facing ransomware encryption, data extortion, or you suspect an active intrusion leading to ransomware, contact us immediately. The faster we contain, the less downtime and cost you typically absorb.
Email: [email protected]
Request Ransomware Incident Response
If you’re still in the “suspicious activity” stage, we can help validate whether you’re seeing pre-ransomware behaviors and prevent encryption entirely.