What causes Ransomware in progress — first 4 hours?

Phishing-delivered initial access → privilege escalation → lateral movement • Exposed RDP / VPN with weak credentials, no MFA • Unpatched edge device (CVE in firewall, VPN appliance) • Compromised MSP supply chain or remote-access tool • Insider misuse (rare but considered)

How do I resolve Ransomware in progress — first 4 hours?

Contain (isolate, disable, capture) • Identify scope and patient zero • Notify required parties (NCSC, ICO if PII, insurer, leadership) • Eradicate (rebuild compromised systems clean) • Recover (restore from immutable backups, validate) • Lessons learned — root cause closed permanently

How do I prevent Ransomware in progress — first 4 hours?

Immutable / air-gapped backups (3-2-1-1-0) • MFA on all remote access — VPN, M365, RMM, vendor tools • EDR with behavioural detection and managed response • Privileged Access Workstation (PAW) for tier-0 admin • Patch SLA for edge devices (≤14 days from vendor disclosure) • Quarterly tabletop incident exercise

P1 · Cyber Incident Response

Ransomware in progress — first 4 hours

Active or suspected ransomware. Goal: contain spread, preserve evidence, protect ability to report accurately under UK GDPR / NIS2.

Indicators

Files renamed with unfamiliar extensions
Ransom note files (README, RECOVER, _decrypt) appearing across shares
Volume shadow copies deleted (vssadmin delete shadows in event log)
Backup repositories targeted, jobs failing
EDR alerts of mass-encryption behaviour or LOLBin abuse
Domain admin account logging in from unexpected workstations

Likely causes

Phishing-delivered initial access → privilege escalation → lateral movement
Exposed RDP / VPN with weak credentials, no MFA
Unpatched edge device (CVE in firewall, VPN appliance)
Compromised MSP supply chain or remote-access tool
Insider misuse (rare but considered)

Diagnostic steps

CONTAIN before investigating. Disconnect from internet at the firewall — not by shutting servers down (memory evidence). Isolate VLANs as needed. Disable VPN. Block external SMB/RDP
Identify Patient Zero — earliest encrypted file timestamp, EDR alert chain, suspicious account logon
Preserve evidence: do NOT wipe affected hosts. Capture memory (KAPE / Velociraptor / FTK Imager) and system logs before any rebuild
Disable compromised accounts; reset credentials for privileged accounts from a clean station; rotate kerberos krbtgt twice (24h apart) for AD compromise
Engage UK NCSC and ICO — 72-hour clock on personal data breaches under UK GDPR. Insurer cyber response team if covered
Begin recovery from immutable / offline backups only — never decrypt and reuse compromised systems for production

Resolution path

Contain (isolate, disable, capture)
Identify scope and patient zero
Notify required parties (NCSC, ICO if PII, insurer, leadership)
Eradicate (rebuild compromised systems clean)
Recover (restore from immutable backups, validate)
Lessons learned — root cause closed permanently

Prevention

Immutable / air-gapped backups (3-2-1-1-0)
MFA on all remote access — VPN, M365, RMM, vendor tools
EDR with behavioural detection and managed response
Privileged Access Workstation (PAW) for tier-0 admin
Patch SLA for edge devices (≤14 days from vendor disclosure)
Quarterly tabletop incident exercise

Tools

EDR / antivirus admin console (Defender for Endpoint, SentinelOne, CrowdStrike, etc.)
KAPE (Kroll Artifact Parser & Extractor)
Velociraptor (forensic triage)
PowerShell ActiveDirectory module — disable accounts en masse, krbtgt rotation
Veeam / Datto / Rubrik immutable backup operations console
Network gear console for traffic isolation

References

NCSC — Mitigating malware and ransomware attacks
NCSC — Incident management collection
ICO — Personal data breach reporting (72h)
NIST SP 800-61r2 — Computer Security Incident Handling Guide
CISA — StopRansomware.gov resources
Engineer Direct guide — First steps after ransomware

ransomwareincident-responsencscicocontainmentforensics