🚨 CRITICAL INCIDENT — RANSOMWARE DETECTED — MULTIPLE HOSTS
IR-08
INCIDENT RESPONSE — RANSOMWARE RESPONSE
PATIENT ZERO · LATERAL MOVEMENT · ENCRYPTION · VSS DELETION

OBJECTIVES

  • Read the incident ticket
  • Identify patient zero (first infected host)
  • Find the initial access method
  • Trace the lateral movement path
  • Identify the ransomware family
  • Find the VSS deletion command
  • Count total encrypted files
  • Look up the C2 / ransomware hash in intel
  • Run PowerShell investigation commands
  • Submit the IR report
PHASE 1 — TRIAGE
INCIDENT BRIEF
🚨 CRITICAL — TICKET #IR-2026-0601

RANSOMWARE RESPONSE

MULTIPLE HOSTS AFFECTED · 06:47 UTC · ENCRYPTION ACTIVE

INCIDENT SUMMARY

At 06:47 UTC the helpdesk began receiving calls from employees finding their files renamed with a .locked extension and a ransom note titled README_DECRYPT.txt on their desktops. The EDR platform raised alerts across multiple hosts simultaneously. Encryption appears to be ongoing on some machines.

AFFECTED NETWORK

Host        User        Dept         IP
WKSTN-007   lisa.chan   Finance      10.10.14.7
WKSTN-012   tom.reed    Finance      10.10.14.12
WKSTN-019   sara.jones  HR           10.10.14.19
FILESVR-01  SYSTEM      File Server  10.10.14.50

PRIORITY TASKS

  • Open Alert Dashboard — get overview of affected hosts
  • Open EDR Timeline — find patient zero and attack chain
  • Open Network Map — trace lateral movement path
  • Open File Impact — count encrypted files, read ransom note
  • Open Threat Intel — look up IOCs to identify the threat
  • Complete IR Report

IMMEDIATE ACTIONS (already taken)

  • WKSTN-007 isolated from network at 06:52 UTC
  • WKSTN-012 isolated at 06:54 UTC
  • Encryption still active on WKSTN-019 and FILESVR-01
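The brief gives three indicators that a responder can measure directly on the hosts rather than read off the dashboard: files renamed with the .locked extension, the README_DECRYPT.txt note, and shadow copies deleted on every host. The following PowerShell is an added example written for this page; it is not the lab's simulated console command set and not part of the original ticket. It assumes the hosts are reachable over WinRM from the SOC jump server with the analyst's current credentials, that process-creation auditing with command-line logging is enabled so Security event 4688 carries the CommandLine field, and that the extension and note name are exactly as the brief states. Hosts that have already been network-isolated (WKSTN-007, WKSTN-012) will usually not answer WinRM; their artifacts have to be pulled through the EDR console instead.

```powershell
# Added example for the IR-2026-0601 brief, not the lab's own code.
# Assumptions (constructed): WinRM reachable, 4688 command-line auditing on,
# ".locked" extension and README_DECRYPT.txt as described in the ticket.

$Hosts     = 'WKSTN-007','WKSTN-012','WKSTN-019','FILESVR-01'   # AFFECTED NETWORK table
$Extension = '.locked'
$NoteName  = 'README_DECRYPT.txt'

# Objective "Count total encrypted files": enumerate on the host itself so only
# counts and a few paths cross the wire, and record the newest write time as an
# approximation of when encryption was last active on that host.
function Get-EncryptionImpact {
    param([string[]]$ComputerName, [string]$Ext, [string]$Note)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        param($Ext, $Note)
        $roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object Root
        $files = $roots | ForEach-Object {
            Get-ChildItem -Path $_ -Recurse -File -Force -Filter "*$Ext" -ErrorAction SilentlyContinue
        }
        $notes = $roots | ForEach-Object {
            Get-ChildItem -Path $_ -Recurse -File -Force -Filter $Note -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Host           = $env:COMPUTERNAME
            EncryptedFiles = ($files | Measure-Object).Count
            LastEncrypted  = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            RansomNotes    = ($notes | Measure-Object).Count
            NotePaths      = ($notes.FullName | Select-Object -First 3) -join '; '
        }
    } -ArgumentList $Ext, $Note
}

# Objective "Find the VSS deletion command": search process-creation events for the
# usual shadow-copy removal tooling (vssadmin, wmic shadowcopy, Win32_ShadowCopy,
# wbadmin) and return who ran it, from which parent, and the full command line.
function Get-ShadowCopyDeletion {
    param([string[]]$ComputerName, [datetime]$Since)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        param($Since)
        $pattern = 'vssadmin.*delete\s+shadows|shadowcopy\s+delete|Win32_ShadowCopy|wbadmin.*delete'
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    Host        = $env:COMPUTERNAME
                    Time        = $_.TimeCreated.ToUniversalTime()
                    User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Process     = $d['NewProcessName']
                    Parent      = $d['ParentProcessName']
                    CommandLine = $d['CommandLine']
                }
            }
    } -ArgumentList $Since
}

# Usage from the SOC jump server. The search window opens well before the first
# alert (06:18 UTC) because shadow copies are normally removed before encryption starts.
$since = [datetime]::Parse('2026-05-08T05:00:00Z').ToUniversalTime()

Get-EncryptionImpact -ComputerName $Hosts -Ext $Extension -Note $NoteName |
    Format-Table Host, EncryptedFiles, LastEncrypted, RansomNotes, NotePaths -AutoSize

Get-ShadowCopyDeletion -ComputerName $Hosts -Since $since |
    Sort-Object Time | Format-Table Host, Time, User, Parent, CommandLine -Wrap
```

The per-host counts should reconcile with the dashboard's FILES ENC. figures; a growing count or a LastEncrypted value within the last few minutes confirms encryption is still active on that host, which is the containment decision the brief leaves open for WKSTN-019 and FILESVR-01. The parent process in the 4688 output is the more useful field for the timeline: it ties the shadow-copy deletion back to the binary that launched it, which is the same artifact the threat-intel lookup needs.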
ALERT DASHBOARD — TICKET #IR-2026-0601 — LIVE
HOSTS AFFECTED: 4
FILES ENCRYPTED: 3,847
HOSTS CONTAINED: 2
ENCRYPTION ACTIVE: 2
AFFECTED HOSTS
Host        User / Dept           IP           Status        First alert  Files enc.       VSS deleted  OS
WKSTN-007   lisa.chan / Finance   10.10.14.7   ISOLATED      06:18 UTC    1,204            YES          Windows 11 Pro
WKSTN-012   tom.reed / Finance    10.10.14.12  ISOLATED      06:31 UTC    892              YES          Windows 11 Pro
WKSTN-019   sara.jones / HR       10.10.14.19  NOT ISOLATED  06:44 UTC    ~680 (active)    YES          Windows 11 Pro
FILESVR-01  SYSTEM / File Server  10.10.14.50  NOT ISOLATED  06:38 UTC    ~1,071 (active)  YES          Windows Server 2022

WKSTN-007 raised the first alert. Encryption is still active on WKSTN-019 and FILESVR-01.
RANSOM NOTE — README_DECRYPT.txt
Found on all affected desktops · C:\Users\Public\Desktop\README_DECRYPT.txt
!!! YOUR FILES HAVE BEEN ENCRYPTED !!!

All your important documents, databases, photos, and backups have been encrypted with military-grade AES-256 encryption.

DO NOT:
  - Rename or move encrypted files (.locked extension)
  - Try to decrypt with third-party software
  - Restart or shut down your computer
  - Contact law enforcement (we will know)

TO RECOVER YOUR FILES:
  1. Download Tor Browser from: https://www.torproject.org
  2. Visit our payment portal: http://lockbitabc4def.onion/pay
  3. Enter your victim ID: APEX-8F3A-2026
  4. Pay 3.5 BTC within 72 hours

After payment confirmation, a decryption key will be provided.
After 72 hours the ransom doubles. After 7 days files are permanently lost.

LockVault Ransomware Group
EDR TIMELINE — ALL HOSTS — 2026-05-08
NETWORK MAP — LATERAL MOVEMENT VISUALIZATION
Legend: Patient Zero · Infected · Contained · Clean · Router/Switch. Red arrows = lateral movement.
FILE IMPACT VIEWER — ENCRYPTED FILES
THREAT INTELLIGENCE — IOC LOOKUP
Look up an IP, hash, or ransomware family: enter the C2 IP, ransom hash, or ransomware family name found during your investigation.
POWERSHELL — SOC JUMP SERVER — Remote Sessions
Windows PowerShell 7.4.1 — SOC Jump Server
Connected to domain: APEXCORP.LOCAL
# Type "help" for available commands
PS C:\>
IR REPORT — TICKET #IR-2026-0601
PATIENT ZERO & INITIAL ACCESS
SPREAD & IMPACT
RANSOM DETAILS
CONTAINMENT