If an incident occurs

An educational summary of what authoritative public guidance says people on a college campus should do if they ever face a ransomware incident. This page is for advance reading and planning — not for use during a live incident.

This is not a real-time incident-response service

If you believe an incident is happening right now, contact your campus IT or information-security team immediately using a phone or a known-good device. In the United States, public reporting and assistance are also available from the U.S. Cybersecurity & Infrastructure Security Agency at cisa.gov/stopransomware/report-ransomware and the FBI Internet Crime Complaint Center at ic3.gov.

This page summarizes published guidance from sources such as NIST SP 800-61r3, CISA #StopRansomware, and FBI IC3. It is not professional incident-response advice and is not a substitute for trained responders, qualified counsel, or your institution’s policies and contracts.

What public guidance generally recommends

The items below paraphrase guidance from CISA, NIST, and the FBI. Your institution’s policies, contracts, insurance terms, and applicable law take precedence.

If a ransom note, mass file renames, or unavailable files are reported

  1. CISA and the FBI generally recommend disconnecting affected devices from the network (Wi-Fi off, Ethernet unplugged) rather than powering them off, to preserve evidence in memory.
  2. Public guidance recommends not deleting the ransom note, files, or related emails, since they may be needed for investigation and potential decryption.
  3. Authoritative sources advise contacting your IT or security team using a separate phone or device, not the affected one.
  4. CISA, FBI, and most insurers recommend against unilaterally paying or negotiating, and against downloading “decryption” tools from web search results.

If a person reports clicking a phishing link or entering credentials

  1. Most published guidance recommends moving to a different, known-good device.
  2. The same guidance recommends changing the affected password, reviewing account recovery information, and reporting the message to IT/security.
  3. Sources advise preserving the original message as evidence rather than deleting it.

If a department leader sees a system become unavailable

  1. Public guidance commonly recommends pausing sensitive workflows — payments, banking changes, and sensitive data exports — until IT/security confirms it is safe to resume.
  2. Sources recommend using pre-arranged out-of-band contact lists (printed or phone-stored) rather than potentially affected systems.
  3. They also recommend waiting for official guidance before making public statements and ignoring unverified rumors.

What incident-response teams typically do (background reading only)

For pre-incident familiarity — actual response should be led by trained personnel and qualified counsel, following your institution’s plan.

  1. NIST SP 800-61r3 describes triggering the documented IR plan and coordinating through an out-of-band channel.
  2. CISA #StopRansomware describes isolating affected network segments, disabling compromised identities, and revoking sessions and tokens.
  3. Both sources describe preserving evidence (e.g., memory and disk images) before reimaging where feasible.
  4. Most guidance describes engaging legal counsel, the cyber-insurance hotline, and law enforcement — in the U.S., CISA and FBI IC3.
  5. It also describes coordinating with communications on cadence and channels and keeping a written timeline of decisions.

By role — background reading

Each role page summarizes what published guidance says that role might do before, during, and after an incident. These are educational summaries for planning, not live-incident instructions.