Response
An educational summary of how published guidance organizes the response phases that follow a ransomware incident. The phases below paraphrase NIST SP 800-61r3 and the CISA #StopRansomware guide.
For planning and study — not for live-incident use
This page is an educational synthesis of public guidance. If you believe an incident is occurring right now, contact your campus IT or information-security team using a phone or known-good device, and consider reporting to CISA and the FBI IC3. Nothing here is professional incident-response advice or a substitute for trained responders, qualified counsel, your institution’s plan, or applicable law.
Contain
Stop the spread fast, then preserve evidence.
- Isolate affected hosts and segments; disable compromised identities.
- Revoke active sessions and rotate exposed credentials/secrets.
- Block known command-and-control infrastructure.
- Preserve memory and disk images before any reimaging.
- Avoid powering off systems unless directed by IR — volatile evidence matters.
Communicate
Coordinate honest, timely messages internally and externally.
- Use out-of-band channels; assume primary email may be unsafe.
- Activate the pre-approved holding statement.
- Engage legal counsel, insurer, and law enforcement (e.g., FBI/CISA) early.
- Brief students, faculty, staff, vendors, and the board on a defined cadence.
- Direct everyone to a single source of truth.
Recover
Restore services in priority order — into a hardened environment.
- Rebuild from known-good images; do not reintroduce unpatched systems.
- Validate backups before relying on them; restore in priority order.
- Rotate secrets, certificates, and service-account credentials.
- Hunt for persistence before declaring recovery complete.
- Run focused communications about service restoration timelines.
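Validating a backup before relying on it, as the Recover list above calls for, can be automated. The following is an added example (not from the page or from NIST/CISA guidance): it checks a snapshot against a manifest of known-good hashes recorded separately from the backup, and against the earliest suspected compromise date; file names, contents and dates are constructed.

```python
"""Check a backup snapshot against a known-good manifest before restoring it.

Added example: the manifest, file names, contents and dates are constructed.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good content as it looked when the backup was taken and
# its hashes were recorded in a manifest stored apart from the backup itself.
KNOWN_GOOD_FILES = {
    "etc/app.conf": b"listen=443\nauth=sso\n",
    "var/db/users.sqlite": b"SQLite format 3\x00sample",
    "www/index.html": b"<html>ok</html>",
}
MANIFEST = {path: sha256_hex(data) for path, data in KNOWN_GOOD_FILES.items()}
SNAPSHOT_TIME = datetime(2024, 1, 10, tzinfo=timezone.utc)     # constructed
COMPROMISE_START = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed


def validate_backup(manifest, snapshot, snapshot_time, compromise_start):
    """Compare snapshot (path -> bytes) with manifest (path -> sha256 hex).

    safe_to_restore is True only when every manifest file is present and
    unchanged, nothing unexpected was added, and the snapshot predates the
    earliest suspected attacker activity.
    """
    report = {"modified": [], "missing": []}
    for path, expected in manifest.items():
        if path not in snapshot:
            report["missing"].append(path)
        elif sha256_hex(snapshot[path]) != expected:
            report["modified"].append(path)
    report["unexpected"] = sorted(set(snapshot) - set(manifest))
    report["taken_after_compromise"] = snapshot_time >= compromise_start
    report["safe_to_restore"] = not (report["modified"] or report["missing"]
                                     or report["unexpected"]
                                     or report["taken_after_compromise"])
    return report


def demo_tampered():
    """Constructed case: one file altered, one missing, one added."""
    snap = dict(KNOWN_GOOD_FILES)
    snap["etc/app.conf"] = b"listen=443\nauth=none\n"  # altered after backup
    del snap["www/index.html"]                          # missing from snapshot
    snap["var/db/extra.bin"] = b"\x00" * 16             # not in the manifest
    return validate_backup(MANIFEST, snap, SNAPSHOT_TIME, COMPROMISE_START)


def demo_clean():
    """Constructed case: snapshot matches the manifest exactly."""
    return validate_backup(MANIFEST, KNOWN_GOOD_FILES, SNAPSHOT_TIME, COMPROMISE_START)
```

A real deployment would read the snapshot from disk and take the manifest from a write-once or offline store, so that an attacker who altered the backup could not also alter the hashes it is checked against.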
Learn
Treat the incident as data. Improve before the next one.
- Hold a blameless after-action review with all involved roles.
- Produce a written AAR with tracked remediation actions and owners.
- Update detections, runbooks, and this playbook.
- Brief leadership, the board, and accreditors as required.
- Recognize and rest the responders.
Common pitfalls described in published guidance
- Powering off systems can destroy volatile memory used for forensics; CISA and NIST guidance generally recommend disconnecting from the network instead.
- Restoring backups into a still-compromised environment may reintroduce the attacker; published guidance recommends hardening before restore.
- Communicating ad hoc through potentially compromised channels; sources recommend out-of-band communication and a single source of truth.
- Treating ransom as a technical decision. Most guidance treats it as strategic, legal, and ethical — to be coordinated with counsel, insurer, and law enforcement.
- Skipping the after-action review. Reports often note that the biggest improvements are funded the week after an incident, not months later.