Planet Red

RansomWare PlayBook

Physical Host
Containment

Disconnect devices identified with malware from the network. You may need to ask the contact to pull out the network cable or disconnect the Wi-Fi radio.
If it cannot be determined whether the host is still connected to the network, the host may need to be switched off at the power. Treat this as a last resort: powering off discards volatile memory (running processes, open network connections and any in-memory artefacts an investigator could use), so where isolation at the switch port, VLAN or EDR level can be confirmed, prefer that, and capture volatile evidence before pulling power if you can.

Eradication

Examine the malware to identify its type (e.g. rootkit, ransomware) and establish how it got onto the device (the initial access vector). This tells you both how to remove it from the device and what must be closed to stop it coming back.

Recovery

Once the malware has been removed, a full system scan must be performed using the most up-to-date signatures available to verify that it is gone from the device.
If the malware cannot be removed from the device (as is often the case with rootkits), the device should be rebuilt from original installation media or known-good images. Before restoring from backup media or images, you must verify that they are not infected and that they predate the compromise: ransomware operators routinely target backups, and a backup taken after initial access may already carry the attacker's foothold.
Protect the system(s) against reinfection by applying the fixes and patches that close the vector identified during eradication.
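The backup verification step above, as an added example that is not part of the playbook. It checks a backup image against a SHA-256 manifest recorded when the backup was taken (and kept off the host, so the attacker could not rewrite it), and rejects the image if any listed file changed or went missing, or if a file that was never in the manifest has appeared. The function names, manifest layout and file names are assumptions; this confirms the image matches the known-good record, it does not replace the malware scan.

```bash
#!/usr/bin/env bash
# Added example for the playbook's "verify the backup is not infected" step.
# Assumes manifests are produced with sha256sum and stored off-host.
set -eu

# Record a manifest of every file under a backup directory.
# usage: record_manifest <backup_dir> <manifest_file>
record_manifest() {
    local dir="$1" manifest="$2"
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# Verify a backup directory against a manifest. Returns 0 only if every
# listed file is present and unchanged AND no unlisted files exist: an
# unlisted file in a restore image is exactly how a dropped payload or a
# replaced binary would be carried back onto the rebuilt host.
# usage: verify_backup <backup_dir> <manifest_file>
verify_backup() {
    local dir="$1" manifest="$2"
    local rc=0

    # 1. Hash mismatches and missing files (sha256sum prints only failures).
    if ! ( cd "$dir" && sha256sum --quiet -c "$manifest" ); then
        rc=1
    fi

    # 2. Files present on disk but absent from the manifest.
    #    Manifest lines are "<64 hex chars><2 spaces><path>", so the path
    #    starts at column 67; this survives paths containing spaces.
    local listed extra
    listed=$(mktemp)
    cut -c67- "$manifest" | sort > "$listed"
    extra=$(cd "$dir" && find . -type f | sort | comm -13 "$listed" -)
    rm -f "$listed"
    if [ -n "$extra" ]; then
        printf 'unlisted file(s) in backup:\n%s\n' "$extra" >&2
        rc=1
    fi

    return "$rc"
}

# Command-line use: record the manifest when the backup is taken, verify
# the retrieved image before restoring from it.
case "${1:-}" in
    record) record_manifest "$2" "$3" ;;
    verify) verify_backup "$2" "$3" ;;
esac
```

Run it as `./verify_backup.sh record /mnt/backup /secure/known-good.sha256` at backup time and `./verify_backup.sh verify /mnt/backup /secure/known-good.sha256` before restoring; a non-zero exit means the image must not be used. Keep the manifest somewhere the compromised host never had write access to, otherwise it proves nothing.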