ransomware defense

Building Ransomware Playbook with CISA Framework

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

cisacomplianceincident-responsenistplaybookransomware
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • An organization needs to create or update its ransomware incident response playbook following CISA guidelines
  • A security team is conducting a ransomware readiness assessment against the CISA StopRansomware framework
  • Compliance requires documenting ransomware response procedures aligned with NIST CSF and CISA recommendations
  • During tabletop exercises to validate that the organization's ransomware response steps match industry best practices
  • After a ransomware incident to update the playbook with lessons learned and close identified gaps

Do not use as a substitute for legal counsel regarding ransom payment decisions, breach notification timelines, or regulatory obligations specific to your jurisdiction.

Prerequisites

  • Familiarity with the CISA StopRansomware Guide (cisa.gov/stopransomware/ransomware-guide)
  • NIST Cybersecurity Framework (CSF) understanding (Identify, Protect, Detect, Respond, Recover)
  • Inventory of critical assets, backup infrastructure, and communication channels
  • Defined roles and responsibilities for incident response team members
  • Python 3.8+ for playbook generation and compliance checking automation
  • Access to organization's asset inventory and backup configuration documentation

Workflow

Step 1: Preparation Phase (CISA Part 1 - Prevention)

Establish ransomware-specific defenses before an incident:

CISA Preparation Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━
[ ] Maintain offline, encrypted backups tested for restoration
[ ] Create and exercise a cyber incident response plan (IRP)
[ ] Implement network segmentation between IT and OT networks
[ ] Enable MFA on all remote access and privileged accounts
[ ] Deploy endpoint detection and response (EDR) on all endpoints
[ ] Disable or restrict RDP; require VPN for remote access
[ ] Maintain a software/hardware asset inventory
[ ] Apply patches within 48 hours for internet-facing systems
[ ] Configure email filtering and disable macro execution by default
[ ] Conduct regular phishing awareness training
[ ] Implement application allowlisting (AppLocker/WDAC)
[ ] Test backup restoration quarterly and document RTO/RPO

Step 2: Detection and Analysis Phase

Identify ransomware indicators and assess scope:

Detection Indicators:
━━━━━━━━━━━━━━━━━━━━
- Mass file rename operations with new extensions (.locked, .encrypted)
- Ransom notes appearing in directories (README.txt, DECRYPT.html)
- Volume Shadow Copy deletion (vssadmin delete shadows)
- Abnormal CPU usage from encryption processes
- EDR/AV alerts for known ransomware signatures
- Network connections to known C2 infrastructure
- Unusual lateral movement via SMB or PsExec
- Sysmon Event ID 11 (file creation) spikes
 
Initial Analysis Steps (CISA):
  1. Take system images and memory captures of affected devices
  2. Identify patient zero and initial access vector
  3. Determine the ransomware family (ID Ransomware, ransom note analysis)
  4. Assess encryption scope: which systems, shares, and data are affected
  5. Check if data exfiltration occurred (double extortion indicator)

Step 3: Containment Phase

Stop the spread and preserve evidence:

Immediate Containment (First 1-4 hours):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Isolate affected systems from the network (disable NICs, VLAN quarantine)
2. If unable to disconnect, power down affected systems
3. Disable shared drives to prevent encryption spread
4. Reset credentials for compromised accounts (especially admin/service accounts)
5. Block known ransomware IOCs at firewall/proxy (C2 domains, IPs)
6. Preserve forensic evidence (memory dumps, disk images, logs)
7. Engage legal counsel and prepare breach notification if data exfiltrated
 
Extended Containment:
  - Identify and patch the initial access vector (phishing, RDP, VPN vuln)
  - Audit all Active Directory accounts for persistence (scheduled tasks, services)
  - Check for backdoors or additional malware beyond the ransomware payload

Step 4: Eradication and Recovery Phase

Remove the threat and restore operations:

CISA Recovery Steps:
━━━━━━━━━━━━━━━━━━━
1. Rebuild affected systems from known-clean images (do NOT decrypt in place)
2. Restore data from offline backups (verify backup integrity first)
3. Reset ALL passwords including service accounts, krbtgt (twice, 12h apart)
4. Scan restored systems with updated AV/EDR before reconnecting to network
5. Re-enable services in priority order based on business criticality
6. Monitor restored systems intensively for 72 hours for reinfection
 
Recovery Priority Matrix:
  P1 (0-4h):  Domain controllers, DNS, authentication infrastructure
  P2 (4-24h): Email, critical business applications, databases
  P3 (1-3d):  File servers, departmental applications
  P4 (3-7d):  Non-critical systems, development environments

Step 5: Post-Incident Activity

Document lessons learned and improve defenses:

Post-Incident Report Template:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Executive summary: What happened, impact, resolution
2. Timeline: Detection to full recovery with timestamps
3. Root cause analysis: Initial access vector and propagation path
4. Scope: Number of systems, data volumes, business impact in hours/dollars
5. Response effectiveness: What worked, what failed, what was missing
6. Recommendations: Specific technical and procedural improvements
7. Compliance actions: Notification timeline, regulatory obligations met
8. Updated playbook: Revisions based on lessons learned

Verification

  • Validate playbook completeness against CISA StopRansomware checklist items
  • Conduct tabletop exercise using the playbook with all stakeholders
  • Verify backup restoration procedures work within documented RTO targets
  • Test communication plans including out-of-band channels
  • Confirm legal and regulatory notification procedures are current
  • Review and update the playbook at least annually or after any incident

Key Concepts

Term Definition
CISA StopRansomware Guide Joint CISA/MS-ISAC/NSA/FBI guide providing ransomware prevention best practices and response checklists
RTO/RPO Recovery Time Objective (max downtime) and Recovery Point Objective (max data loss); critical metrics for backup planning
Double Extortion Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless paid
Patient Zero The first system compromised in an incident; identifying it reveals the initial access vector
Tabletop Exercise Simulated incident scenario walked through by the response team to validate the playbook without live systems

Tools & Systems

  • CISA StopRansomware Guide: Primary framework for ransomware response planning and prevention
  • NIST CSF: Cybersecurity Framework providing the Identify/Protect/Detect/Respond/Recover structure
  • ID Ransomware: Service for identifying ransomware families from encrypted files and ransom notes
  • MITRE ATT&CK: Technique framework for mapping ransomware TTPs to detection opportunities
  • Velociraptor: Endpoint visibility tool for rapid triage and forensic artifact collection during incidents
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md3.1 KB

API Reference: CISA Ransomware Playbook Framework

CISA StopRansomware Guide

Primary Resource

URL: https://www.cisa.gov/stopransomware/ransomware-guide
PDF: https://www.cisa.gov/sites/default/files/2025-03/StopRansomware-Guide%20508.pdf

Guide Structure

Part Content Focus
Part 1 Ransomware and Data Extortion Prevention Best Practices Preparation
Part 2 Ransomware and Data Extortion Response Checklist Response

CISA Reporting

Report an Incident

URL: https://report.cisa.gov

FBI Internet Crime Complaint Center

URL: https://www.ic3.gov

NIST Cybersecurity Framework Mapping

NIST Function Ransomware Application
Identify Asset inventory, risk assessment, data classification
Protect Backups, MFA, patching, email filtering, AppLocker
Detect EDR alerts, SIEM monitoring, anomaly detection
Respond Containment, forensics, notification, communication
Recover Backup restoration, system rebuild, validation

ID Ransomware Service

Identify Ransomware Family

URL: https://id-ransomware.malwarehunterteam.com/
Upload: Encrypted file sample + ransom note

Response

Returns ransomware family name, available decryptors, and known TTPs.

CISA Preparation Checklist Controls

Control ID Control Priority
PREP-01 Offline encrypted backups Critical
PREP-02 Incident response plan Critical
PREP-03 Network segmentation High
PREP-04 Multi-factor authentication Critical
PREP-05 Endpoint detection and response High
PREP-06 RDP restrictions Critical
PREP-07 Patch management High
PREP-08 Email security (DMARC/DKIM/SPF) High
PREP-09 Application allowlisting Medium
PREP-10 Security awareness training Medium

Response Phase Timelines (CISA Recommended)

Phase Target Timeline Key Actions
Detection 0-2 hours Identify scope, capture evidence
Containment 1-4 hours Isolate systems, block IOCs
Eradication 1-7 days Rebuild, restore, reset credentials
Recovery 1-4 weeks Monitor, validate, document
Post-Incident 30-90 days Lessons learned, playbook updates

Regulatory Notification Timelines

Regulation Timeline Authority
GDPR 72 hours Data Protection Authority
HIPAA 60 days HHS Office for Civil Rights
SEC 4 business days Securities and Exchange Commission
PCI DSS Immediately Card brands / acquiring bank
State breach laws Varies (30-90 days) State Attorney General

MITRE ATT&CK Ransomware Techniques

Technique ID Name Phase
T1486 Data Encrypted for Impact Impact
T1490 Inhibit System Recovery Impact
T1489 Service Stop Impact
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1059.001 PowerShell Execution
T1566.001 Spearphishing Attachment Initial Access

Scripts 1

agent.py11.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""CISA ransomware playbook builder and compliance checker agent.

Generates a structured ransomware incident response playbook aligned with the
CISA StopRansomware Guide. Assesses organizational readiness against CISA
checklist items and produces gap analysis reports.
"""

import json
import sys
from datetime import datetime

CISA_PREPARATION_CHECKLIST = {
    "PREP-01": {
        "control": "Offline encrypted backups",
        "description": "Maintain offline, encrypted backups of critical data tested quarterly",
        "cisa_ref": "StopRansomware Guide Part 1, Section 1",
        "priority": "Critical",
    },
    "PREP-02": {
        "control": "Incident response plan",
        "description": "Create, maintain, and exercise a cyber incident response plan with ransomware annex",
        "cisa_ref": "StopRansomware Guide Part 1, Section 2",
        "priority": "Critical",
    },
    "PREP-03": {
        "control": "Network segmentation",
        "description": "Implement network segmentation between IT, OT, and critical asset zones",
        "cisa_ref": "StopRansomware Guide Part 1, Section 3",
        "priority": "High",
    },
    "PREP-04": {
        "control": "Multi-factor authentication",
        "description": "Enable MFA on all remote access, privileged accounts, and email",
        "cisa_ref": "StopRansomware Guide Part 1, Section 4",
        "priority": "Critical",
    },
    "PREP-05": {
        "control": "Endpoint detection and response",
        "description": "Deploy EDR on all endpoints with automated response capabilities",
        "cisa_ref": "StopRansomware Guide Part 1, Section 5",
        "priority": "High",
    },
    "PREP-06": {
        "control": "RDP restrictions",
        "description": "Disable or restrict RDP; require VPN with MFA for remote access",
        "cisa_ref": "StopRansomware Guide Part 1, Section 6",
        "priority": "Critical",
    },
    "PREP-07": {
        "control": "Patch management",
        "description": "Apply patches within 48 hours for internet-facing systems, 30 days for internal",
        "cisa_ref": "StopRansomware Guide Part 1, Section 7",
        "priority": "High",
    },
    "PREP-08": {
        "control": "Email security",
        "description": "Configure email filtering, disable macros by default, implement DMARC/DKIM/SPF",
        "cisa_ref": "StopRansomware Guide Part 1, Section 8",
        "priority": "High",
    },
    "PREP-09": {
        "control": "Application allowlisting",
        "description": "Implement AppLocker or WDAC to restrict unauthorized executables",
        "cisa_ref": "StopRansomware Guide Part 1, Section 9",
        "priority": "Medium",
    },
    "PREP-10": {
        "control": "Security awareness training",
        "description": "Conduct regular phishing simulation and security awareness training",
        "cisa_ref": "StopRansomware Guide Part 1, Section 10",
        "priority": "Medium",
    },
}

RESPONSE_PHASES = {
    "detection": {
        "name": "Detection and Analysis",
        "steps": [
            "Identify initial indicators (mass file renames, ransom notes, EDR alerts)",
            "Take system images and memory captures of affected devices",
            "Identify patient zero and initial access vector",
            "Determine ransomware family using ID Ransomware or sample analysis",
            "Assess encryption scope: systems, shares, data classification impacted",
            "Check for data exfiltration indicators (double extortion)",
            "Notify incident response team and escalate per IRP",
        ],
        "time_target": "0-2 hours",
    },
    "containment": {
        "name": "Containment",
        "steps": [
            "Isolate affected systems (disable NIC, VLAN quarantine, firewall block)",
            "If unable to disconnect, power down affected systems immediately",
            "Disable shared drives and mapped network shares",
            "Reset credentials for compromised and service accounts",
            "Block known IOCs at firewall and proxy (C2 domains, IPs, hashes)",
            "Preserve forensic evidence (do not wipe or rebuild yet)",
            "Engage legal counsel for breach notification assessment",
            "Activate out-of-band communication channel for response team",
        ],
        "time_target": "1-4 hours",
    },
    "eradication": {
        "name": "Eradication and Recovery",
        "steps": [
            "Rebuild affected systems from known-clean images",
            "Restore data from verified offline backups",
            "Reset ALL domain passwords including krbtgt (twice, 12h apart)",
            "Scan restored systems with updated AV and EDR before reconnection",
            "Re-enable services in priority order (DC/DNS first, then business apps)",
            "Monitor restored systems for 72 hours for reinfection signals",
            "Validate data integrity of restored files against known checksums",
        ],
        "time_target": "1-7 days",
    },
    "post_incident": {
        "name": "Post-Incident Activity",
        "steps": [
            "Conduct root cause analysis with full incident timeline",
            "Document lessons learned with all response team stakeholders",
            "Update incident response playbook based on findings",
            "Implement new controls to address identified gaps",
            "File regulatory notifications within required timeframes",
            "Report to CISA at report.cisa.gov and FBI at ic3.gov",
            "Schedule follow-up review in 30, 60, and 90 days",
        ],
        "time_target": "1-4 weeks",
    },
}


def assess_readiness(current_controls):
    """Assess ransomware readiness against CISA checklist."""
    results = {"total_controls": len(CISA_PREPARATION_CHECKLIST), "implemented": 0,
               "gaps": [], "score": 0.0, "details": []}

    for ctrl_id, ctrl in CISA_PREPARATION_CHECKLIST.items():
        status = current_controls.get(ctrl_id, "not_implemented")
        is_implemented = status in ("implemented", "partial")
        if is_implemented:
            results["implemented"] += 1
        else:
            results["gaps"].append({
                "id": ctrl_id,
                "control": ctrl["control"],
                "priority": ctrl["priority"],
                "cisa_ref": ctrl["cisa_ref"],
            })
        results["details"].append({
            "id": ctrl_id,
            "control": ctrl["control"],
            "status": status,
            "priority": ctrl["priority"],
        })

    results["score"] = round(
        (results["implemented"] / results["total_controls"]) * 100, 1
    )
    return results


def generate_playbook(org_name="Organization"):
    """Generate a full ransomware response playbook."""
    playbook = {
        "title": f"Ransomware Incident Response Playbook - {org_name}",
        "framework": "CISA StopRansomware Guide + NIST CSF",
        "version": "1.0",
        "generated": datetime.now().isoformat(),
        "preparation": CISA_PREPARATION_CHECKLIST,
        "response_phases": RESPONSE_PHASES,
        "escalation_matrix": {
            "severity_1_critical": {
                "criteria": "Encryption active, spreading across network, critical systems affected",
                "notify": ["CISO", "CEO", "Legal Counsel", "External IR Firm", "CISA", "FBI"],
                "response_time": "Immediate",
            },
            "severity_2_high": {
                "criteria": "Encryption contained to single segment, no critical systems affected",
                "notify": ["CISO", "IT Director", "Legal Counsel"],
                "response_time": "Within 1 hour",
            },
            "severity_3_medium": {
                "criteria": "Ransomware detected but not yet executed (pre-encryption)",
                "notify": ["SOC Manager", "IT Director"],
                "response_time": "Within 4 hours",
            },
        },
        "communication_plan": {
            "internal": "Use out-of-band channel (Signal, phone tree) - assume email compromised",
            "external_stakeholders": "Prepared holding statement; legal review before public disclosure",
            "regulatory": "GDPR 72h, HIPAA 60d, SEC 4 business days, state-specific breach laws",
            "cisa_reporting": "Report to report.cisa.gov within 24 hours",
        },
    }
    return playbook


def generate_markdown_playbook(playbook):
    """Render playbook as Markdown document."""
    lines = [f"# {playbook['title']}", "", f"**Framework:** {playbook['framework']}",
             f"**Version:** {playbook['version']}", f"**Generated:** {playbook['generated']}", ""]

    lines.append("## Preparation Checklist (CISA Part 1)")
    lines.append("")
    for ctrl_id, ctrl in playbook["preparation"].items():
        lines.append(f"- [ ] **{ctrl_id}**: {ctrl['control']} - {ctrl['description']} "
                      f"[{ctrl['priority']}]")
    lines.append("")

    lines.append("## Response Phases (CISA Part 2)")
    lines.append("")
    for phase_id, phase in playbook["response_phases"].items():
        lines.append(f"### {phase['name']} (Target: {phase['time_target']})")
        lines.append("")
        for i, step in enumerate(phase["steps"], 1):
            lines.append(f"{i}. {step}")
        lines.append("")

    lines.append("## Escalation Matrix")
    lines.append("")
    for sev, details in playbook["escalation_matrix"].items():
        lines.append(f"### {sev.replace('_', ' ').title()}")
        lines.append(f"- **Criteria:** {details['criteria']}")
        lines.append(f"- **Notify:** {', '.join(details['notify'])}")
        lines.append(f"- **Response Time:** {details['response_time']}")
        lines.append("")

    return "\n".join(lines)


if __name__ == "__main__":
    print("=" * 60)
    print("CISA Ransomware Playbook Builder Agent")
    print("Playbook generation and readiness assessment")
    print("=" * 60)

    if len(sys.argv) < 2:
        print("\nUsage:")
        print("  python agent.py generate [org_name]     Generate playbook")
        print("  python agent.py assess <controls.json>  Assess readiness")
        print("  python agent.py checklist               Print CISA checklist")
        sys.exit(0)

    command = sys.argv[1]

    if command == "generate":
        org = sys.argv[2] if len(sys.argv) > 2 else "Organization"
        playbook = generate_playbook(org)
        md = generate_markdown_playbook(playbook)
        output_file = f"ransomware_playbook_{org.lower().replace(' ', '_')}.md"
        with open(output_file, "w") as f:
            f.write(md)
        print(f"\n[+] Playbook generated: {output_file}")
        print(f"[+] Contains {len(CISA_PREPARATION_CHECKLIST)} preparation controls")
        print(f"[+] Contains {len(RESPONSE_PHASES)} response phases")
        print(f"\n{md[:500]}...")

    elif command == "assess":
        if len(sys.argv) < 3:
            print("[!] Provide a JSON file with current control statuses")
            print('    Format: {"PREP-01": "implemented", "PREP-02": "not_implemented", ...}')
            sys.exit(1)
        with open(sys.argv[2]) as f:
            controls = json.load(f)
        results = assess_readiness(controls)
        print(f"\n--- Ransomware Readiness Assessment ---")
        print(f"  Score: {results['score']}% ({results['implemented']}/{results['total_controls']})")
        if results["gaps"]:
            print(f"\n  Critical Gaps:")
            for gap in results["gaps"]:
                print(f"    [{gap['priority']}] {gap['id']}: {gap['control']}")
        print(f"\n{json.dumps(results, indent=2)}")

    elif command == "checklist":
        print("\n--- CISA Ransomware Preparation Checklist ---")
        for ctrl_id, ctrl in CISA_PREPARATION_CHECKLIST.items():
            print(f"  [{ctrl['priority']:8s}] {ctrl_id}: {ctrl['control']}")
            print(f"             {ctrl['description']}")
    else:
        print(f"[!] Unknown command: {command}")
Keep exploring