✅ Ransomware is a business continuity problem. We pair prevention with immutable backups and a guided restore test so your execs know the real RTO/RPO—before an incident. Here’s our comprehensive Ransomware Runbook.

Sidechain Security — Encryption-First, Evidence-Forward

Scope & Roles

• Incident Commander (IC): Security lead. Owns decisions, timeline, comms.
• SecOps Lead: EDR/XDR, SIEM, containment actions.
• IT/Platform: Backups, restores, imaging, network changes.
• Identity Owner: IAM/MFA, credential resets, privileged access.
• Legal/Privacy: Counsel, notifications, law enforcement, insurer.
• Comms Lead: Internal & external messaging.
• Business Owner(s): Prioritize systems; downtime decisions.

---

PREVENT (Hardening & Readiness)

1. Identity & Access
   • MFA everywhere (users, admins, VPN, third parties).
   • Tiered admin model; eliminate standing domain admin.
   • Just-in-time privileged access; session recording for break-glass.
   • Passwordless (where feasible), strong conditional access.
2. Endpoints & Email
   • EDR/XDR on ≥95% of endpoints/servers; block macros; application allow-listing on servers.
   • Secure email: DKIM/DMARC, attachment/link detonation, impersonation protection.
   • Quarterly phishing simulations + micro-trainings.
3. Data Protection & Keys
   • Encrypt crown-jewel datasets (DB/volume/object); tokenization for high-churn PII.
   • Governed keys (KMS/HSM): time-boxed decrypt grants; approvals; log key use.
   • Block mass-encrypt behavior (canary files; rate-limit unusual encrypt ops).
4. Backups & Recovery
   • 3-2-1-1-0: 3 copies, 2 media, 1 offsite, 1 immutable/air-gapped, 0 errors verified.
   • Quarterly restore tests with measured RTO/RPO; protect backup consoles with MFA/network allow-lists.
5. Surface Reduction & Patch
   • Patch internet-facing services fast; WAF/bot protection; disable unused RDP/VPN; least-privilege on file shares.
   • Asset inventory & attack surface scans (external + internal).
6. Monitoring & Detections
   • Send EDR, identity, KMS/key-use, backup, and endpoint logs to SIEM.
   • Detections for: shadow copy deletion, mass file renames, archive tools at scale, known ransomware notes/extensions, vssadmin/wbadmin/bcdedit misuse, credential dumping, unusual decrypt spikes.
7. Readiness Artifacts
   • IR runbooks (this document), contact tree, war-room templates, legal/insurer hotlines, tabletop schedule(quarterly).
   • Evidence Pack template: encryption posture, key rotation, approvals, denied decrypts, last restore report.

• Prevent – Owner & Metrics
  • Owners: Identity (IAM), SecOps (EDR/XDR/SIEM), Platform (Backups), Data (Encryption/Keys).
  • KPIs: MFA ≥99%; EDR coverage ≥95%; encryption coverage ≥90% (60 days) → ≥95%; backup immutability 100%; quarterly restores 100% pass.

---

DETECT (Triage & Containment)

1. Triage (within minutes)
   • Declare severity (SEV-1 if encryption confirmed or active spread).
   • Open war-room (chat + bridge) and incident ticket; assign IC and scribe.
   • Collect initial indicators: ransom notes, extensions, canary triggers, SIEM alerts, EDR hits, failed decrypt logs, unusual admin actions.
2. Immediate Containment
   • EIsolate endpoints showing encryption (EDR network containment).
   • Disable compromised accounts; rotate creds/keys/tokens suspected.
   • Block C2 and spread paths (firewall/EDR network rules, kill known processes).
   • Freeze backup operations to prevent infected backups; verify immutability.
3. Evidence Preservation
   • Preserve disk images and memory from patient-zero & two additional victims.
   • Snapshot affected VMs/storage where safe (read-only).
   • Lock and export relevant logs (EDR, SIEM, IAM, KMS/key-use, backup).
   • Record timeline (who/what/when), impacted systems, data at risk.
4. Scope & Path to Entry
   • Determine initial access (phish, credential reuse, exposed RDP/VPN, vulnerable service).
   • Check lateral movement (PSExec/WinRM, SMB beaconing), privilege escalation attempts, and persistence(scheduled tasks, services).

• Detect – Owner & Metrics
  • Owners: SecOps (containment), Identity (account actions), Platform (backup freeze).
  • KPIs: MTTD ≤ 15 min, MTTC (contain) ≤ 60 min, infected asset count trend flattening within 1 hour.

---

---

RECOVER (Eradicate, Restore, Notify, Improve)

1. Eradication
   • Remove persistence; reimage infected systems from known-good gold images.
   • Patch exploited vulnerabilities; tighten policies (e.g., disable legacy protocols).
   • Rotate secrets/keys potentially exposed; revoke suspicious decrypt grants.
2. Restoration (Clean & Staged)
   • Prioritize services by business impact (tier 0/1 first).
   • Restore from pre-incident immutable backups into clean network segments.
   • Validate integrity (hashes), rejoin identity, verify application health and data consistency.
   • Monitor closely for re-infection indicators for ≥24–48h.
3. Communications & Legal
   • Counsel-led: law enforcement contact, regulator/customer notifications if required.
   • Single source of truth messaging; no technical speculation in public statements.
   • Ransom negotiations only via counsel/insurer policy; preserve all notes.
4. Business Resumption
   • Progressive un-isolation; scale up restored services.
   • Post-restore access reviews; re-enable third-party connections with MFA proofs.
5. After-Action & Improvements (within 5-10 business days)
   • Root cause & contributing factors; control gaps mapped to owners/ETAs.
   • Update detections (add IOCs/TTPs), tighten IAM, segment noisy shares, close EDR policy gaps.
   • Refresh Evidence Pack (restore report, denied decrypts, approvals, rotations).
   • Executive summary: impact, downtime, data risk, cost, and prevention plan.

• Recover – Owner & Metrics
  • Owners: Platform (restore), Identity (key/secret resets), Legal/Comms, IC.
  • KPIs: RTO/RPO met for tier-1 systems; MTTR (business-critical) within target; 30/60/90-day closure of critical findings.

---

Quick Reference Checklists

1. “Pull the Cord” (first 60 minutes)
   • Declare SEV-1, open war-room, assign IC & scribe.
   •  Isolate affected hosts; kill ransomware processes; block C2.
   •  Disable suspected accounts; reset high-risk credentials.
   •  Freeze backups; verify immutable copies.
   •  Preserve evidence: images, memory, logs, timelines.
   •  Notify legal/privacy; check insurance policy requirements.
2. Data & Keys
   • Confirm encryption coverage on impacted datasets.
   •  Revoke decrypt grants not needed; audit denied decrypt spikes.
   •  Rotate or disable key versions if compromise suspected (envelope pattern).
   •  Capture key-use logs for incident period.
3. Restore Gate
   • Clean segment ready; known-good snapshot verified.
   •  Malware & persistence scans pass.
   •  IAM hardening in place; break-glass sealed.
   •  Backups integrity verified; restore test completed.

---

Detection Ideas (for SIEM/EDR Team)

• Process patterns:
  • vssadmin delete shadows, wbadmin delete catalog, bcdedit /set {default} recoveryenabled No
  • Mass file rename/extension changes; abnormal 7-Zip/WinRAR use on servers.
• Filesystem signals: Honey/canary file modifications; sudden surge in high-entropy files.
• Identity signals: Off-hours admin logins, impossible travel, burst of token grants.
• Key-use signals: Denied decrypt spikes; decrypts from unusual services/regions.

---

Artifacts to Produce (for Execs/Auditors)

• Incident timeline & decision log
• Affected systems & data (by tier)
• Root cause & lessons learned
• Restore report (RTO/RPO, validation steps)
• Evidence Pack (encryption coverage, rotations, approvals, denied decrypts, backup/restore proof)
• Communications sent (internal/external), counsel sign-offs

---

How Sidechain Slots In

• Key Management & HSM: Quorum approvals, rotation on rails, key-use telemetry.
• Data Encryption: Coverage tracking, tokenization, automatic evidence.
• Cloud Data Protection: BYOK/CMEK across clouds; standardized controls.
• Workshops/Drills: Ransomware tabletop + guided restore with timed outcomes.

---

Sidechain Security – Security you can prove.