Checklist · 7 min

Ransomware containment checklist

Use this checklist to stabilise a ransomware event while preserving evidence and supporting recovery decisions.

Quarantine, do not reboot

When ransomware strikes, the instinct is to shut everything down. Resist it. Powering off a system purges volatile memory, and that memory may hold the encryption key (some families keep the session key in the encryptor's process memory until it exits), the running malware's process details, and the live network connections to attacker infrastructure that the investigation needs.

Use EDR isolation features to network-quarantine affected endpoints; EDR isolation typically keeps the sensor's own management channel open, so you can still pull memory and process data from the quarantined host. If EDR is not available, physically unplug network cables and disable wireless, but leave systems powered on. Mark each isolated system with its hostname, IP address, logged-on user, and the time it was isolated.

Sever connections into the core network immediately

Disable VPN tunnels connecting branch offices or remote workers to the core network. Cut the link between your backup platform and the compromised Active Directory: revoke or rotate the domain accounts and API tokens the backup service authenticates with, and make sure backup repositories cannot be browsed or deleted with domain credentials. Ransomware operators increasingly delete or encrypt backups before triggering encryption, precisely to prevent recovery. If your backup credentials are stored in the same AD that has been compromised, assume the backups are at risk and confirm an offline or immutable copy exists before you plan a restore around them.

Identify the variant

Note the extension appended to encrypted files (for example a new suffix after the original one) and any ransom notes dropped on the desktop or in encrypted directories. These details help the threat intelligence team identify the ransomware family, which determines whether a free decryptor exists and what the operator's typical behaviour pattern looks like: dwell time, exfiltration before encryption, and the leak-site threat that usually accompanies the demand.

Upload a sample of the ransom note (not encrypted files) to services like ID Ransomware to identify the variant. Do not upload sensitive company files to any public analysis service. Be aware that the note itself usually carries a victim-specific ID and contact address, so even that upload discloses the incident to a third party; clear it with the incident lead first.

Assess the blast radius

Before you start recovery, understand how far the encryption spread. Check file shares, cloud storage, database servers, and backup repositories. Map which systems are encrypted, which are clean, and which are unknown (unreachable, unreadable, or holding too little data to judge). Treat "unknown" as a category of its own rather than folding it into "clean"; a restore built on an unverified host is how reinfection happens. This map determines your recovery strategy and timeline.
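The two steps above (identify the variant, assess the blast radius) are usually done with a quick triage scan of a share before anyone touches it. The script below is an added example written for this page, not the checklist author's tooling: it walks a directory, flags likely ransom notes by name, uses byte entropy on the head of each file to separate encrypted files from clean ones, and reports naturally high-entropy formats (archives, images, Office files) and unreadable or tiny files as "unknown" rather than guessing. The note-name pattern, the extension list, the entropy threshold and the sample share it builds are all assumptions chosen for illustration.

```python
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose normal contents are already high-entropy (compressed or
# already-encrypted formats). High entropy proves nothing for these, so they
# are reported as "unknown" rather than "encrypted". Assumed list; extend per site.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                   ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}
# Assumed ransom-note naming pattern; real families vary, tune it per incident.
NOTE_NAME = re.compile(r"readme|decrypt|restore|recover|how[_\- ]?to|ransom", re.I)
NOTE_EXT = {".txt", ".html", ".htm", ".hta", ""}
SAMPLE_BYTES = 4096        # only the head of each file is read
ENTROPY_THRESHOLD = 7.3    # bits/byte; text and plain documents sit well below this
MIN_BYTES = 64             # below this an entropy estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'encrypted', 'clean' or 'unknown' for one file."""
    ext = path.suffix.lower()
    if ext in NOTE_EXT and NOTE_NAME.search(path.name):
        return "note"
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unknown"       # unreadable: record it, do not guess
    if len(head) < MIN_BYTES:
        return "unknown"
    if shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "clean"
    return "unknown" if ext in NATURALLY_DENSE else "encrypted"


def scan(root: Path) -> dict:
    """Walk root; tally encrypted/clean/unknown files, note paths and suffixes."""
    result = {"encrypted": 0, "clean": 0, "unknown": 0,
              "notes": [], "extensions": Counter()}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        if kind == "note":
            result["notes"].append(p.relative_to(root).as_posix())
            continue
        result[kind] += 1
        if kind == "encrypted":
            result["extensions"][p.suffix.lower()] += 1
    return result


def build_sample(root: Path) -> None:
    """Constructed sample share for the demo; not real incident data."""
    rnd = random.Random(7)   # deterministic stand-in for ciphertext
    dense = lambda: bytes(rnd.randrange(256) for _ in range(SAMPLE_BYTES))
    text = b"Quarterly figures, see the attached spreadsheet for detail. " * 8
    files = {
        "docs/report.docx.locked": dense(),                      # encrypted
        "docs/budget.xlsx.locked": dense(),                      # encrypted
        "docs/notes.txt": text,                                  # clean
        "docs/README_TO_DECRYPT.txt": b"Your files are encrypted. Contact us.",
        "archive/backup.zip": dense(),                           # unknown: dense format
        "share/tiny.cfg": b"debug=0\n",                          # unknown: too small
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample(root)
    return scan(root)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted={r['encrypted']} clean={r['clean']} unknown={r['unknown']}")
    print("ransom notes:", r["notes"])
    print("suffixes on encrypted files:", dict(r["extensions"]))
```

Run it read-only against a mounted share from an isolated analysis host, never from the infected system itself, and feed the suffix tally and note paths to whoever is doing variant identification. The "unknown" bucket is deliberate: a `.zip` with high entropy might be an archive or might be encrypted, and the checklist's recovery map needs that uncertainty preserved, not papered over.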

Evidence preservation during containment

  • Capture memory dumps from affected systems before any remediation
  • Export EDR console data — alert timelines, process trees, network connections
  • Preserve firewall, proxy and VPN logs from at least the 72 hours preceding detection; dwell time is often weeks, so widen the window as the timeline develops
  • Save the ransom note text and any attacker communication channels (onion URLs, email addresses, chat or victim IDs)
  • Document every containment action taken, by whom, and at what time
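The isolation bookkeeping from the first step (hostname, IP, user, time) and the last two bullets above (hash what you preserve, record who did what and when) are easier to defend later if the record cannot be quietly edited. The example below is added for this page, not the checklist author's tooling: a small hash-chained containment log, where each entry carries the SHA-256 of the previous entry, so any after-the-fact change breaks verification, plus a SHA-256 of every evidence file at the moment it is logged. The hostnames, addresses, analysts, timestamps and the placeholder EDR export it creates are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

GENESIS = "0" * 64   # "previous digest" of the first entry


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file, so large memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest(entry: dict) -> str:
    """Canonical digest over every field except the digest itself."""
    body = json.dumps({k: v for k, v in entry.items() if k != "digest"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class ContainmentLog:
    """Append-only, hash-chained record of isolation actions and preserved evidence."""

    def __init__(self) -> None:
        self.entries = []

    def _append(self, entry: dict) -> dict:
        entry["seq"] = len(self.entries)
        entry["prev"] = self.entries[-1]["digest"] if self.entries else GENESIS
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def record_isolation(self, hostname: str, ip: str, user: str, method: str,
                         actor: str, when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        return self._append({"type": "isolation", "hostname": hostname, "ip": ip,
                             "user": user, "method": method, "actor": actor,
                             "time": when.isoformat()})

    def record_evidence(self, path: Path, description: str, actor: str,
                        when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        return self._append({"type": "evidence", "path": path.name,
                             "description": description, "sha256": sha256_file(path),
                             "size": path.stat().st_size, "actor": actor,
                             "time": when.isoformat()})

    def verify(self) -> bool:
        """True only if every entry's digest and back-link still hold."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("digest"):
                return False
            prev = e["digest"]
        return True

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> Tuple[ContainmentLog, bool, bool]:
    """Constructed walkthrough: two isolations, one evidence file, then tampering."""
    t0 = datetime(2024, 3, 9, 2, 14, tzinfo=timezone.utc)       # constructed time
    log = ContainmentLog()
    log.record_isolation("FS01", "10.20.5.11", "svc_backup",
                         "EDR network isolation", "analyst1", t0)
    log.record_isolation("WS-0417", "10.20.7.43", "j.doe",
                         "cable unplugged, left powered on", "analyst2", t0.replace(minute=19))
    export = Path(tempfile.mkdtemp(prefix="evidence-")) / "edr_export.json"
    export.write_text('{"alerts": [], "note": "constructed placeholder export"}')
    log.record_evidence(export, "EDR console export: alert timeline", "analyst1",
                        t0.replace(minute=25))
    intact = log.verify()
    log.entries[1]["ip"] = "10.20.7.44"     # someone "corrects" the record later
    return log, intact, log.verify()


if __name__ == "__main__":
    log, before, after = demo()
    print(log.dump())
    print(f"chain intact before edit: {before}, after edit: {after}")
```

A chain kept in one file only proves tampering if the final digest is also recorded somewhere the editor cannot reach: paste it into the incident ticket or read it out on the bridge call when the log is closed. Store the log itself off the affected estate, alongside the evidence it describes.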

Do not negotiate without preparation

If the organisation considers engaging with the attacker, involve legal counsel and a professional negotiation firm first. Do not use personal email addresses. Do not reveal the organisation's name, insurance coverage, or financial position. Do not make any commitments in writing without legal review.

Need help applying this?

Turn the guide into an action plan.

Tenodex can assess your current state, prioritise the practical work and help implement the operating model.

Book a Briefing