Playbook: Detect, Contain, and Remediate Ransomware

Ransomware is one of the leading threats facing organizations today. Between the volume of malicious inbound email and the devices already infected within your environment, regaining control during a ransomware outbreak can be tedious and time-consuming.

The Phantom security automation and orchestration platform can help you investigate, block, and contain ransomware threats, and with an expanded Ransomware playbook it can also automate the remediation of infected devices. Use the platform to scale your investigations and response to match the volume of ransomware threats you face.

[Figure: Screenshot of the Phantom platform’s new visual playbook editor.]

As shown in the diagram above, the Phantom platform ingests either a suspicious file or a file hash from your existing security infrastructure and triggers the Ransomware playbook, which automates the key investigation and containment steps:

  • get file – Downloads the file sample from a repository.
  • detonate file – Submits the file sample for sandbox analysis.
  • block ip – Configures your infrastructure to block access to IP addresses associated with the ransomware.
  • block hash – Configures your infrastructure to block access to files matching the hash of the malicious sample.
  • hunt file – Looks for indications of other infected devices in your environment.
  • terminate process – Terminates any instances of the malware that are actively executing.
  • quarantine device – Places each infected device in quarantine to prevent it from infecting other devices.
  • list connections – Examines an infected device’s active connections and feeds newly discovered malicious IPs back into the block ip action.
  • disable user – Disables the affected user’s account to prevent further malware propagation.
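The steps above form one response procedure, with a feedback loop from list connections back into block ip. The following is an added example that walks that procedure end to end; it is not Phantom’s playbook code and does not use the Phantom playbook API. Every action is an in-memory stand-in for the connector a real deployment would call (file repository, sandbox, firewall, EDR, directory), the hosts, sample, and hashes are constructed, and the INTERNAL network allowlist is an assumption added so that the feedback loop never blocks internal addresses. The example also shows the two early exits a practitioner wants: the sample is unavailable, or the sandbox calls it benign, in which case nothing is blocked.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    user: str
    files: dict            # path -> sha256 of the file content
    processes: dict        # pid -> sha256 of the running image
    connections: list      # remote IPs the host is currently talking to
    quarantined: bool = False


@dataclass
class Environment:
    hosts: list
    repository: dict                          # sha256 -> bytes, the "get file" source
    blocked_ips: set = field(default_factory=set)
    blocked_hashes: set = field(default_factory=set)
    disabled_users: set = field(default_factory=set)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample and sandbox verdict; TEST-NET addresses stand in for C2 hosts.
SAMPLE = b"constructed-ransomware-sample"
SAMPLE_HASH = sha256(SAMPLE)
SANDBOX_C2 = ["198.51.100.7"]

# Assumed allowlist: addresses in these ranges are never fed back into "block ip".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_env() -> Environment:
    """Constructed fleet: ws-01 has the sample on disk and running, ws-03 only running it."""
    benign = sha256(b"benign")
    return Environment(
        hosts=[
            Host("ws-01", "alice", {"C:/tmp/inv.exe": SAMPLE_HASH}, {4242: SAMPLE_HASH},
                 ["198.51.100.7", "203.0.113.9", "10.0.0.5"]),
            Host("ws-02", "bob", {"C:/tmp/notes.txt": benign}, {1000: benign}, ["10.0.0.5"]),
            Host("ws-03", "carol", {}, {777: SAMPLE_HASH}, ["203.0.113.9"]),
        ],
        repository={SAMPLE_HASH: SAMPLE},
    )


# --- stand-ins for the playbook actions (hypothetical connectors, not Phantom APIs) ---
def get_file(env, file_hash):
    return env.repository.get(file_hash)


def detonate_file(data):
    """Stand-in sandbox: only the constructed sample is reported as malicious."""
    if sha256(data) == SAMPLE_HASH:
        return {"malicious": True, "c2_ips": list(SANDBOX_C2)}
    return {"malicious": False, "c2_ips": []}


def block_ip(env, ips):
    env.blocked_ips.update(ips)


def block_hash(env, file_hash):
    env.blocked_hashes.add(file_hash)


def hunt_file(env, file_hash):
    """Hosts that hold the sample on disk or have it running."""
    return [h for h in env.hosts if file_hash in h.files.values() or file_hash in h.processes.values()]


def terminate_process(host, file_hash):
    pids = [pid for pid, img in host.processes.items() if img == file_hash]
    for pid in pids:
        del host.processes[pid]
    return len(pids)


def quarantine_device(host):
    host.quarantined = True


def list_connections(host):
    return list(host.connections)


def disable_user(env, user):
    env.disabled_users.add(user)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def run_playbook(env, file_hash):
    """Run the playbook stages in order and return a summary of what was done."""
    report = {"hash": file_hash, "verdict": None, "infected_hosts": [], "new_ips": [], "killed": 0}
    data = get_file(env, file_hash)
    if data is None:                       # nothing to detonate: stop, do not block on hash alone
        report["verdict"] = "sample-unavailable"
        return report
    verdict = detonate_file(data)
    if not verdict["malicious"]:           # benign: no containment actions at all
        report["verdict"] = "benign"
        return report
    report["verdict"] = "malicious"
    block_ip(env, verdict["c2_ips"])       # block sandbox-observed C2 first
    block_hash(env, file_hash)
    for host in hunt_file(env, file_hash):
        report["infected_hosts"].append(host.name)
        report["killed"] += terminate_process(host, file_hash)
        quarantine_device(host)
        # Feedback loop: external peers of an infected host not yet blocked go back into block ip.
        new = [ip for ip in list_connections(host) if not is_internal(ip) and ip not in env.blocked_ips]
        block_ip(env, new)
        report["new_ips"].extend(new)
        disable_user(env, host.user)
    return report


if __name__ == "__main__":
    print(run_playbook(build_env(), SAMPLE_HASH))
```

Run as a script it prints the report for the constructed fleet: two infected hosts found by hunt, two processes terminated, the sandbox C2 plus one newly discovered external peer blocked, and two accounts disabled, while the clean host ws-02 is left untouched.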

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition.

Posted by Chris Simmons

