book

Learning Ransomware Response & Recovery

by W. Curtis Preston, Michael Saylor

January 2026

Intermediate to advanced

522 pages

15h 3m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Preface
Why This BookA Different TackBringing in the CavalryMike’s StoryHow This Book Is OrganizedConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments (Curtis)Acknowledgments (Mike)
I. Identify
1. What Is Ransomware?
What Is Ransomware?How Do You Get Ransomware?After the Initial InfectionHow Ransomware Avoids DetectionEncryption and ObfuscationPolymorphismFileless Malware TechniquesExploiting Legitimate ToolsStealthy Command-and-Control ChannelsDelaying ExecutionBehavioral EvasionBypassing Endpoint SecurityAnti-Analysis TechniquesSelf-Destruction and Anti-Forensic TechniquesA Brief History of RansomwareThe Evolution of RansomwareDouble ExtortionUnderstanding the Attackers: Initial Access BrokersUnderstanding the Typical Attack SequenceReconnaissanceInitial AccessExecution and InstallationExpanding Scope and Data GatheringRansom DemandNegotiation and PaymentDecryption and RecoverySummary
2. Your Backup System Is Under Attack
Why Is the Backup System Under Attack?Quick Chat About RTO and RPOThreat Actors Love/Hate BackupsHow Threat Actors Disable the Backup/DR SystemThe Backup System as an Attack SurfaceHow Did We Get Here?Disk Backups Made It WorseSounds Pretty BleakSummary
II. Protect
3. Backup and Recovery Basics
Backup or Disaster Recovery?The Same SystemA Different ProcessDefining Backup System RequirementsWhat Does Your Organization Do?IT Does Not Determine RequirementsRequirements and Service LevelsDesign, Implement, and Document Your SystemBackup and Recovery BasicsRecovery TestingDeduplicationBackup LevelsMetricsItem Versus Image-Level BackupsBackup Selection MethodsBackup MethodsIs Everything Backup?Two Ways to RestoreThe Bottom LineDeciding on a Backup MethodDo You Need to Change?Tips for Considering a New Backup SystemCloud ConsiderationsBackup and Archive MythsSummary
4. Stop Most Ransomware
Table StakesContinuously Update Your PatchesEnforce MFA or PasskeysEnforce Solid Password ManagementPeople, Process, and TechnologyKnow Your EnvironmentWhat to DocumentMaking Your Inventory ActionableProcess: Policies and ProceduresConfiguration Policies and ImplementationAuthentication and Encryption PoliciesPatch and Vulnerability ManagementTechnology: Technical Controls and MonitoringSystem HardeningEmail FilteringDetect and MonitorPeople: Building Your Human DefenseEmployee TrainingTesting and ReinforcementSummary
5. Minimize the Blast Radius
Know ThyselfPreparing for a Ransomware IncidentEndpoint Security: The First Line of DefenseDeploying Endpoint Detection and Response ToolsUsing Next-Gen Anti-Malware SolutionsImportance of Endpoint HardeningNetwork Security: Limiting Lateral MovementNetwork Segmentation: Containing the Blast RadiusFirewalls and Traffic ControlNetwork Monitoring and Behavioral AnalyticsDNS FilteringNetwork Vulnerability AssessmentsAccess Control and Privilege ManagementImplementing the Principle of Least PrivilegeEnforcing Multifactor AuthenticationData Protection StrategiesData Classification and SegmentationData EncryptionBackup and Recovery StrategiesData Loss PreventionDatabase-Level ProtectionsShadow Copies and Volume SnapshotsFile Access Controls and MonitoringVirtualizationSummary
6. Get Ready for Battle
Table Stakes: Do These Five Things FirstEngage with Cyber ProfessionalsFind a Blue Team NowGet a Red Team TooFind a Cyber Insurance CarrierIdentify Forensic ToolsForensic Imaging ToolsLog Analysis PlatformsLearn Your ToolsSecure the Backup SystemTaking Backups Out of the EquationRole-Based AdministrationSecure Your LoginsUpdate Your Backup SoftwareSegregate All Backup InfrastructureShut Off Remote Desktop ProtocolLock Down SMBSecure Backup StorageUse Direct Storage Connections (Like Veeam’s Direct SAN Access)Store Backups in Dedicated Backup AppliancesUse Object Storage Instead of File SharesUse Immutable StorageEncrypt All BackupsAt-Rest EncryptionIn-Flight EncryptionKey ManagementWatch Everything: Monitoring Your Backup EnvironmentCreate a Disaster Recovery PlanFull Hot SiteCold Site RecoveryCloud RecoveryFailbackSummary
7. Make Your Incident Response Plan
Table Stakes: Before Writing Your IRP1. Get Executive Sponsorship2. Name Names, Not Job Titles3. Write the Templates Now—Not During the Crisis4. Contract the Help Before You Need It5. Know What Tools You’ve Got (and Where to Find Them)Cybersecurity Resources Around the WorldWho’s Got Your Back?Free Frameworks and ToolsEarly Warning SystemsWhat They Do When You’re Actually Under AttackHow to Actually Use This StuffThe Bottom LineSetting Objectives and ScopeDefining the Goals of the Incident Response PlanWhat Does the Incident Response Plan Cover?Metrics of EffectivenessMatching the Plan to Business Priorities?Assembling Your Incident Response TeamSorting Out Who Does WhatWho’s Calling the Shots?Making Sure You’re Covered 24/7Cross-Training and Alternate PlansTeaming Up with Outside HelpDetection and Initial Response ProceduresInitial Detection and AssessmentFirst MovesContainment and Evidence Preservation ProceduresForensic Evidence PreservationCommunication and Coordination ProceduresNotification, Communication, and Escalation ProtocolsEngaging External Response and SupportRecovery and Investigation ProceduresData Recovery and Remediation: Assessing the Damage and Recovery ScopeRestoring Data from BackupsRebuilding and Restoring SystemsDeciding on Ransom PaymentEvaluating Decryption Options (and Possibly Life Choices)Forensic Investigation and Root Cause AnalysisPost-Incident Review and Continuous ImprovementConducting a Post-Incident ReviewUpdating the Incident Response PlanConducting a Root Cause AnalysisTraining and Awareness UpdatesTesting and Refining the PlanPlanning an Annual Ransomware Tabletop ExerciseDefining Exercise Goals and ObjectivesSelecting ParticipantsScenario DevelopmentFacilitating the ExerciseConducting a Ransomware War GameSetting Up the War Game EnvironmentPlaying in a SandboxEvaluating Team PerformanceUpdating the Incident Response PlanTracking Progress and MaturitySummary

III. Detect
8. Detection Tools
Introduction to Detection SystemsAn Undetected AttackThe Numbers Are ScaryExtended Detection and ResponseSecurity Information and Event ManagementCore FunctionsTypical SIEM DeploymentXDR Versus SIEMDetection Tool IntegrationHuman IntegrationElements of IntegrationDetecting Ransomware with BackupsBackup System Events and AnomaliesSteps to Leverage Your Backup SystemLog Everything and Secure Your LogsLogs for Your Primary EnvironmentLogs for Your Backup EnvironmentWhere to Store Your LogsManaged Service ProvidersExpertise Without the Hiring HeadacheFaster Deployment24/7 MonitoringTuning and MaintenanceMulti-Client IntelligenceFlexible ScalingCompliance SupportMaking the MSP Relationship WorkThe Future of DetectionSummary
IV. Respond
9. The First 12 Hours
The Initial Shock: First Hours of the AttackDiscovery and PanicScrambling to AssessDecision-Making Under PressureContainment DilemmasThe Ransom Dilemma: Legal Landmines and Empty PromisesStakeholder ConflictsYou SurvivedPractical Exercises SummaryCase Study ReviewSummary
10. The Marathon
Keeping the Business Running During CrisisThe Business Continuity Blind SpotZapMart’s Holiday Sales CrisisChange Healthcare’s Patient Care EmergencyMaria’s Bakery’s Customer Service ChallengeNorthforge’s Engineering Productivity CrisisBusiness Continuity StrategiesBusiness-Driven PrioritizationDegraded Operations and Manual WorkaroundsCommunication: The Bridge Between Crisis and CustomersThe Revenue Versus Security Trade-OffSurvival TipExercise: Plan Your Degraded OperationsThe Bottom Line on Business ContinuityThe Human Toll: Stress, Communication, and MoraleEmotional RollercoasterCommunication BreakdownsMaintaining MoraleUnexpected Curveballs: What Plans Don’t Prepare You ForTechnical SurprisesExternal PressuresResource ConstraintsLessons from the Trenches: Making It ThroughWhat WorksWhat BreaksBuilding ResilienceExercise: Reflect and ImprovePractical Exercises SummarySummaryLessons Learned Template
11. Analyzing the Breach
Beginning the InvestigationWhy Analysis MattersGuidance for Small and Medium-Sized BusinessesResource ConstraintsLimited Tooling and VisibilityKnowledge GapsTool ComplexityBudget LimitationsLack of PreparationSandboxing for Behavior AnalysisReal-World Applications of SandboxingPractical Sandboxing Tools and TechniquesAdvanced Sandboxing ConsiderationsBest Practices for Effective SandboxingIdentifying the Ransomware VariantStep 1: Examine the Ransom NoteStep 2: Check File Extensions and System ArtifactsStep 3: Analyze Logs and Network TrafficStep 4: Leverage Threat Intelligence FeedsAssessing the Attack’s ScopeStep 1: Inventory Infected SystemsStep 2: Detect Lateral MovementStep 3: Confirm Data ExfiltrationExploring Decryption and Remediation OptionsStep 1: Check for Public DecryptorsStep 2: Use Forensic Tools for RemediationStep 3: Evaluate Payment Risks (Last Resort)Summary
12. Advanced Analysis and Forensics
Advanced Analysis TechniquesStep 5: Craft YARA Rules (Advanced)Step 6: Monitor Dark Web Leak SitesExpanding Identification: Reverse-Engineering Ransomware SamplesWhy Reverse Engineering MattersHow to Reverse-Engineer SafelyExpanding Scope Assessment: Cloud-Specific AnalysisWhy Cloud Scoping MattersHow to Scope Cloud InfectionsSurvival TipExpanding Decryption: Negotiating with AttackersWhy Negotiation Is RiskyHow to Negotiate (If You Must)Risks of NegotiationBest Practices for NegotiationExercise: Plan a NegotiationExpanding Advanced Analysis: Volatility TutorialVolatility TutorialBest Practices for Volatility AnalysisVolatility WorkflowPost-Analysis ReportingBuilding a ReportSample ReportExecutive SummaryIncident OverviewResponse ActionsLessons LearnedNext Steps and RecommendationsRegulatory and Stakeholder ConsiderationsSummary
13. Contain the Attack
What Is Containment and Eradication?The Importance of ContainmentThe Containment Versus Forensics DilemmaThree ApproachesMake the DecisionWhere to Start ContainmentSnapshot, Suspend, or Pause All Infected VMsStep 1: Suspend VMs ImmediatelyStep 2: Copy VM Files to Isolated Forensic StorageStep 3: Document EverythingCreate a Panic Button ScriptThe Suspend Versus Shutdown DistinctionTesting Your Suspension ProcessIdentify Critical SystemsRapid Forensic ImagingImmediate Containment ActionsStep 1: Isolate Infected DevicesStep 2: Disable Attack VectorsStep 3: Block External CommunicationStep 4: Automate ContainmentVerification and MonitoringForensic Disk PreservationThe Final Shutdown DecisionPull the PlugSummary
14. Eradicate the Threat
Clean, Wipe, or ReplaceCleaningWipingReplacingMaking the DecisionReinstall the Operating SystemClean Data DisksSummary
V. Recover
15. Restore and Recover
The Goals of RecoveryPrioritize Your RestoresChoose a Restore Method for OS and AppsFull System RestoreReinstall and ReconfigureReimageChoose a Restore Method for DatabasesChoose a Restore Method for SaaS ApplicationsThe SaaS Recovery ChallengeThe Delete-and-Restore ApproachSaaS Recovery Timeline ExpectationsApplication-Specific ConsiderationsChoose a Restore Method for FilesystemsRestore Before Infection, Followed by Many Individual RestoresCurated RestoreUse a Sandbox Area for All RestoresScan for MalwareScanning During the RestoreScanning After RestoreRestore Your OS and DataPick Your Restore PointTest FunctionalityMonitor for Any Network ActivityRecover to the CloudWhy Recover to the Cloud?Planning Your Cloud RecoverySetting Up Temporary Cloud InfrastructureNetworking ConsiderationsData Transfer ChallengesFailover and Failback ConceptsUnderstanding FailoverManaging the Transition PeriodPlanning Your ReturnTesting Failback ProceduresLong-Term ConsiderationsSummary
16. Post-Mortem Analysis
The Importance of Post-Mortem AnalysisPsychological and Organizational ImpactHuman FactorsCommunicating Post-Mortem Results to EmployeesDocumenting What HappenedKey Elements to DocumentTools for DocumentationBest Practices for DocumentationConducting the Post-Mortem MeetingStep 1: Planning the Post-Mortem MeetingStep 2: Structuring the Post-Mortem MeetingStep 3: Facilitating Open DiscussionStep 4: Documenting the MeetingRegulatory and Legal ConsiderationsLearning from Your MistakesCommon MistakesPrioritizing Improvements with Limited ResourcesTurning Mistakes into OpportunitiesAdapting Your Incident Response PlanKey Components to UpdateKey Monitoring AreasImplementing Monitoring ToolsRegular Audits and TestingSharing Threat IntelligenceRecommendations for Long-Term ResiliencePost-Mortem Analysis Case StudiesThe Lorenz AttackHealthcare Breach (2023)Summary
Index
About the Authors

Content preview from Learning Ransomware Response & Recovery

Chapter 9. The First 12 Hours

It’s 8 a.m. on a Thursday, and your phone starts blowing up with calls from people: “All my files are locked! My computer is locked! And my files aren’t working!” Moments later, a red skull flashes across your screen, demanding $500,000 in bitcoin. Your heart races, stomach sinks, eardrums begin pounding, the office erupts in chaos with employees panicking, and you’re left wondering if your backups are safe. This is the gut-punch reality of a ransomware attack, a high-stakes marathon where every decision feels like it could save or sink the organization, and your job.

No playbook, not even the IRT framework you put together from Chapter 7, fully prepares you for the fog of war you’ve become immersed in. The miscommunications, ethical dilemmas, and surprises that test your fortitude and that neatly organized IRP. The plan where you prioritized critical systems, strategized on directions for isolating the infection, and communicated clearly. But in the heat of the attack, you’re battling incomplete or outdated information, emotional overload, and a ticking clock. This chapter pushes you into the heart of a ransomware response, hour by hour, decision by decision, when you really feel the fog of war. Through real-world stories, practical lessons, and interactive exercises, you’ll feel the chaos, learn to navigate tough calls, and discover how to keep you and your team afloat (Mike’s PTSD got worked up just writing this intro).

Join with others dealing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Incident Response Techniques for Ransomware Attacks

Publisher Resources

ISBN: 9781098169572Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Ransomware Response & Recovery

by W. Curtis Preston, Michael Saylor

Chapter 9. The First 12 Hours

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.