Ransomware Investigate and Contain


This playbook investigates and contains ransomware detected on endpoints.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection, SOC Automation


Endpoint Compromise

Security Impact

Reacting quickly is imperative when dealing with ransomware. By leveraging this playbook the entire incident response process can be automated, and additional hosts can be found and quarantined.

Alert Volume

Very Low


Stage 5

Data Sources

Anti-Virus or Anti-Malware

   How to Implement

Several searches can be used to detect the presence of ransomware in the environment. This playbook is designed to investigate a file using a sandbox and if determined to be ransomware, immediately take action to block network communications, and quarantine devices.

   How To Respond

When potential ransomware is detected this playbook can be used to further investigate, or changes can be made to the playbook to automatically take action to quarantine a device and block network communications. Note also this playbook will hunt for additional infected hosts using any observed file hashes.


Ransomware Investigate and Contain Help

Simply deploy Phantom and work with your technical team to deploy this.

Screenshot of Demo Data