Playbook: Detect, Block, Contain, and Remediate Ransomware

Today’s post continues an ongoing series on Phantom playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom platform.

Ransomware is one of the leading threats facing organizations today. With volumes of malicious inbound emails and already infected devices within your environment, regaining control over ransomware can be tedious and time consuming.

The Phantom security automation and orchestration platform can help you investigate, block, and contain ransomware threats. With an expanded Ransomware playbook, the platform could also automate the remediation of infected devices. Deal with the volume of ransomware threats you face by using the Phantom platform to scale your investigations and response to meet the challenge.

Screenshot from the Phantom platform’s new visual playbook editor.

As shown in the above diagram, the Phantom platform ingests either a suspicious file or file hash from your current security infrastructure and triggers the Ransomware playbook, automating key investigation and containment steps:

  • get file – Downloads the file sample from a repository.
  • detonate file – Submits the file sample for sandbox analysis.
  • block ip – Configures your infrastructure to block access to IP addresses associated with the ransomware.
  • block hash – Configures your infrastructure to block access to files matching the hash of a malicious sample.
  • hunt file – Looks for indications of other infected devices in your environment.
  • terminate process – Terminates any instances of the malware actively executing.
  • quarantine device – Places each infected device in quarantine to prevent it from infecting other devices.
  • list connections – Examines a device’s active connections and feeds newly discovered malicious IPs back to the block ip action.
  • disable user – Disables the user’s account to prevent further malware propagation.
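
The flow above, as an added stand-alone Python illustration that is not Phantom's playbook API or the shipped playbook: action calls are recorded in a log instead of hitting real assets, the sandbox report and infected-device data are constructed placeholders, containment only runs on a malicious verdict, and the list connections step feeds back into block ip with de-duplication.

```python
from dataclasses import dataclass, field

# Constructed sample data (placeholder hash, RFC 5737 test addresses); not real IoCs.
SANDBOX = {"sha256:PLACEHOLDER": {"verdict": "malicious", "ips": ["198.51.100.10"]}}
INFECTED = {"sha256:PLACEHOLDER": [{"host": "ws-17", "user": "jdoe", "pid": 4242,
                                    "connections": ["198.51.100.10", "203.0.113.5"]}]}


@dataclass
class RansomwarePlaybook:
    """Sequences the investigation and containment steps; every action is logged for review."""
    blocked_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def act(self, action, **params):
        # Stand-in for dispatching an action to an asset; here it only records the call.
        self.log.append((action, params))

    def block_ip(self, ip):
        # De-duplicate so the feedback loop does not create repeated block rules.
        if ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            self.act("block ip", ip=ip)

    def run(self, file_hash):
        self.act("get file", hash=file_hash)
        self.act("detonate file", hash=file_hash)
        report = SANDBOX.get(file_hash)
        if not report or report["verdict"] != "malicious":
            return self.log  # benign or unknown verdict: investigate only, no containment
        for ip in report["ips"]:
            self.block_ip(ip)
        self.act("block hash", hash=file_hash)
        self.act("hunt file", hash=file_hash)
        for dev in INFECTED.get(file_hash, []):
            self.act("terminate process", host=dev["host"], pid=dev["pid"])
            self.act("quarantine device", host=dev["host"])
            self.act("list connections", host=dev["host"])
            for ip in dev["connections"]:
                self.block_ip(ip)  # newly discovered IPs flow back into block ip
            self.act("disable user", user=dev["user"])
        return self.log


def actions_taken(file_hash):
    """Return the ordered list of action names the playbook would take for a hash."""
    return [action for action, _ in RansomwarePlaybook().run(file_hash)]
```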

Note that this is an example. Playbooks are customizable for your particular Standard Operating Procedures (SOPs). You can also reconfigure the playbook to match the Phantom Apps and Assets that your organization uses.

You can get this playbook from either the Phantom Community or directly from the Phantom Platform. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.

View other articles in this Playbook series here.

Chris Simmons
Director, Product Marketing
Phantom