
RB-001 — Ransomware / Mass Encryption Event

Classification: CONFIDENTIAL — Internal Use Only
Document: security/runbooks/rb-001-ransomware.md · v1.0 · 2026-03-16 · GPUS-IT
Severity: P1 · Immediate response required

Indicators of compromise

  • Files renamed with unusual extensions (.locked, .encrypted, ransom*)
  • Sudden spike in disk I/O on vmstorage or any server
  • Ransom note files (README.txt, DECRYPT.txt) appearing in directories
  • Fail2ban / auditd showing mass file-write activity from an unexpected process

Response steps

Step 1 — Isolate immediately

Do NOT shut down — preserve memory forensics. Isolate at firewall level first.

# Isolate affected host at firewall
sudo firewall-cmd --panic-on

# If workstation: disconnect network cable / disable WiFi physically

Step 2 — Notify Director of Cyber Security

Escalate immediately. Open incident ticket. Do not attempt remediation alone.

  • Activate IRP (Incident Response Plan)
  • Preserve all evidence before any changes
  • Document timeline from first indicator

Step 3 — Assess scope

# Check which servers are reachable
ping -c 2 192.168.120.1  # SKY
ping -c 2 192.168.120.2  # RAIN
ping -c 2 192.168.120.3  # SUN
ping -c 2 192.168.120.4  # WIND

# Check NAS for encryption indicators
ls /mnt/nas-backup/ | head -20
find /mnt/nas-backup \( -name "*.locked" -o -name "*.encrypted" \) 2>/dev/null | head -10

# Verify GCS backups are intact (from a clean host)
gcloud storage ls gs://gpus-infra-backups-wdc/sky/
gcloud storage ls gs://gpus-infra-backups-wdc/sky/$(date +%Y-%m-%d)/

Step 4 — Find last clean backup date

# List available GCS backup dates
gcloud storage ls gs://gpus-infra-backups-wdc/sky/ | grep -E '[0-9]{4}-[0-9]{2}-[0-9]{2}'

# Check backup log for last successful run before incident
grep "Backup finished" /var/log/gpus-backup.log | tail -10

# Check Lynis scan for pre-incident baseline
ls /var/log/lynis/lynis-summary-*.json | sort | tail -5
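An added triage helper covering the Step 3 scope check and the Step 4 clean-date search (example code, not part of this runbook): it counts encrypted-extension files and ransom notes under a mount, reports the earliest modification time on an encrypted file as a timeline anchor, and picks the latest backup date strictly before the first-indicator day from a gcloud-style listing. Function names and the sample directory are constructed; it assumes GNU find/sort/awk as on the servers above.

```shell
#!/usr/bin/env bash
# Added triage helpers for Steps 3 and 4 (not part of the original runbook).
# Assumes GNU find/sort/awk. Function names and sample data are constructed.

# Count encrypted-looking files and ransom notes under a mount point and report
# the earliest modification time seen on an encrypted file (timeline anchor).
# Prints: encrypted=<n> notes=<n> first_seen=<unix epoch|none>
scan_encryption_indicators() {
  local root="$1" enc notes first
  enc=$(find "$root" -type f \( -name '*.locked' -o -name '*.encrypted' \) 2>/dev/null | wc -l | tr -d ' ')
  notes=$(find "$root" -type f \( -name 'README.txt' -o -name 'DECRYPT.txt' -o -name 'ransom*' \) 2>/dev/null | wc -l | tr -d ' ')
  first=$(find "$root" -type f \( -name '*.locked' -o -name '*.encrypted' \) -printf '%T@\n' 2>/dev/null \
          | sort -n | head -n 1 | cut -d. -f1)
  printf 'encrypted=%s notes=%s first_seen=%s\n' "$enc" "$notes" "${first:-none}"
}

# Pick the restore candidate: the latest backup date strictly before the day of
# the first indicator. $1 = first-indicator date (YYYY-MM-DD); $2 = newline
# separated backup listing, e.g. the raw output of the gcloud command in Step 4.
# Prints the date, or "none" if every backup is on or after the incident day.
last_clean_backup_date() {
  local incident="$1" dates="$2"
  printf '%s\n' "$dates" \
    | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' | sort -u \
    | awk -v inc="$incident" '$1 < inc { last = $1 } END { print (last ? last : "none") }'
}

# Constructed sample run: a scratch directory standing in for /mnt/nas-backup,
# and a hand-written listing shaped like the GCS bucket output.
demo_run() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/finance"
  : > "$tmp/finance/budget.xlsx.locked"
  : > "$tmp/finance/q1.docx.encrypted"
  : > "$tmp/finance/DECRYPT.txt"
  : > "$tmp/finance/notes.txt"
  scan_encryption_indicators "$tmp"
  last_clean_backup_date 2026-03-16 "$(printf 'gs://gpus-infra-backups-wdc/sky/2026-03-13/\ngs://gpus-infra-backups-wdc/sky/2026-03-15/\ngs://gpus-infra-backups-wdc/sky/2026-03-16/\n')"
  rm -rf "$tmp"
}
demo_run
```

Run it against the real mount and listing as `scan_encryption_indicators /mnt/nas-backup` and `last_clean_backup_date <first-indicator-date> "$(gcloud storage ls gs://gpus-infra-backups-wdc/sky/)"` from a clean host.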

Step 5 — Restore from GCS

Follow the Backup & Restore Runbook. Restore order: SKY → RAIN → SUN → WIND.

# Example: restore SKY from GCS
RESTOREDATE=2026-03-15  # Last known clean date
mkdir -p /tmp/restore/sky
gcloud storage cp "gs://gpus-infra-backups-wdc/sky/${RESTOREDATE}/*.tar.gz" /tmp/restore/sky/
cd /tmp/restore/sky/ || exit 1
# Extracting into / requires root
sudo tar -xzf named-${RESTOREDATE}.tar.gz -C /
sudo tar -xzf dhcp-${RESTOREDATE}.tar.gz -C /
sudo tar -xzf etc-${RESTOREDATE}.tar.gz -C /

Step 6 — Post-incident steps (mandatory)

# On every restored server:
sudo aide --update && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Re-sign DNSSEC on SKY/RAIN
sudo rndc sign wdc.us.gl3
sudo rndc sign 120.168.192.in-addr.arpa

# Log the incident (RESTOREDATE as set in Step 5; the log is root-owned)
echo "$(date) [IR] RB-001: Ransomware incident resolved. Restored from ${RESTOREDATE} GCS backup." \
  | sudo tee -a /var/log/asset-inventory.log

# Run Lynis scan to verify restored state
sudo /usr/local/sbin/gpus-lynis-scan.sh

Step 7 — Root cause analysis

Within 5 business days:

  • Identify patient zero (which host, which user, which vector)
  • Document full attack timeline from auditd and ELK logs
  • Identify gaps that allowed lateral movement
  • Update controls and retest