# Ransomware containment: alert to clean restore

> A SIEM detection fires on lateral movement and SMB encryption activity. Contain the blast radius across cloud and network in minutes, snapshot evidence, restore from clean backups, and run the customer through a calm executive briefing.

Wazuh detects encryption-pattern file writes on three Windows file servers at a customer site, and Defender flags lateral SMB to two more. The MSP needs to contain the spread within minutes — at the switch, the firewall, and Entra ID — preserve evidence for the cyber-insurance investigation, restore the affected shares from clean backups, and have the customer's executive team in a structured call within the hour.

## Systems involved

| System                                | Role                                                          |
| ------------------------------------- | ------------------------------------------------------------- |
| Wazuh / Microsoft Defender / Sentinel | Source detections and timeline.                               |
| Studio terminal                       | SSH to access switches for port shutdown and VLAN quarantine. |
| FortiGate / Palo Alto                 | East-west and north-south containment rules.                  |
| Microsoft Entra ID                    | Disable suspect accounts, revoke sessions.                    |
| Veeam / Datto                         | Snapshot inventory, identify clean restore points.            |
| VMware vCenter / Hyper-V              | VM snapshot capture for forensics.                            |
| Microsoft Teams `#sec-ir`             | Internal IR channel.                                          |
| ServiceNow IRM                        | Customer incident record and case file.                       |
| Gmail                                 | Customer executive comms and law-enforcement liaison.         |
| Studio Procedures                     | `Ransomware containment` runbook.                             |

## Walkthrough

<Steps>
  <Step title="Verify the detection in 60 seconds">
    Copilot pulls the Wazuh and Defender alerts onto one timeline. The encryption pattern matches a known family, the source IP traces to a single contractor laptop on the guest VLAN, and SMB traffic to three file servers is active right now.
  </Step>

  <Step title="Quarantine at the switch">
    SSH to the access switch the contractor laptop is on. Copilot identifies the port from the MAC table and stages a `shutdown` and a VLAN move into the quarantine VLAN. Approval prompt; you approve and execute.
  </Step>

  <Step title="Cut east-west at the firewall">
    Push deny rules at the FortiGate between the guest VLAN and the file server VLAN. Block SMB to all of `10.10.20.0/24` from anything outside the file server segment for the duration of the incident.
  </Step>

  <Step title="Disable suspect accounts">
    Through the Graph connector, disable the contractor's account and the two service accounts seen in the lateral movement. Revoke all sessions and tokens. The action is logged with timestamps for the case file.
  </Step>

  <Step title="Snapshot the affected hosts">
    Through the vCenter connector, take a snapshot of each of the five affected VMs without rebooting them. The snapshots become the forensic image set for the investigators.
  </Step>

  <Step title="Identify clean restore points">
    Through the Datto connector, list backups for the five servers. Copilot highlights the last verified-good restore points before the encryption pattern began and proposes the restore order: domain controllers and DNS first, then file servers, then dependent services.
  </Step>

  <Step title="Open the IR record and brief the customer">
    Copilot opens the ServiceNow IRM record and attaches the alert evidence, the snapshot list, and the restore plan, then drafts a one-page executive briefing for the customer CEO and CIO: scope, containment status, restore plan, ETA, and the next update time.
  </Step>

  <Step title="Run the executive call">
    Open a shared Studio session with the customer's executive team. Share the timeline diagram, the containment status, and the restore plan on screen, with recording on. The call ends with assigned actions and a 30-minute next-update commitment.
  </Step>

  <Step title="Restore and validate">
    Trigger the Datto restore in the agreed order. After each restore, run the validation procedure: services back, AD healthy, file shares mounting, no encrypted-pattern writes recurring.
  </Step>

  <Step title="Hand to forensics">
    Hand the case file and the snapshot images to the appointed DFIR firm through the ServiceNow record. The internal `#sec-ir` channel keeps a running log for the rest of the incident lifecycle.
  </Step>
</Steps>
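As an added example (not part of this page or Altostrat's own code), the logic behind the "Identify clean restore points" step in Python: pick the latest verified restore point per host taken before the encryption onset, with a safety margin, and order the restore so dependencies such as the domain controller come back first. Host names, timestamps and the dependency map are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class RestorePoint:
    host: str
    taken_at: datetime
    verified: bool  # passed the backup platform's integrity/boot verification


def pick_clean_points(points, onset, margin=timedelta(hours=1)):
    """Latest verified restore point per host taken before onset minus margin.

    Hosts with no qualifying point map to None so the gap is visible in the
    restore plan rather than silently skipped.
    """
    cutoff = onset - margin
    chosen = {p.host: None for p in points}
    for p in points:
        if not p.verified or p.taken_at >= cutoff:
            continue
        best = chosen[p.host]
        if best is None or p.taken_at > best.taken_at:
            chosen[p.host] = p
    return chosen


def restore_order(depends_on):
    """depends_on: {host: {hosts that must be running first}} -> ordered host list."""
    return list(TopologicalSorter(depends_on).static_order())


# Constructed sample data: onset is the first encryption-pattern write in the SIEM timeline.
ONSET = datetime(2024, 5, 14, 2, 17, tzinfo=timezone.utc)
POINTS = [
    RestorePoint("DC01", ONSET - timedelta(hours=3), True),
    RestorePoint("DC01", ONSET - timedelta(minutes=20), True),  # inside margin, rejected
    RestorePoint("FS01", ONSET - timedelta(hours=2), False),    # unverified, rejected
    RestorePoint("FS01", ONSET - timedelta(hours=8), True),
    RestorePoint("FS02", ONSET + timedelta(hours=1), True),     # post-onset, rejected
    RestorePoint("APP01", ONSET - timedelta(hours=5), True),
]
# File servers need the domain controller (AD/DNS); the app server needs its shares.
DEPENDS_ON = {"DC01": set(), "FS01": {"DC01"}, "FS02": {"DC01"}, "APP01": {"FS01", "FS02"}}

if __name__ == "__main__":
    clean = pick_clean_points(POINTS, ONSET)
    for host in restore_order(DEPENDS_ON):
        p = clean.get(host)
        print(host, p.taken_at.isoformat() if p else "NO CLEAN RESTORE POINT")
```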

## Where Studio earns its keep

* Containment fires at the switch, the firewall, and Entra ID from one workspace in minutes — not from three engineers logging into three consoles.
* The restore order is a clean dependency plan, not a guess from a backup admin under pressure.
* The customer executive call has a screen they can read — timeline, status, plan, ETA — instead of a phone call about feelings.
* Every action is timestamped in the case file from the moment it ran. The cyber-insurance investigation has a proper paper trail without anyone reconstructing it.

## Related

<CardGroup cols={2}>
  <Card title="Procedures" icon="workflow" href="../../procedures" arrow="true" cta="Save the runbook">
    Author `Ransomware containment` so the steps are pre-staged for the next time.
  </Card>

  <Card title="Shared sessions" icon="users" href="../../shared-sessions" arrow="true" cta="Run the call">
    Bring the customer's exec team into a recorded session for the structured update.
  </Card>
</CardGroup>
