Incident Timeline
At 02:47 UTC, our SIEM detected unusual file modification patterns consistent with ransomware activity. This post-mortem documents our response process.
Phase 1: Detection & Triage
- SIEM Alert: Mass file encryption detected
- Incident ticket created, severity: P1
- Network isolation of affected segment initiated
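To make the "unusual file modification patterns" concrete, here is an added example detector (not code from this post-mortem or the SIEM it describes) that runs over constructed file-event records. The CSV field layout, the hostname, process name, window length and thresholds are all assumptions chosen for illustration; the heuristic flags any process on a host that touches many distinct files inside a short window where most of the resulting names share one new extension.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample file-event log (timestamp,host,process,action,path).
# Illustrative data only, not telemetry from the incident described on this page.
BENIGN_LINES = [
    "2024-01-01T02:46:50Z,ws-07,winword.exe,WRITE,C:\\Users\\a\\report.docx",
    "2024-01-01T02:46:55Z,ws-07,explorer.exe,WRITE,C:\\Users\\a\\notes.txt",
]
BURST_LINES = [
    f"2024-01-01T02:47:{i:02d}Z,ws-07,suspicious.exe,RENAME,C:\\Users\\a\\doc{i}.xlsx.locked"
    for i in range(25)
] + ["2024-01-01T02:47:30Z,ws-07,suspicious.exe,WRITE,C:\\Users\\a\\README_DECRYPT.txt"]
SAMPLE_LOG = "\n".join(BENIGN_LINES + BURST_LINES)


def parse_log(text):
    """Parse CSV-style file-event lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, process, action, path = line.split(",", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "process": process, "action": action, "path": path,
        })
    return events


def detect_mass_modification(events, window=timedelta(seconds=60),
                             min_files=20, min_same_ext_ratio=0.8):
    """Flag any (host, process) that modifies many distinct files within one
    time window, with most resulting names sharing the same extension.
    Returns one alert per offending actor, describing its largest such window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in ("WRITE", "RENAME"):
            by_actor[(ev["host"], ev["process"])].append(ev)

    alerts = []
    for (host, process), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            files = {e["path"] for e in evs[start:end + 1]}
            if len(files) < min_files:
                continue
            ext, count = Counter(
                PureWindowsPath(p).suffix.lower() for p in files
            ).most_common(1)[0]
            if count / len(files) < min_same_ext_ratio:
                continue
            if best is None or len(files) > best["file_count"]:
                best = {
                    "host": host, "process": process,
                    "file_count": len(files), "extension": ext,
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_mass_modification(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['host']} {a['process']}: {a['file_count']} files -> "
              f"{a['extension']} between {a['first_seen']} and {a['last_seen']}")
```

Running it reports a single alert for the constructed `suspicious.exe` burst and nothing for the two ordinary editor writes. In a real SIEM the same logic would be expressed as a correlation rule over EDR file events; the two knobs that matter operationally are the file-count threshold (tune it above the noise of backup agents and build tools) and the same-extension ratio (which separates encryption-and-rename behaviour from a legitimate bulk copy).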
Phase 2: Containment
- Isolated 12 affected workstations
- Identified patient zero through EDR telemetry
- Blocked C2 IP ranges at perimeter firewall
Lessons Learned
- Backup testing is as important as backup creation
- Network segmentation limited blast radius significantly
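The first lesson above is easy to state and easy to skip, so here is an added example (not the team's own tooling) of the minimal test that turns "we have backups" into "we can restore": a content manifest recorded at backup time and a verifier that compares a restored tree against it. The directory layout, file names and the deliberately damaged restore are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> sha256 for every file under root at backup time.
    Store this manifest separately from the backup media it describes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Every file is classified as ok, missing, or corrupted (content differs)."""
    restored_root = Path(restored_root)
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo_restore_test():
    """Constructed scenario: back up three files, then 'restore' a tree where
    one file is intact, one is altered and one is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("alpha")
        (src / "docs" / "b.txt").write_text("bravo")
        (src / "c.txt").write_text("charlie")
        manifest = build_manifest(src)

        (dst / "docs" / "a.txt").write_text("alpha")      # restored intact
        (dst / "docs" / "b.txt").write_text("bravo-ish")  # restored but altered
        # c.txt deliberately not restored at all
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    report = demo_restore_test()
    for status, files in report.items():
        print(f"{status:>9}: {files}")
```

The point of scheduling this as a recurring job against a scratch restore target, rather than running it once, is that the manifest check catches the two failures a backup dashboard will not: media that restores incomplete, and media whose contents were silently altered before the snapshot was taken.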