Skip to main content


Note: Post Intrusion Ransomware Investigation is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

This pack is used to identify, investigate, and contain ransomware attacks.

Pack Workflow#

When a ransomware attack is detected, for example by your endpoint protection service, this pack is used to identify, investigate, and contain the ransomware attack.

When the incident is created in XSOAR, the Post Intrusion Ransomware Investigation playbook extracts account and endpoint information, which is used in the investigation.

The Ransomware pack requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database.

If defined, relevant stakeholders will be notified of the attack automatically.

For a proper recovery process, it is essential to determine the incident timeline, which is a manual task executed in the playbook. Prior attacker actions must be investigated, as data encryption is the final step in the attack.

The playbook includes options to further investigate the activity of the user whose files were encrypted, and identify additional endpoints that experienced the attack.

If auto-remediation is approved, the malicious indicators from the ransom note are automatically blocked. Alternatively, the containment can be done manually.

In This Pack#

The Ransomware content pack includes several content items.


There is one playbook - Post Intrusion Ransomware Investigation: This playbook helps you better understand the status of the attack by collecting the information needed from your environment, performing the required investigation steps, containing the incident, and displaying the data with the Post Intrusion Ransomware incident layout. The playbook inputs are:

  • AutoIsolation: Indication whether to perform auto-isolation for the infected endpoint. Default is False.
  • NotificationEmail: A comma-separated list of email addresses to notify if there is a possibility of the ransomware spreading and infecting other endpoints. Can be a CSV list.
  • EmailBody: The notification email sent to the specified email addresses in case of an attack. The default message includes a general notice and the incident ID.

Incident Types#

There is 1 incident type - Post Intrusion Ransomware.

Incident Fields#

There are 12 incident fields.

Incident fieldDescription
Ransomware Approximate Number Of Encrypted EndpointsThe number of endpoints found encrypted by the ransomware.
Ransomware Cryptocurrency AddressThe ransomware cryptocurrency address.
Ransomware Cryptocurrency Address TypeThe type of the ransomware cryptocurrency.
Ransomware Data Encryption StatusIndication whether data is currently encrypted or not.
Ransomware EmailThe email address for communication with the ransomware operators group.
Ransomware Encrypted File OwnerThe user who encrypted the files across the domain.
Ransomware NoteThe ransom note. Sample ransom note available here.
Ransomware Onion AddressThe onion service addresses for communication with the ransomware operators group.
Ransomware Recovery ToolThe name of the recovery tool for the ransomware, if available.
Ransomware StrainRansomware ID.


There are 2 automations in this pack.

  • RansomwareDataEncryptionStatus: Returns the Ransomware Data Encryption Status in the Post Intrusion Ransomware Investigation playbook and the Post Intrusion Ransomware layout.
  • RansomwareHostWidget: Returns the Ransomware Approximate Number Of Encrypted Endpoints in the Post Intrusion Ransomware incident/layout.


There is 1 layout - Post Intrusion Ransomware

There are 5 sections in the layout to display the information collected about the attack and the indicators extracted.

Layout sectionsDescription
Ransomware DetailsDisplays the information collected about the attack. For example, the ransomware strain, the number of estimated encrypted endpoints, and whether a recovery tool is available.
IndicatorsLists the indicators extracted from the ransom note and information about them. You can drill down into each indicator by viewing it in the Indicator Quick View.
Ransomware Data Encryption StatusIndication whether data is currently encrypted or not.
Hosts CountThe number of endpoints found encrypted by the ransomware.
War Room updatesWar Room note entries.

Before You Start (prereqs)#

In order to use this pack you need to configure an instance of the following integrations. See the documentation for each integration for detailed instructions.

  • Fetch incidents integration: the integration you are using to fetch and ingest ransomware incidents, for example, Palo Alto Networks Cortex XDR.
  • Active Directory Query V2: Includes the Active Directory Investigation playbook, which investigates changes and manipulation in Active Directory Access Control Lists (ACLs).
  • Rasterize: Converts URLs, PDF files, and emails to an image file or PDF file - used for ransom note manipulation.
  • Cryptocurrency: Classifies Cryptocurrency indicators as suspicious when ingested.

Pack Configurations#

You need to perform the following step before you start using the Post Intrusion Ransomware Investigation playbook to handle ransomware attacks.

Incident Mapping#

When using a 3rd party tool to identify and ingest ransomware attacks (such as Palo Alto Networks Cortex XDR), you need to map the Usernames and Hostnames fields. For more information about mapping, see Classification & Mapping.

For example, for Palo Alto Networks Cortex XDR the users and hosts fields should be mapped to XSOAR Usernames and Hostnames fields, respectively.

Testing the Pack#

After you install the pack and perform all required prerequisites, test the pack to make sure everything works. There are two ways to test this pack, either manually create an incident or ingest an incident of type Post Intrusion Ransomware.

Manual Test#

The section in the Post Intrusion Ransomware Investigation playbook that includes endpoint and account enrichment can't be executed during the manual test. Therefore, the endpoint can't be isolated, nor can the account be disabled.

  1. Create a new incident.
  2. Configure the Post Intrusion Ransomware Investigation playbook inputs.
  3. Use the sample ransom note available here.

Ingestion Test#

  1. Configure an instance of the integration that you will use to ingest and create incidents of type Post Intrusion Ransomware.
  2. Map the corresponding fields from the integration to Usernames and Hostnames.
  3. Verify that the Post Intrusion Ransomware Investigation playbook is the default playbook and configure its inputs.
  4. Start ingesting the incidents.


Integrations required for this pack.

Sample Ransom Note#

Your files are encrypted.
All encrypted files for this computer has extension: .1401
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?
Our encryption algorithms are very strong and your files are very well protected, you can’t hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
For us this is just business and to prove to you our seriousness, we will decrypt you some files for free,
but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.
Сontact us:
Download and install tor-browser:
Personal Code:
BTC Wallets