
Ransomware incident response playbook 2025: A standard guide from VNCERT/CC and CyberCX

  • Dec 31, 2025
  • 3 min read

Updated: Apr 17

The surge of ransomware attacks is becoming a top threat to the operational stability of organizations and enterprises in Vietnam. To support the cybersecurity community with a standardized response process, the Vietnam Cybersecurity Emergency Response Team/Coordination Center (VNCERT/CC), in collaboration with CyberCX, has released the Ransomware Incident Response Handbook.

This is a strategic document under the framework of the Australian Government’s Vietnam Information Security Capacity Building Program, with the latest update as of January 2025.

Why do organizations need to own this ransomware response handbook?

Ransomware is not merely file-encrypting malware; it is a complex attack campaign involving intrusion, privilege escalation, data exfiltration, and multi-extortion.

As AI search models such as Search Generative Experience (SGE) and Google Enhanced Overview (GEO) reshape how cybersecurity information is accessed in 2026, having a standardized playbook is vital for businesses that want to keep their defenses sustainable and continuously updated.

This document provides not only technical steps but also directions for national response priorities:

  • Protecting human life and safety.

  • Maintaining/restoring the operation of national critical systems.

  • Collecting digital evidence for forensic investigation.

  • Timely recovery to return operations to normal.

The 4 golden stages in ransomware incident response

The handbook establishes a closed-loop response roadmap, helping incident response (IR) teams avoid confusion when facing dangerous variants such as Conti or Petya.

Figure: Ransomware incident response playbook 2025

1. Investigation stage

The goal is to identify and analyze the attacker and the ransomware variant that got into the environment.

  • Immediate isolation: Cut affected systems off the network via EDR, local firewalls, or physical disconnection (unplugging Ethernet cables, turning off Wi-Fi).

  • Scoping: Assess the impact on servers, storage systems (SAN), and the status of backups.

  • Vulnerability tracking (CVE): Check, using reputable sources such as NVD (NIST), MITRE, and VulDB, whether known Common Vulnerabilities and Exposures (CVEs) were exploited.

2. Containment stage

Minimize the lateral movement of the attacker within the network.

  • Resetting access: Reset passwords for compromised accounts, especially the KRBTGT account (the Kerberos service account built into Microsoft Active Directory) and domain administrator accounts.

  • Out-of-band communication: Switch to secure communication channels if there is suspicion that hackers have compromised the internal email or chat systems.

3. Eradication stage

Ensure that threat actors no longer have access to the system.

  • Develop an eradication plan based on established asset priorities.

  • Use Safe Mode to run anti-virus software if devices are screen-locked.

4. Recovery stage

Restore data and identify the root cause to improve the system in the future.

  • Verify the integrity of backups before restoration, to avoid restoring a backup in which the malware has already been resident for months.
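An added example of the backup integrity check described above (not code from the handbook or from VNCERT/CC or CyberCX): Python that hashes a backup set into a manifest at backup time, then, before restoration, compares the current set against that manifest and flags changed or missing files as well as ransomware artefacts. The suspect extensions, the note-name pattern and the sample files built in demo() are constructed assumptions for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed triage indicators; extend them from your own investigation findings.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE = re.compile(r"(readme|restore|recover|decrypt).*\.(txt|html)$", re.I)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    # Produce at backup time; store off-site (ideally signed) so the intrusion cannot rewrite it.
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict) -> dict:
    # Compare the backup set with its pre-incident manifest and flag ransomware
    # artefacts; 'clean' is True only when nothing is modified, missing or suspect.
    current = build_manifest(root)
    f = {"modified": [], "missing": [], "suspect": []}
    for rel, digest in manifest.items():
        if rel not in current:
            f["missing"].append(rel)
        elif current[rel] != digest:
            f["modified"].append(rel)
    for rel in current:
        name = Path(rel)
        if name.suffix.lower() in SUSPECT_EXTENSIONS or RANSOM_NOTE.search(name.name):
            f["suspect"].append(rel)
    f["clean"] = not (f["modified"] or f["missing"] or f["suspect"])
    return f

def demo() -> dict:
    # Constructed scenario: manifest taken before the incident, then one file
    # encrypted in place, one renamed with a ransomware extension, a note dropped.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.xlsx").write_bytes(b"quarterly figures")
        (root / "policy.docx").write_bytes(b"acceptable use")
        manifest = build_manifest(root)
        (root / "ledger.xlsx").write_bytes(b"\x00garbled ciphertext")
        (root / "policy.docx").rename(root / "policy.docx.locked")
        (root / "RESTORE_FILES.txt").write_text("your files are encrypted")
        return verify_backup(root, manifest)
```

A backup set that passes this check still needs to be restored into an isolated network segment first, since a clean manifest only proves the files are unchanged since the manifest was taken.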

Catalog of technical documents and key indicators

A cybersecurity expert must master Indicators of Compromise (IoC) and technical data to perform effective forensic investigations. The handbook requires full collection of:

  • System logs: Firewall logs, user behavior records, Windows security event data.

  • Malicious files: Original malware files, PowerShell scripts, live memory.

  • Extortion information: Bitcoin wallet addresses, hacker contact emails, Tor links to data leak sites.
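As an added illustration of the evidence catalogue above (not code from the handbook or from VNCERT/CC or CyberCX), the Python below records a chain-of-custody entry for a recovered ransom note and extracts the extortion indicators the list names (contact emails, Tor links, Bitcoin wallet addresses). The note, the analyst label and the regular expressions are constructed for this example; the .onion host and wallet strings are made-up placeholders, not real indicators.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed ransom note standing in for one recovered from an infected host.
SAMPLE_NOTE = b"""ALL YOUR FILES ARE ENCRYPTED.
Contact us: recovery-desk@example.onion-mail.invalid or backup-contact@example.net
Portal: http://exampleleaksite2345.onion/chat
Pay 2 BTC to bc1qexampleexampleexampleexampleexampleexamplex or 1ConstructedConstructedConstructed
"""

# Loose patterns for triage; every hit must still be verified by an analyst.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "onion_url": re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/\S*)?", re.I),
    "btc_address": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}

def extract_indicators(note: bytes) -> dict:
    # Deduplicated, sorted hits per indicator type so reports are stable across runs.
    text = note.decode("utf-8", errors="replace")
    return {name: sorted(set(p.findall(text))) for name, p in PATTERNS.items()}

def evidence_record(label: str, blob: bytes, collected_by: str) -> dict:
    # Chain-of-custody entry: hash the artefact as collected so later tampering is detectable.
    return {
        "label": label,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
    }

def triage_note(note: bytes = SAMPLE_NOTE) -> dict:
    # Hypothetical analyst identifier; replace with the real collector's name and case id.
    record = evidence_record("ransom_note.txt", note, "analyst-1 (placeholder)")
    record["indicators"] = extract_indicators(note)
    return record
```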

To determine decryption capabilities without paying the ransom, experts can refer to the international No More Ransom project.

Ransomware negotiation and payment issues

One of the most valuable parts of the document is Appendix E on Ransomware Negotiation. Although authorities do not encourage paying the ransom, the handbook provides objective perspectives on the pros and cons of interacting with hackers.

  • Biggest disadvantage: There is no guarantee that hackers will provide the decryption key after receiving payment; furthermore, this action encourages future attacks.

  • Recommendation: If an organization decides to communicate with the attacker, it should hire a professional third-party negotiation team.

Proposed proactive solutions

In addition to following the Playbook when an incident occurs, businesses need to prioritize preventive measures to mitigate risks. Conducting periodic information security assessments and deploying centralized cybersecurity monitoring systems are key to early detection of intrusion signs before ransomware can execute encryption.

Is your organization ready to respond to ransomware? Download the standard document now to build the most robust protection plan.

-----

References:

  • Ransomware Incident Response Handbook - CyberCX & VNCERT/CC (2025).

  • NIST SP 800-61r2 - Computer Security Incident Handling Guide.

  • Australian Cyber Security Centre (ACSC) - Incident Response Guidance.
