April 2, 2020

Playbook for Malware outbreak

By Sridhar Pippari

The malware (malicious code) response procedure covers validating the malware, understanding its impact, and determining the best containment approach. Remediation ends with the malware contained and removed from the affected systems, so that it cannot spread any further.

All investigation and analysis activities should preferably be performed in a lab environment with limited internet connectivity, or over a dedicated internet connection that is not attributable, so that the perpetrators are not alerted that they have been discovered. The most common infection method is a phishing email.

Malicious code refers to any software or other executable instructions on a computer, device or information system whose specific purpose is malicious activity or destruction, or which are primarily leveraged to facilitate other malicious activity.


Playbook from a fintech company, for Windows systems.
Compare it with other best-practice playbooks for the same threat.


  • Determine Containment Procedures
    1. Determine the appropriate network containment methodologies that will prevent the malware from communicating with the attacker infrastructure and from spreading further throughout the network.
    2. Identify the infection vector and validate that all controls would block the attack at every phase. If any control would not prevent the attack at that phase, have the control updated.
      1. The malicious URLs are categorized under a blocked category in the proxy
      2. AV has a signature to detect the payload
      3. Sandboxing technology has detection capabilities
      4. Email Security would block a future email with the same characteristics
  • Implement Containment – Apply containment procedures to all compromised systems at the same time.
  • Determine Recovery Actions for all systems – The following removal procedures should be attempted. A ticket should be created and assigned to IT Ops to action the requests below. The ticket number should be recorded in the investigation record.
    1. AV Cleanup – Determine if the AV is able to fully clean up and restore the system. If so, provide instructions to IT Ops to update the pattern file on the endpoint and run a scan. IT Ops must provide evidence that the expected malware was detected and cleaned to the IT Security team for verification. A scan result of “Clean” or “No Results” does not mean the system is no longer compromised, and should be verified a second time by the IT Security team.
    2. Manual Removal – If the AV solution is incapable of removing this particular malware, the IT Security team may determine manual removal methods depending on the malware family. Provide these instructions to the IT Ops to remove the malware.
    3. Ransomware – If there exist instructions to decrypt the system based on the Ransomware family, attempt to perform the decryption at this time on one test system. If successful, perform the decryption routine on all compromised systems. Otherwise, restore any encrypted data by recovering from backups.
    4. Re-Image – If the malware is unable to be removed from the machine, instruct IT Ops to have the machine re-imaged.
  • Update the Investigation Record – The investigation record is updated with all actions performed.
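The AV Cleanup step above hinges on one rule: a scan result of "Clean" or "No Results" is not evidence that the expected malware was detected and removed, so it cannot close the ticket on its own. The script below is an added example (not part of the original playbook and not tied to any real AV product) that applies that rule to constructed scan-log lines: it grades each compromised host as cleaned, failed, unverified, or lacking evidence, and maps each grade back to the playbook's next step. The log format, the host names, the malware name `Example.Malware.A`, and the set of actions counted as successful removal are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample scan output (not from any real AV product); one event per line:
#   <timestamp> <host> <DETECTED|ACTIONED|RESULT> key=value [key=value ...]
SAMPLE_LOG = """\
2020-03-13T09:02:11 WS-0412 DETECTED name=Example.Malware.A path=C:\\Users\\a\\AppData\\Roaming\\x.exe
2020-03-13T09:02:12 WS-0412 ACTIONED name=Example.Malware.A action=Quarantined
2020-03-13T09:05:40 WS-0412 RESULT status=Clean
2020-03-13T09:07:03 WS-0419 RESULT status=No Results
2020-03-13T09:09:17 WS-0420 DETECTED name=Example.Malware.A path=C:\\temp\\y.exe
2020-03-13T09:09:18 WS-0420 ACTIONED name=Example.Malware.A action=Access Denied
2020-03-13T09:12:00 WS-0420 RESULT status=Clean
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DETECTED|ACTIONED|RESULT)\s+(.*)$")
# key=value pairs whose values may contain spaces ("No Results", "Access Denied").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumed: actions that count as the malware actually being removed from the host.
SUCCESSFUL_ACTIONS = {"Quarantined", "Deleted", "Cleaned"}

# Playbook step that follows from each verdict.
NEXT_STEP = {
    "cleaned": "IT Security verifies the host a second time, then records the ticket as resolved",
    "unverified": "scan result alone is not proof; IT Security verifies the host a second time",
    "failed": "AV could not remove the malware; proceed to manual removal or re-image",
    "no_evidence": "request scan evidence from IT Ops before proceeding",
}


def parse_log(text):
    """Turn scan-log lines into (host, event, fields) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, host, event, detail = m.groups()
        fields = {k: v.strip() for k, v in KV_RE.findall(detail)}
        events.append((host, event, fields))
    return events


def verify_cleanup(log_text, expected_name, compromised_hosts):
    """Grade each compromised host's evidence against the playbook rule.

    cleaned     - expected malware detected AND a successful removal action logged
    failed      - expected malware detected but no successful removal action
    unverified  - only a Clean / No Results scan; no proof the malware was ever seen
    no_evidence - no scan output for the host at all
    """
    by_host = defaultdict(list)
    for host, event, fields in parse_log(log_text):
        by_host[host].append((event, fields))

    verdicts = {}
    for host in compromised_hosts:
        evs = by_host.get(host, [])
        if not evs:
            verdicts[host] = "no_evidence"
            continue
        detected = any(e == "DETECTED" and f.get("name") == expected_name for e, f in evs)
        removed = any(e == "ACTIONED" and f.get("name") == expected_name
                      and f.get("action") in SUCCESSFUL_ACTIONS for e, f in evs)
        if detected and removed:
            verdicts[host] = "cleaned"
        elif detected:
            verdicts[host] = "failed"
        else:
            # A "Clean"/"No Results" status with no detection of the expected
            # malware does not show the host is no longer compromised.
            verdicts[host] = "unverified"
    return verdicts


def report(verdicts):
    """One line per host, suitable for pasting into the investigation record."""
    return [f"{host}: {verdict} -> {NEXT_STEP[verdict]}" for host, verdict in verdicts.items()]


if __name__ == "__main__":
    hosts = ["WS-0412", "WS-0419", "WS-0420", "WS-0431"]  # WS-0431 has no log lines at all
    for line in report(verify_cleanup(SAMPLE_LOG, "Example.Malware.A", hosts)):
        print(line)
```

The grading deliberately treats the "Clean" result on WS-0420 as irrelevant: the removal action was refused, so the host stays in the failed bucket and moves on to the Manual Removal step rather than being closed on the strength of the final scan status.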





March 13, 2020: Initial Version