Ransomware | Marketplace

Details
Content
Dependencies
Version History

This pack is used to identify, investigate, and contain ransomware attacks.

When a ransomware attack is detected, for example by your endpoint protection service, this pack can help you better understand your position and exposure against the threat actor group by collecting the needed information from your environment, performing the required investigation steps, containing the incident, and visualizing the data with its custom Post Intrusion Ransomware layout.

What does this pack do?

The main features of the semi-automated Post Intrusion Ransomware Investigation playbook included in the pack are:

Performs automated user and host data enrichment.
Performs automated endpoint isolation and user revocation.
Provides guidance to retrieve the necessary files to identify the ransomware strain.
Extracts indicators from the ransomware note, including cryptocurrency and onion addresses.
Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user.
Performs Active Directory forensics.
Automatically blocks malicious indicators.
As part of this pack, you will get out-of-the-box playbook, incident type, incident fields and a layout to display all of the information gathered during the ransomware investigation performed by the playbook.

Integrations

Integrations required for this pack.

Fetch incidents integration: the integration you are using to fetch and ingest ransomware incidents, for example, Palo Alto Networks Cortex XDR.
Active Directory Query V2 - (see the documentation)
Rasterize - (see the documentation)
Cryptocurrency - (see the documentation)
For more information, visit our Cortex XSOAR Developer Docs

What does this pack do?

The main features of the semi-automated Post Intrusion Ransomware Investigation playbook included in the pack are:

Performs automated user and host data enrichment.
Performs automated endpoint isolation and user revocation.
Provides guidance to retrieve the necessary files to identify the ransomware strain.
Extracts indicators from the ransomware note, including cryptocurrency and onion addresses.
Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user.
Performs Active Directory forensics.
Automatically blocks malicious indicators.
As part of this pack, you will get out-of-the-box playbook, incident type, incident fields and a layout to display all of the information gathered during the ransomware investigation performed by the playbook.

Integrations

Integrations required for this pack.

Fetch incidents integration: the integration you are using to fetch and ingest ransomware incidents, for example, Palo Alto Networks Cortex XDR.
Active Directory Query V2 - (see the documentation)
Rasterize - (see the documentation)
Cryptocurrency - (see the documentation)
For more information, visit our Cortex XSOAR Developer Docs

Automations

Name	Description
RansomwareDataEncryptionStatus	A Widget script - checks for the data encryption status in post ransomware investigation playbook and layout.
RansomwareHostWidget	Entry widget that returns the number of affectefd hosts in a Post Intrusion Ransomware incident.

Incident Fields

Name	Description
Ransomware Recovery Tool
Ransomware Approximate Number Of Encrypted Endpoints
Ransomware Data Encryption Status
Ransomware Strain	Strain of the ransomware
Ransomware Email	Email address for communication with the ransomware operators group
Ransomware Cryptocurrency Address	Ransomware Cryptocurrency Address
Ransomware Onion Address	Onion service address for communication with the ransomware operators group
Ransomware Encrypted File Owner	User who encrypted the files across the domain
Ransomware Cryptocurrency Address Type	Type of the Cryptocurrency
Ransomware Note

Incident Types

Name	Description
Ransomware
Post Intrusion Ransomware

Layouts

Name	Description
Post Intrusion Ransomware	Post Intrusion Ransomware Incident layout

Playbooks

Name	Description
Post Intrusion Ransomware Investigation	Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: Encrypted file owner investigation Endpoint forensic investigation Active Directory investigation Timeline of the breach investigation Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)
Ransomware Playbook - Manual	Master playbook for ransomware incidents. This playbook is a manual playbook.

Name

Description

Post Intrusion Ransomware Investigation

Provides the first step in the investigation of ransomware attacks.
The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database.
You will be guided with further investigation steps throughout the playbook, some of the key features are:

Encrypted file owner investigation
- Endpoint forensic investigation
- Active Directory investigation
- Timeline of the breach investigation
- Indicator and account enrichment

Playbook settings and mapping:
For the full operation of the playbook, the following data should be mapped to the relevant incident fields.
Username - Usernames (common incident field)
Hostname - Hostnames (common incident field)

Ransomware Playbook - Manual

Master playbook for ransomware incidents. This playbook is a manual playbook.

Automations

Name	Description
RansomwareHostWidget	Entry widget that returns the number of affectefd hosts in a Post Intrusion Ransomware incident.
RansomwareDataEncryptionStatus	A Widget script - checks for the data encryption status in post ransomware investigation playbook and layout.

Incident Fields

Name	Description
Ransomware Strain	Strain of the ransomware
Ransomware Cryptocurrency Address Type	Type of the Cryptocurrency
Ransomware Data Encryption Status
Ransomware Encrypted File Owner	User who encrypted the files across the domain
Ransomware Recovery Tool
Ransomware Note
Ransomware Approximate Number Of Encrypted Endpoints
Ransomware Email	Email address for communication with the ransomware operators group
Ransomware Onion Address	Onion service address for communication with the ransomware operators group
Ransomware Cryptocurrency Address	Ransomware Cryptocurrency Address

Incident Types

Name	Description
Ransomware
Post Intrusion Ransomware

Playbooks

Name	Description
Post Intrusion Ransomware Investigation	Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: Encrypted file owner investigation Endpoint forensic investigation Active Directory investigation Timeline of the breach investigation Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant alert fields. Username - Usernames (common alert field) Hostname - Hostnames (common alert field)
Ransomware Playbook - Manual	Master playbook for ransomware alerts. This playbook is a manual playbook.

Name

Description

Post Intrusion Ransomware Investigation

Encrypted file owner investigation
- Endpoint forensic investigation
- Active Directory investigation
- Timeline of the breach investigation
- Indicator and account enrichment

Playbook settings and mapping:
For the full operation of the playbook, the following data should be mapped to the relevant alert fields.
Username - Usernames (common alert field)
Hostname - Hostnames (common alert field)

Ransomware Playbook - Manual

Master playbook for ransomware alerts. This playbook is a manual playbook.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Optional Content Packs (5)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR

1.0.20 - 8994397 (May 13, 2026)

Scripts

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.13.8428455.

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44128

Download

1.0.19 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.0.18 - 6238358 (December 11, 2025)

Scripts

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.12.6204436.

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

1.0.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.16 - 4856079 (September 11, 2025)

Playbooks

Post Intrusion Ransomware Investigation

Updated the input description "AutoBlockIndicators".

Related pull requests:
- 41245

Download

1.0.15 - 4583601 (August 20, 2025)

Scripts

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.8.3296088.

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40710

Download

1.0.14 - R3414854 (May 15, 2025)

Scripts

RansomwareDataEncryptionStatus

Metadata and documentation improvements.

RansomwareHostWidget

Metadata and documentation improvements.

Related pull requests:
- 39095

Download

1.0.20 - 8994397 (May 13, 2026)

Scripts

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.13.8428455.

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44128

Download

1.0.19 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.0.18 - 6238358 (December 11, 2025)

Scripts

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.12.6204436.

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

1.0.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.16 - 4856079 (September 11, 2025)

Playbooks

Post Intrusion Ransomware Investigation

Updated the input description "AutoBlockIndicators".

Related pull requests:
- 41245

Download

1.0.15 - 4583601 (August 20, 2025)

Scripts

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.12.8.3296088.

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40710

Download

1.0.14 - R3414854 (May 15, 2025)

Scripts

RansomwareDataEncryptionStatus

Metadata and documentation improvements.

RansomwareHostWidget

Metadata and documentation improvements.

Related pull requests:
- 39095

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	May 13, 2026

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.