# Playbook of the Week: Automated Ransomware Response with Cortex XSOAR

By [Yvonne Le](https://www.paloaltonetworks.com/blog/author/yvonne-le/?ts=markdown "Posts by Yvonne Le"), Jun 27, 2022, 4 minutes

With ransomware attacks more prevalent than ever across industries, fast and efficient response is crucial for incident responders. To help combat this growing threat, Cortex XSOAR has just the content pack to help security teams be more effective in dealing with these nefarious bad actors.

According to the Palo Alto Networks [Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html?utm_source=google-rapp-amer-rapp&utm_medium=paid-search&utm_campaign=Unit_42-Americas-EN-Search-Lead_Gen-US/CA_Q4&utm_content=593884840443-c&utm_term=ransomware%202021&sfdcid=7014u000001hKM8AAM&_bt=593884840443&_bm=e&_bn=g&gclid=EAIaIQobChMInPiP-aPA-AIVajytBh0l6QF6EAAYAyAAEgI9m_D_BwE), the average ransom demand in cases handled by Unit 42 increased 144% year-over-year from 2020 to 2021, making ransomware one of the fastest-growing cyber threats in recent history. Ransomware was also the third most used cyberattack method in 2021, accounting for 10% of all data breaches. This explosive uptick in attacks is expected to continue in 2022 and beyond.

To better deal with these attacks, the [Cortex XSOAR ransomware content pack](https://xsoar.pan.dev/marketplace/details/Ransomware) helps accelerate incident response and orchestrate threat intelligence by enabling SecOps teams to standardize and speed up post-intrusion response. The pack automates the majority of the ransomware response steps while letting incident response and SecOps teams review and add guidance and input wherever necessary.
With this pack, incident responders can better understand their position and exposure against threat actors by collecting the required information from their environment, executing the investigation steps, containing the incident, and visualizing the data with its custom post-intrusion ransomware layout.

![Ransomware dashboard found within the Cortex XSOAR Platform](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/SAr-ivgtshxntnRX962WzrcjqkaiaUqeeP9aALuIzcE51N2-qJ9MeWBh3pVv5Fws6cEhOfhfsM1Zl8OJGHBkoYFo_j-WE6jM4sMR5RQ7O5Oj70A6Bcv8aORFwmtO.png)

### **How the Ransomware Content Pack Works**

When a ransomware attack is detected by one of several alert sources, such as Cortex XDR, this pack automatically triggers the **post-intrusion ransomware investigation and response playbook** to identify, investigate, and contain the ransomware attack. This semi-automated playbook helps you understand the status of the attack by collecting the information needed from your environment, performing the required investigation steps, containing the incident, and displaying the data in the Post Intrusion Ransomware incident layout.

The ransomware content pack requires the ransom note and an example of an encrypted file to identify the ransomware variant and find the most appropriate recovery tool via the online database. All relevant stakeholders are automatically notified of the attack.

The playbook includes a manual task for determining the incident timeline, an essential part of the recovery process. Since data encryption is the final step of the attack, the attacker's earlier actions are investigated. The playbook includes options to further investigate the activity of the user whose files were encrypted and to identify additional endpoints affected by the attack.

If auto-remediation is approved, the malicious indicators from the ransom note are automatically blocked. Alternatively, containment of affected files can be done manually.
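The ransom-note step described above (and the "extracts indicators from the ransomware note" feature listed below), as an added stand-alone illustration that is not the content pack's own automation: it triages a text file as a likely ransom note, pulls Tor hidden-service hosts, URLs, contact e-mail addresses and Bitcoin wallets out of it, and turns them into containment actions that execute only when auto-remediation has been approved, otherwise queueing them for the analyst. The function names, the action labels and the sample note are constructed for this example; nothing here calls XSOAR APIs.

```python
"""
Added illustration, not Cortex XSOAR's own code or the ransomware pack's
automation: ransom-note triage, indicator extraction and approval-gated
blocking, reduced to plain Python. Function names, action labels and the
sample note are constructed for this example.
"""
import re

# Constructed ransom note, modelled on the typical layout (banner, Tor payment
# page, contact address, wallet). No real infrastructure is referenced.
SAMPLE_NOTE = """\
!!! YOUR FILES HAVE BEEN ENCRYPTED !!!
All documents on this computer are locked with a strong key.
To get the decryptor, open this page in the Tor browser:
http://constructedexampleonionaddressforillustrationonlyabcdefg.onion/pay
Or contact us: recover-files@example.com
Send 0.5 BTC to 1FakeNoteAddr9qP7mYzK3jXvRt2LbQ5Hs and attach your ID: 7F3A-22C1
"""

# Indicator patterns. Tor v3 hosts are 56 base32 chars (v2 were 16); legacy
# Bitcoin addresses are base58 starting with 1 or 3, bech32 ones start with bc1.
# These are format checks only, not validity checks (no base58 checksum).
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

RANSOM_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "btc", "tor", ".onion", "ransom", "your files")


def looks_like_ransom_note(text: str) -> bool:
    """Cheap triage heuristic: two or more ransom-note keywords in the text."""
    lowered = text.lower()
    return sum(1 for kw in RANSOM_KEYWORDS if kw in lowered) >= 2


def extract_indicators(note: str) -> dict[str, list[str]]:
    """Pull the blockable and evidentiary indicators out of a ransom note."""
    return {
        "onion": sorted({m.group(0).lower() for m in ONION_RE.finditer(note)}),
        "url": sorted({m.group(0).rstrip(".,;)") for m in URL_RE.finditer(note)}),
        "email": sorted({m.group(0).lower() for m in EMAIL_RE.finditer(note)}),
        "btc": sorted({m.group(0) for m in BTC_RE.finditer(note)}),
    }


def plan_containment(indicators: dict[str, list[str]], auto_remediation_approved: bool) -> list[dict]:
    """Map indicators to containment actions. Network indicators are blocked
    only when the analyst has approved auto-remediation; otherwise they are
    queued for manual handling. Wallet addresses cannot be blocked on a
    firewall, so they are kept as case evidence regardless of approval."""
    status = "executed" if auto_remediation_approved else "pending_analyst_approval"
    actions = []
    for value in indicators["onion"] + indicators["url"]:
        actions.append({"action": "block_url", "value": value, "status": status})
    for value in indicators["email"]:
        actions.append({"action": "block_sender", "value": value, "status": status})
    for value in indicators["btc"]:
        actions.append({"action": "record_evidence", "value": value, "status": "recorded"})
    return actions


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_NOTE)
    print("looks like a ransom note:", looks_like_ransom_note(SAMPLE_NOTE))
    for kind, values in inds.items():
        print(f"{kind}: {values}")
    for action in plan_containment(inds, auto_remediation_approved=False):
        print(action)
```

Run it as a script to see the extracted indicators and the queued actions. Because the patterns only check format, a false match (an unrelated base58-looking token, for instance) would be blocked just as readily as a real one, which is exactly why the approval gate in front of the block actions mirrors the playbook's own choice to make auto-remediation opt-in.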
![Expanded view of the advanced forensics investigation task of the Ransomware playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/Task-Details.png)

*Expanded view of the advanced forensics investigation task of the Ransomware playbook*

### **Ransomware Content Pack Main Features:**

* Performs automated user and host data enrichment
* Performs automated endpoint isolation and user revocation
* Provides guidance to retrieve the necessary files to identify the ransomware strain
* Extracts indicators from the ransomware note, including cryptocurrency and onion addresses
* Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user
* Performs Active Directory forensics
* Automatically blocks malicious indicators

*To learn more about the associated integrations, playbooks, scripts, commands, and automations, please refer to the [Palo Alto Networks Developer Doc](https://xsoar.pan.dev/docs/reference/packs/ransomware).*

### **Conclusion**

With the help of the ransomware content pack and the core capabilities and integrations available within Cortex XSOAR, SecOps, incident response, and threat intel teams can work more efficiently and effectively to respond to the growing ransomware threat. Teams can save countless hours of manual labor otherwise spent piecing together disparate sources of information from multiple tools. Cortex XSOAR automates user investigation, endpoint isolation, notifications, enrichment, and threat hunting by orchestrating across SIEM, firewalls, endpoint security, and threat intelligence sources so that response teams can quickly shut down the ransomware. By doing so, we minimize the risk of losing important data and limit the financial impact of ransom demands on the entire enterprise.
**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour). We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**

### **Please Suggest Other Ideas or Vote!**

If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page: [https://xsoar.ideas.aha.io/ideas](https://xsoar.ideas.aha.io/ideas)