Ransomware is one of the most significant threats facing organisations in Trinidad and Tobago. A single attack can disrupt operations, cause financial loss, destabilise the economy, and damage your organisation’s reputation. TT-CSIRT — the national focal point for cyber incident management and response — has prepared this guide to help organisations respond quickly and effectively.
Source: Guidance adapted from the U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Important: follow the first three phases (Detection → Containment → Analysis) in sequence.

Quick phase overview (sequential)
- Phase 1 — Detection & Analysis: Identify and isolate affected systems; preserve evidence.
- Phase 2 — Containment: Prevent spread, disable exposed services and credentials.
- Phase 3 — Extended Analysis: Investigate persistence, exfiltration, and root cause.
- Phase 4 — Recovery: Rebuild, restore from clean backups, and confirm full remediation.
- Phase 5 — Reporting: Notify TT-CSIRT and (optionally) TTPS CSMU for criminal investigation support.
Phase 1 — Detection & Analysis
Identify and isolate impacted systems
- Determine which systems were impacted and immediately isolate them from the network.
- If multiple systems or subnets are affected, take the network offline at the switch level where feasible.
- If taking the network offline is not possible, unplug affected devices from Ethernet or disconnect them from Wi-Fi.
- Use out-of-band communications (for example, phone calls) to coordinate the response and avoid alerting attackers who may be monitoring email or chat systems.
- Only if unable to disconnect: power down infected devices to prevent further spread.
Please note: Powering down systems may erase volatile forensic evidence (system memory, certain logs). Do this only when isolation via network disconnection is not possible.
Triage impacted systems
- Identify and prioritise critical systems for restoration (health/safety systems, revenue systems, core services).
- Keep an inventory of unaffected systems so they can be de-prioritised during recovery.
- Develop and document an initial understanding of what occurred based on available evidence.
- Engage stakeholders — IT, managed security providers (MSSPs), cyber insurance contacts, and senior leadership — and share relevant findings.
- Capture evidence: take system images and memory captures of representative affected devices (workstations, servers) and collect logs, malware binaries, and other indicators of compromise (IoCs).
- Preserve highly volatile evidence (e.g., system memory, Windows Security logs, firewall log buffers) to assist forensic analysis.
- Consult TT-CSIRT and TTPS CSMU regarding possible decryptors; researchers sometimes publish decryptors for certain variants.
- Research trusted guidance (government advisories, reputable vendors) for the specific ransomware variant and follow recommended steps.
- Where safe to do so, kill or disable execution of confirmed ransomware binaries and remove associated registry values or files.
- Identify systems and accounts used in the initial breach (including email accounts) and contain them to prevent further access.
Phase 2 — Containment
Limit spread and secure entry points
- Disable or isolate compromised remote access: VPNs, remote-access servers, remote desktop, and single sign-on (SSO) systems if they are implicated.
- Disable or rotate credentials that may have been exposed; enforce MFA where possible.
- Investigate server-side encryption activity: check sessions and open files on servers, file ownership, and ransom notes to map which users or systems are involved.
- Review relevant logs (Windows Security, SMB, and TerminalServices/RemoteConnectionManager event logs) for suspicious authentication events and unexpected RDP/SMB access.
- Run network captures (e.g., Wireshark) on impacted servers with appropriate filters to detect IPs actively writing or renaming files.
- Check antivirus, EDR, IDS/IPS logs for related detections to identify precursor malware or lateral movement.
- Look specifically for precursor or secondary malware (TrickBot, Dridex, Emotet) commonly linked to ransomware operations.
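As an added example (not part of the TT-CSIRT or CISA guidance), the following Python script applies the log review step above to constructed Windows Security event records: it flags successful RDP logons (Event 4624, LogonType 10) from sources outside an assumed approved jump-host list, finds bursts of failed logons (Event 4625) from a single source, and lists the accounts that should be contained first. The record fields, host names, user names and addresses are all assumed sample data.

```python
"""Triage Windows Security events for suspicious remote access (added example, not TT-CSIRT/CISA code).
Records mirror the fields of a Get-WinEvent/JSON export of the Security log; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: hypothetical hosts and users, RFC 5737 test addresses.
EVENTS = [
    {"time": "2024-03-01T01:58:00", "id": 4625, "host": "FS01", "user": "admin", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T01:58:20", "id": 4625, "host": "FS01", "user": "admin", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T01:58:41", "id": 4625, "host": "FS01", "user": "backup", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T01:59:02", "id": 4625, "host": "FS01", "user": "svc_sql", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T01:59:30", "id": 4625, "host": "FS01", "user": "jdoe", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T02:11:04", "id": 4624, "host": "FS01", "user": "jdoe", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2024-03-01T08:30:00", "id": 4624, "host": "FS01", "user": "itadmin", "logon_type": 10, "src": "10.0.5.20"},
    {"time": "2024-03-01T08:31:12", "id": 4624, "host": "FS01", "user": "asmith", "logon_type": 3, "src": "10.0.7.33"},
]
# Assumed: the jump host is the only source allowed to open RDP sessions to servers.
APPROVED_RDP_SOURCES = {"10.0.5.20"}

def unapproved_rdp_logons(events, approved=APPROVED_RDP_SOURCES):
    """Successful RDP logons (Event 4624, LogonType 10) from a source that is not approved."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 10 and e["src"] not in approved]

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Source -> largest number of failed logons (Event 4625) that fit inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)  # failures in the window
            if n >= threshold:
                bursts[src] = max(bursts.get(src, 0), n)
    return bursts

def accounts_to_contain(events):
    """Accounts that logged on over RDP from a source that also produced a failed-logon burst."""
    burst_sources = failed_logon_bursts(events)
    return sorted({e["user"] for e in unapproved_rdp_logons(events) if e["src"] in burst_sources})

if __name__ == "__main__":
    for e in unapproved_rdp_logons(EVENTS):
        print(f"RDP from unapproved source {e['src']} -> {e['host']} as {e['user']} at {e['time']}")
    for src, n in failed_logon_bursts(EVENTS).items():
        print(f"Failed-logon burst: {n} failures from {src}")
    print("Accounts to contain / rotate:", accounts_to_contain(EVENTS))
```

On the sample data the script reports one RDP logon from an unapproved address, a burst of five failed logons from that same address, and the account jdoe as the first credential to disable or rotate.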
Phase 3 — Extended Analysis
Investigate persistence, exfiltration, and root cause
- Identify outside-in and inside-out persistence mechanisms: rogue accounts, backdoors, scheduled tasks, malicious PowerShell, PsExec usage, or Cobalt Strike implants.
- Deploy endpoint detection and response (EDR) tools and perform deeper audits of local and domain accounts and centralized logs.
- Determine whether the ransomware was deployed manually (which may indicate an attempt to hide an earlier compromise) and map any lateral movement.
- Investigate for signs of data exfiltration or extortion tactics; many attackers exfiltrate data before encryption and may threaten public release.
- If evidence of exfiltration exists, document what data was accessed and notify legal/cyber insurance as appropriate.
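As an added example (not code from TT-CSIRT or CISA), this Python script works through the persistence review described in this phase against a constructed inventory of scheduled tasks and services: it flags entries created in the days before encryption was first observed, executables living in user-writable paths, encoded PowerShell commands (decoding them so the analyst can read the real command), and a PsExec service. The task and service names, paths, timestamps and the incident time are all assumed sample data.

```python
"""Review scheduled tasks and services for persistence (added example, not TT-CSIRT/CISA code).
Records mirror a schtasks /v or service-inventory export; every entry is constructed sample data."""
import base64
import re
from datetime import datetime, timedelta

FIRST_ENCRYPTION_SEEN = datetime.fromisoformat("2024-03-01T02:30:00")  # assumed incident time
LOOKBACK = timedelta(days=7)  # entries created in this window before encryption matter most
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData|Public)\\", re.I)
ENCODED_PS = re.compile(r"(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Constructed inventory: hypothetical names and paths; the encoded command is built inline.
ENTRIES = [
    {"kind": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "created": "2023-06-10T09:00:00",
     "run_as": "SYSTEM", "action": r"C:\Windows\System32\defrag.exe -c -h -o -$"},
    {"kind": "task", "name": r"\OneDrive Sync", "created": "2024-02-27T23:41:00", "run_as": "SYSTEM",
     "action": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(r"Start-Process C:\Users\Public\svc.exe".encode("utf-16-le")).decode()},
    {"kind": "task", "name": r"\Adobe Update", "created": "2024-02-28T01:05:00", "run_as": "jdoe",
     "action": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"kind": "service", "name": "PSEXESVC", "created": "2024-02-28T01:07:00", "run_as": "SYSTEM",
     "action": r"C:\Windows\PSEXESVC.exe"},
]

def review(entry, now=FIRST_ENCRYPTION_SEEN, lookback=LOOKBACK):
    """Return the reasons this entry deserves a closer look (empty list = nothing flagged)."""
    reasons = []
    created = datetime.fromisoformat(entry["created"])
    if now - lookback <= created <= now:
        reasons.append("created within lookback window before first encryption")
    if USER_WRITABLE.search(entry["action"]):
        reasons.append("executable or script in a user-writable path")
    if m := ENCODED_PS.search(entry["action"]):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable>"
        reasons.append("encoded PowerShell decodes to: " + decoded)
    if entry["kind"] == "service" and entry["name"].upper() == "PSEXESVC":
        reasons.append("PsExec service present; confirm who ran it and from where")
    if reasons and entry["run_as"].upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    return reasons

def flagged(entries):
    """Name -> reasons for every entry with at least one finding."""
    return {e["name"]: r for e in entries if (r := review(e))}

if __name__ == "__main__":
    for name, reasons in flagged(ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

The benign Defrag task receives no findings, while the three entries created in the week before encryption are each reported with the specific reasons an analyst would need to document for the root-cause write-up.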
Phase 4 — Recovery
Rebuild, restore, and strengthen
- Rebuild systems based on a prioritisation of critical services using known clean, pre-configured images where possible.
- Remove malicious persistence mechanisms and ensure compromised accounts and credentials are remediated before reconnecting systems.
- Once the environment is fully cleaned and rebuilt, issue password resets for affected systems and accounts.
- Apply patches, update software, and close security gaps that enabled initial access.
- Restore data from offline, verified backups (preferably encrypted and isolated). Prioritise critical services when restoring.
- Carefully avoid re-infecting clean systems during recovery — consider using a separate recovery network/VLAN to keep restored systems isolated until validated.
- Declare the ransomware incident over once remediation and validation criteria are met.
- Document lessons learned, update incident response plans, and run exercises to validate improvements.
- Share relevant indicators of compromise (IOCs) and lessons learned with TT-CSIRT to help protect other organisations.
Phase 5 — Reporting
Reporting a Cyber Attack
If your organisation is affected by ransomware, report the incident promptly. TT-CSIRT and TTPS CSMU provide technical and investigative support.
1. Report to TT-CSIRT (Technical Assistance)
What TT-CSIRT can provide:
- Confidential guidance to evaluate, triage, and remediate incidents.
- Remote or on-site assistance to identify the extent of compromise and recommended containment strategies.
- Analysis of logs, malware samples, and phishing emails submitted voluntarily.
- Email: contacts@ttcsirt.gov.tt
- Tel: +1 (868) 623-5439
2. Report to Law Enforcement (TTPS CSMU)
What TTPS CSMU can provide:
- Assistance with evidence collection (system images, malware samples) and criminal investigations.
- Email: cybercrime@ttps.gov.tt
- Tel 1: +1 (868) 612-0742
- Tel 2: +1 (868) 715-2072
Disclaimer: This guidance is for informational purposes and adapted from CISA. Contact TT-CSIRT or TTPS CSMU directly for case-specific assistance. Sharing IOCs or samples should be done securely and only with authorised responders.
