Ransomware behaviour alert on WS-LAP-011 — please investigate
TKT-0006
Urgent
In Progress
Incident Response
- Created By: a.wilson
- Created: 2026-05-12 12:23
- Last Updated: 2026-05-13 16:26
- Assigned Analyst: Marcus Webb
- Category: Incident Response
- Messages: 6
Conversation
a.wilson
Customer
2026-05-12 12:23
We've noticed some concerning activity and would like the SOC team to investigate urgently.
Subject: Ransomware behaviour alert on WS-LAP-011 — please investigate
Please provide an initial assessment as soon as possible. Our IT team is standing by to assist with any containment actions needed.
Marcus Webb
SOC Analyst
2026-05-12 14:44
Good news — our analysis confirms this is a true positive. We've implemented the containment measures and will send a full incident summary within 24 hours.
a.wilson
Customer
2026-05-12 18:20
Thanks. Could you also check if any other accounts were affected?
Marcus Webb
SOC Analyst
2026-05-12 20:10
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has a zero false positive rate — the activity is genuine and warrants investigation.
a.wilson
Customer
2026-05-12 23:56
The affected user has confirmed they changed their password. Can you verify MFA is active?
Marcus Webb
SOC Analyst
2026-05-13 02:51
Thank you for raising this. I've reviewed the alert and can confirm we're investigating. I'll update you within the hour.