SOP-05: Ransomware Alert Response
Critical SOC ransomware response playbook. Covers the sub-5-minute isolation decision, KQL patient-zero detection, shadow copy deletion confirmation, a fleet-wide encryption scan, Entra ID lockdown, C2 beacon identification and blocking, and a 6-point recovery gate checklist.
Rudra Verma, Senior Security Architect & Researcher