Ransomware attacks are becoming increasingly common and dangerous. When a business is hit by ransomware, it can be devastating – resulting in complete shutdown of operations, data theft, and demands for large ransom payments. Having a clear checklist of steps to take after an attack can help get things under control as quickly as possible and mitigate damage. Here we outline the key things you should do right away if your organization is hit with ransomware.
Assess the Impact
The very first thing to do is quickly determine the scope of the incident. Here are some key questions to answer:
- What systems/devices are infected or compromised?
- Is access blocked to critical data and systems?
- Are there indicators of data theft or exfiltration?
- What business functions are affected?
This will give you an initial damage assessment so that high priority issues can be triaged.
Isolate Infected Systems
Any infected endpoints should immediately be isolated from the network to prevent lateral spread of the infection. This means disconnecting wired connections and disabling wireless access. Network segmentation solutions like firewalls can also be used to isolate compromised systems.
Disable External Network Access
To prevent attackers from maintaining persistence in the environment, disable all external network access to affected systems. Block incoming and outgoing connections on networking devices. This includes disconnecting VPN connections, disabling remote access tools like RDP, and even physically disconnecting from the internet if necessary.
Secure Backups
Make absolutely sure that backups, especially those of critical systems and data, are secure and unaffected by the attack. Verify that no backup store has been encrypted or otherwise compromised, for example by comparing it against the integrity records taken when the backup was made. This gives you a known-good recovery dataset in case primary systems must be rebuilt.
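One way to check that a backup store is still intact, as an added example that is not part of the original article and which also covers the later step of restoring backup integrity: it assumes a hypothetical convention where a manifest of SHA-256 hashes is written at backup time and kept apart from the data, then compares the store against that manifest and flags files whose content looks like ciphertext.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Added example. Assumed (hypothetical) convention: when a backup is taken, a manifest of
# "<sha256>  <relative path>" lines is written and kept apart from the backup itself
# (e.g. on write-once media), so the reference hashes cannot be encrypted with the data.
def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: documents sit around 4-6, compressed or encrypted data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def write_manifest(backup_dir, manifest):
    files = sorted(p for p in backup_dir.rglob("*") if p.is_file())
    manifest.write_text("".join(f"{sha256_of(p)}  {p.relative_to(backup_dir).as_posix()}\n" for p in files))

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Flag changed, missing and stray files, plus any whose first 64 KiB looks like ciphertext."""
    expected = dict(line.split("  ", 1)[::-1] for line in manifest.read_text().splitlines())  # rel -> digest
    present = {p.relative_to(backup_dir).as_posix(): p for p in backup_dir.rglob("*") if p.is_file()}
    report = {
        "missing": sorted(r for r in expected if r not in present),
        "modified": sorted(r for r in expected if r in present and sha256_of(present[r]) != expected[r]),
        "unexpected": sorted(r for r in present if r not in expected),
        "high_entropy": sorted(r for r, p in present.items()
                               if shannon_entropy(p.read_bytes()[:65536]) >= entropy_threshold),
    }
    report["clean"] = not any(report.values())
    return report

def demo_report():
    """Constructed scenario: a good backup is manifested, then one file is overwritten and a stray file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, manifest = Path(tmp) / "backup", Path(tmp) / "manifest.sha256"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 50)
        (backup / "notes.txt").write_text("quarterly planning notes\n" * 20)
        write_manifest(backup, manifest)
        # every byte value equally often -> exactly 8.0 bits/byte, a stand-in for encrypted output
        (backup / "finance" / "ledger.csv").write_bytes(bytes(range(256)) * 16)
        (backup / "UNEXPECTED_NOTE.txt").write_text("constructed stand-in for a dropped note\n")
        return verify_backup(backup, manifest)
```

Run `verify_backup` against each backup store before restoring from it; a report with `clean` set to False means that store needs investigation before use.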
Assemble Incident Response Team
Bring together key technology, security, business leadership, communications, legal, and other stakeholders to form an incident response team. Establish clear goals and objectives for containment and remediation. Appoint roles and responsibilities and establish a regular cadence for updates and communications.
Analyze Malware
If possible, analyze the ransomware variant involved and how it behaves. This can provide insight into decryption possibilities, as well as how to stop ongoing execution and spread. Sandboxing, reverse engineering, and threat intelligence feeds can be useful here.
Report the Incident
Notify appropriate parties – leadership, technology teams, employees, customers, partners, authorities, etc. Follow applicable regulatory compliance reporting requirements as well. Keep communications regular as the situation develops.
Engage Third Party Help
Consider bringing in outside cybersecurity and incident response expertise for assistance. They can help provide technology, threat intelligence, strategy, and staff augmentation.
Recover Data from Backups
With backups verified as uncompromised and isolated from infection, data restoration can begin. Prioritize critical systems and information stores first. This process will take time but is necessary to restore business functions after technical infrastructure is secured.
Decrypt Data Where Possible
For some ransomware variants, decryption may be possible without paying the ransom. Free decryption tools exist for some strains, GandCrab among them, and for older versions of others. Threat intelligence feeds can tell you which strains have known decryption methods.
Rebuild Infected Systems
In most cases, the only way to ensure an infected endpoint is clean is to completely rebuild it. Safely reimage or reinstall the operating system from a trusted source to fully eliminate malware remnants. Then restore data from clean backups.
Restore Integrity of Backups
After data is restored, ensure backups are recaptured and secure from reinfection. All backup systems should be hardened to prevent recurrence.
Create New Access Credentials
To prevent continued account compromise, reset passwords and create new keys/certificates where applicable for user and system accounts that may have been accessed during the incident.
Undo System Configuration Changes
Ransomware often makes configuration changes to increase permissions, disable security tools, or maintain persistence. Undo any identified malicious configuration modifications.
Strengthen Security Posture
With business functions restored, take time to identify security gaps and harden defenses to prevent repeat compromise. This should include technology, process, and awareness initiatives.
Improve Security Controls
Implement additional controls to block malware delivery, detect threats quickly, limit lateral movement, and protect critical assets. Example technologies include:
- Email security gateways
- Web content filtering
- Endpoint detection and response
- Privileged access management
- Network segmentation and microperimeters
- Application allowlisting
- Encrypted backups
Develop Incident Response Playbooks
Detail response procedures in customized playbooks aligned to different breach scenarios. This improves consistency and efficiency when the next incident occurs. Include roles, actions, communications, tools, integrations, and automation.
Increase Security Awareness
Ransomware often spreads through social engineering and phishing. Expand staff education programs to recognize risks and avoid taking actions that expose the environment. Simulated phishing campaigns can test effectiveness.
Review Third Party Security
Scrutinize security measures of critical suppliers and partners, especially those with remote access to your network and systems. Ensure their access is appropriate and safeguarded.
Establish Data Classification
Implement a data classification scheme that labels information based on sensitivity to business impact. This enables protective controls to be concentrated on the most critical data.
Review Security Policies
Examine and update information security policies and procedures where needed. Look to address gaps that contributed to the breach. Get sign off from leadership on policy updates and ensure wide staff awareness.
Determine Ransom Payment
Deciding whether or not to pay a ransom demand is complex. Here are some considerations when making this decision:
Calculate Total Business Impact
Estimate the full financial damage caused by business outage, lost revenue, recovery efforts, reputational harm, fines, legal liability, and other downstream impacts. This provides context on ransom amount.
Assess Decryption Capabilities
If it’s a known ransomware variant with free decryption tools available, paying the ransom is less worthwhile. But if data restoration is not feasible otherwise, the business impact may necessitate payment.
Evaluate Likelihood of Decryption
There is no guarantee criminals will provide working keys after the ransom is paid. Assess the trustworthiness of the attackers based on intelligence and past incidents.
Consult Legal Counsel
Discuss the legal implications of ransom payment, including anti-money laundering laws, terrorism financing risks, and reporting requirements. Understand if payment legally exposes the organization further.
Consider Reputational Risks
Public perception may be negatively impacted if customers learn your organization directly funded cybercriminals. This reputational damage may have additional business impacts.
Involve Law Enforcement
Notify law enforcement and discuss the merits of paying or not paying based on the specific threat actors involved. They may advise restricting payments to avoid emboldening further crimes.
Evaluate Insurance Coverage
If cyber insurance policies cover ransom payments, the decision becomes easier. But most carriers are restricting this coverage, so review your current policy details closely.
Establish Payment Decision Chain
Designate senior executives responsible for making the final call on paying ransoms based on the considerations above. Ensure the process is transparent and collaborative.
Improve Incident Response Processes
Each breach provides learnings to enhance incident response plans. Formalize improvements to limit future impact and strengthen resilience.
Update Incident Response Plans
Document lessons learned from the ransomware response and incorporate procedural, policy, and technology changes into the incident response plan.
Expand Communication Plans
Analyze how internal and external communications were handled during the incident and identify improvements to ensure timely and transparent messaging in the future.
Increase Response Training
Conduct tabletop exercises for ransomware scenarios to practice and refine response plan execution. Provide focused training for key incident response team members.
Review Third Party Dependencies
Assess reliance on external providers for critical IT and business services and address the associated risks. Ensure third parties maintain a robust security posture and incident response capabilities as well.
Build Threat Hunting Capabilities
Implement threat hunting processes to identify early indicators of compromise. This provides faster discovery of advanced attacks like ransomware.
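A hunting query of the kind described here, written as an added example rather than anything from the original article, and also usable for scoping which hosts are affected during the initial impact assessment: it assumes a hypothetical file-event log format and raises an alert when one process on one host renames an unusually large number of files to a different extension within a short window, while ignoring the save-to-temp-then-rename pattern of ordinary editors.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Added example. Assumed (hypothetical) file-event log format, one event per line, paths without spaces:
#   <ISO-8601 UTC> host=<name> pid=<n> proc=<image> op=<rename|write|...> src=<path> dst=<path>
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
                     r"op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def hunt_mass_rename(lines, window=timedelta(seconds=60), threshold=20):
    """Alert when one process on one host renames >= `threshold` files to a different extension
    inside `window`. Returns [(host, proc, count, first_timestamp)], one entry per offender."""
    recent = defaultdict(deque)          # (host, proc) -> timestamps of extension-changing renames
    alerts = {}
    for line in lines:
        ev = parse(line)
        if not ev or ev["op"] != "rename":
            continue
        if PureWindowsPath(ev["src"]).suffix.lower() == PureWindowsPath(ev["dst"]).suffix.lower():
            continue                     # extension kept: editor temp-file renames look like this
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (ev["host"], ev["proc"], len(q), q[0])
    return list(alerts.values())

def sample_log():
    """Constructed sample: normal editor activity on ws-07, then an unknown process on ws-12
    changing the extension of 30 documents within 30 seconds."""
    t0 = datetime(2024, 3, 4, 10, 15, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat() + "Z"
    lines = [f"{stamp(1)} host=ws-07 pid=910 proc=winword.exe op=rename "
             f"src=C:\\Users\\bob\\Docs\\~tmp1.docx dst=C:\\Users\\bob\\Docs\\plan.docx",
             f"{stamp(3)} host=ws-12 pid=4412 proc=unknown.exe op=write src=- dst=C:\\Users\\alice\\x.dat"]
    for i in range(30):
        lines.append(f"{stamp(10 + i)} host=ws-12 pid=4412 proc=unknown.exe op=rename "
                     f"src=C:\\Users\\alice\\Docs\\report{i}.docx dst=C:\\Users\\alice\\Docs\\report{i}.docx.enc")
    return lines
```

Tune `window` and `threshold` against a baseline of your own file-event telemetry so that backup agents and archivers do not trigger it.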
Enhance Recovery Automation
Automate data backups, system rebuilds, configuration restoration, and other recovery processes to improve resilience if ransomware evades defenses.
Shorten Insurance Renewal Cycle
Rather than renewing annually, move to more frequent cyber insurance renewal cycles (e.g. quarterly). This allows coverage adjustments based on evolving risk exposure.
Conclusion
Recovering from a ransomware attack has many phases, from initial triage to strengthening defenses against future recurrence. Having a comprehensive checklist covering technical, business, and legal considerations is invaluable for effectively responding and managing the consequences. With the right preparation and mitigation in place, organizations can limit the damage and avoid rewarding attacker extortion.