How to Respond to a Ransomware Cyberattack?

The COVID-19 pandemic has triggered a shift in working practices that hackers are using to their advantage. 

In particular, ransomware attacks have increased 72%, so it’s just a matter of time before we experience one. In such a case, it’s imperative to be prepared for a potential cyberattack.

Losing control of your business is devastating, and leads to damaging the reputation or future of your business. A timely, and well-developed response can make the difference on whether your business makes it or not.

Inspired by the “The Incident Handlers Handbook”, by Patrick Kral published by *SANS Institute, here are important steps for a complete Ransomware Incident Procedure. 

Note*. SANS Institute is the most trusted and by far the largest source for cybersecurity training in the world.

1. Prevention Phase:

The incident prevention is the most crucial phase compared to all of the others, as it will determine how well your team will respond in the event of a crises. Therefore, everyone at a business should know which procedures to follow in order to eradicate these incidents as fast as possible. To address your preparation, ask yourself the following questions:

How are staff trained and prepared? What tools and resources are they armed with to respond to a ransomware incident? Do you provide any Security Awareness training for the personnel? Have you renewed you Cyber-Breach Insurance policy? Have you run a Cyber risk/vulnerability Assessment?

Does my preparedness procedure cover the different methods of infection?

1. Phishing
2. Compromised Websites
3. Malvertising
4. Exploit Kits
5. Downloads
6. Messaging Applications
7. Brute Force via RDP

2. Identification:

This phase deals with the detection and determination of a ransomware attack attempt in the organization.

How do you recognize and detect a ransomware incident? How do you go about understanding the strain of ransomware, attack vector, attack group and real motivation, through gathering data and performing initial analysis?

This particular phase gathers information from various sources, such as log files, error messages, and other resources, which may produce evidence to confirm a ransomware incident occurred. 

3. Containment phase:

With ransomware, it’s imperative that infected systems are quickly contained to limit the spread.

How will you contain the incident from spreading to network shares and other connected devices?

Actions to consider:

1. Shutting the network down
2. Turning off the systems port at the switch
3. Utilizing network access control NAC to isolate the system
4. Implementing the quarantine feature of your EDR Solution

4. Eradication phase:

Ransomware might not be the only malware on the system, just the noisiest – consider that the detected attack may be a pivot or diversion. 

How will you perform a forensic analysis of data to determine the cause of the incident, remove the ransomware from infected devices, patch vulnerabilities and update protection? 

It’s extremely important to look thoroughly for any other hidden, infected content. The IT department in charge should provide a forensic analysis to determine the cause of the incident, remove the ransomware from infected devices, patch vulnerabilities and update protection. 

5. Recovery phase:

After your devices are cleaned from the ransomware, they should be introduced back into production carefully, to prevent a relapse.

How will you return to normal operations? 

Reimaging or restoring from backup may not work if the ransomware lay dormant during the last image or backup cycle, or if part of the ransomware attack was to see and destroy back-ups. With ransomware you should consider:

1. How to identify and encrypt using communicates
2. How to quickly and easily rebuild affected devices and servers
3. Whether payment is an option. Can you pay, do you have access to bitcoin, do you need a middleman?

6. Post-Incident phase:

The most critical phase after all of the others is Lessons Learned. 

Any incident should require complete documentation of what occurred, and any additional information that may help prevent or resolve future incidents.

What have you learned that will help you prevent an incident like this from happening again?

1. How will you document the incident? Detail improvements to the Incident Response Plan, additional security controls, preventative measures or new security initiatives?
2. How can you monitor to prevent relapses? What indicators of compromise do you need to collect and how do you use them in any monitoring technology?
3. How can you improve and update organizational threat intelligence feeds?
4. How will you understand and quantify the financial impact on the organization, in terms of labor time, down-time, regulatory fines and possibly ransoms paid?

If you follow these steps,  your business will have a well-rounded plan to protect itself from ransomware threats. Please keep in mind, prevention is highly valued during desperate times, and you wouldn’t want your business to pay the price.