The COVID-19 pandemic has triggered a shift in working practices that hackers are using to their advantage.
In particular, ransomware attacks have increased 72%, so it’s just a matter of time before we experience one. It is therefore imperative to be prepared for a potential cyberattack.
Losing control of your business is devastating, and it can damage the reputation or even the future of your business. A timely, well-developed response can make the difference between a business that survives and one that does not.
Inspired by the “Incident Handler’s Handbook” by Patrick Kral, published by the SANS Institute*, here are the important steps of a complete ransomware incident procedure.
*Note: SANS Institute is the most trusted and by far the largest source for cybersecurity training in the world.
Preparation is the most crucial phase of all, as it determines how well your team will respond in the event of a crisis. Therefore, everyone in the business should know which procedures to follow in order to contain and eradicate an incident as quickly as possible. To assess your preparation, ask yourself the following questions:
How are staff trained and prepared? What tools and resources are they armed with to respond to a ransomware incident? Do you provide any Security Awareness training for the personnel? Have you renewed your Cyber-Breach Insurance policy? Have you run a cyber risk/vulnerability assessment?
Does my preparedness procedure cover the different methods of infection?
The identification phase deals with detecting and confirming a ransomware attack attempt in the organization.
How do you recognize and detect a ransomware incident? How do you determine the ransomware strain, attack vector, attack group and real motivation by gathering data and performing an initial analysis?
This phase gathers information from various sources, such as log files, error messages and other resources, which may provide the evidence that confirms a ransomware incident has occurred.
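As an added illustration of the kind of evidence log files can provide (this is example code written for this article, not part of the SANS handbook or any vendor product), the following script scans file-server audit lines for two classic ransomware signals: a burst of renames by one account that changes file extensions, and the appearance of a ransom-note-like file. The log format, the user and host names, the `.locked` extension, the note-name pattern and the thresholds are all constructed for the example; a real deployment would map them to its own audit source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample audit lines (not taken from any real system): a normal
# edit by one user, a benign rename by another, then a burst of renames to a
# new extension followed by a note file being written.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z user=alice host=fs01 op=WRITE path=/share/finance/q1.xlsx
2024-03-02T10:15:40Z user=bob host=fs01 op=RENAME path=/share/hr/draft.docx new=/share/hr/final.docx
2024-03-02T10:16:02Z user=bob host=fs01 op=RENAME path=/share/hr/a.docx new=/share/hr/a.docx.locked
2024-03-02T10:16:03Z user=bob host=fs01 op=RENAME path=/share/hr/b.docx new=/share/hr/b.docx.locked
2024-03-02T10:16:03Z user=bob host=fs01 op=RENAME path=/share/hr/c.pdf new=/share/hr/c.pdf.locked
2024-03-02T10:16:04Z user=bob host=fs01 op=RENAME path=/share/hr/d.pdf new=/share/hr/d.pdf.locked
2024-03-02T10:16:05Z user=bob host=fs01 op=RENAME path=/share/hr/e.xlsx new=/share/hr/e.xlsx.locked
2024-03-02T10:16:06Z user=bob host=fs01 op=WRITE path=/share/hr/README_RESTORE.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
RENAME_THRESHOLD = 5   # extension-changing renames by one user ...
WINDOW_SECONDS = 60    # ... within this window raise an alert (constructed values)
# Constructed pattern for ransom-note-like file names; tune to your environment.
NOTE_RE = re.compile(r"(restore|decrypt|readme).*\.(txt|html)$", re.IGNORECASE)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def extension(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text):
    """Return a list of alert dicts found in the given audit log text."""
    alerts = []
    windows = defaultdict(deque)  # user -> timestamps of extension-changing renames
    already_alerted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        filename = rec["path"].rsplit("/", 1)[-1]
        if rec["op"] == "RENAME" and rec["new"] and extension(rec["new"]) != extension(rec["path"]):
            q = windows[rec["user"]]
            q.append(rec["ts"])
            # Drop events that fell out of the sliding window.
            while q and (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and rec["user"] not in already_alerted:
                already_alerted.add(rec["user"])
                alerts.append({"type": "mass_rename", "user": rec["user"], "host": rec["host"],
                               "count": len(q), "new_ext": extension(rec["new"]),
                               "at": rec["ts"].isoformat()})
        elif rec["op"] == "WRITE" and NOTE_RE.search(filename):
            alerts.append({"type": "ransom_note", "user": rec["user"], "host": rec["host"],
                           "path": rec["path"], "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises one `mass_rename` alert for `bob` (five extension-changing renames in four seconds; the benign `draft.docx` to `final.docx` rename does not count because the extension is unchanged) and one `ransom_note` alert for `README_RESTORE.txt`. The user and host in each alert are exactly the data the containment phase needs to decide which account to disable and which machine to isolate.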
With ransomware, it’s imperative that infected systems are quickly contained to limit the spread.
How will you contain the incident from spreading to network shares and other connected devices?
Actions to consider:
Ransomware might not be the only malware on the system, just the noisiest – consider that the detected attack may be a pivot or diversion.
How will you perform a forensic analysis of the data to determine the cause of the incident, remove the ransomware from infected devices, patch vulnerabilities and update protection?
It is extremely important to look thoroughly for any other hidden, infected content. The IT department in charge should carry out this forensic analysis, remove the ransomware from every infected device, patch the vulnerabilities that were used and update protection.
After your devices are cleaned of the ransomware, they should be reintroduced into production carefully, to prevent a relapse.
How will you return to normal operations?
Reimaging or restoring from backup may not work if the ransomware lay dormant during the last image or backup cycle, or if part of the attack was to find and destroy the backups. With ransomware you should consider:
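The point that backups may themselves have been destroyed or altered is worth turning into a concrete pre-restore check. The following is an added example, written for this article and not taken from the SANS handbook or any backup product: it records a SHA-256 hash per file when the backup is taken, protects that listing with an HMAC whose key is kept off the backup host, and refuses a restore when the manifest fails its MAC, when files are missing or modified, or when files that were never backed up have appeared in the set. The file names, contents, key and the `HOW_TO_RECOVER.txt` note are all constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice this key lives with the incident response
# team or in an offline store, never on the backup server the attacker can reach.
OFFLINE_KEY = b"constructed-demo-key-kept-off-the-backup-host"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every file at backup time and MAC the whole listing with the offline key."""
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(OFFLINE_KEY, body, "sha256").hexdigest()}


def verify_backup(manifest: dict, files: dict) -> dict:
    """Compare a backup set against its manifest and decide whether restoring is safe."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(OFFLINE_KEY, body, "sha256").hexdigest()
    report = {
        "manifest_ok": hmac.compare_digest(expected_mac, manifest["mac"]),
        "modified": [],
        "missing": [],
        "unexpected": sorted(p for p in files if p not in manifest["entries"]),
    }
    for path, digest in manifest["entries"].items():
        if path not in files:
            report["missing"].append(path)          # destroyed or deleted backup file
        elif sha256_hex(files[path]) != digest:
            report["modified"].append(path)         # overwritten, e.g. encrypted in place
    report["safe_to_restore"] = report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


# Constructed sample backup set and the manifest taken with it.
GOOD_FILES = {
    "docs/plan.docx": b"Q1 plan, version 3",
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');",
}
MANIFEST = build_manifest(GOOD_FILES)

# The same backup set after a constructed attack: one file overwritten with
# ciphertext-like bytes, one file deleted, and a note dropped into the set.
TAMPERED_FILES = {
    "docs/plan.docx": b"\x8f\x1c\xa2\x07\x55\xe9\x3b\x10",
    "HOW_TO_RECOVER.txt": b"constructed ransom note text",
}


def forged_manifest() -> dict:
    """A manifest rewritten to match the tampered files but carrying the old MAC,
    which is all an attacker without the offline key can produce."""
    entries = {path: sha256_hex(data) for path, data in sorted(TAMPERED_FILES.items())}
    return {"entries": entries, "mac": MANIFEST["mac"]}


if __name__ == "__main__":
    print("clean backup:   ", verify_backup(MANIFEST, GOOD_FILES))
    print("tampered backup:", verify_backup(MANIFEST, TAMPERED_FILES))
    print("forged manifest:", verify_backup(forged_manifest(), TAMPERED_FILES))
```

The clean set passes; the tampered set reports `docs/plan.docx` as modified, `db/customers.sql` as missing and `HOW_TO_RECOVER.txt` as unexpected; and a manifest the attacker rewrote to match the tampered files fails the MAC because the key was never on the backup host. Note what this check does not do: if the ransomware was already dormant on a machine when the backup was taken, its files are in the manifest and will verify as expected, which is exactly why the text above says restoring from the last backup cycle may not be enough.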
The most critical phase after all of the others is Lessons Learned.
Every incident requires complete documentation of what occurred, along with any additional information that may help prevent or resolve future incidents.
What have you learned that will help you prevent an incident like this from happening again?
If you follow these steps, your business will have a well-rounded plan to protect itself from ransomware threats. Keep in mind that prevention is highly valued in desperate times, and you wouldn’t want your business to pay the price.
This article is intended to provide some useful information about the complexity of a ransomware incident and the areas to handle in managing the actual risk environment. Please be aware that these issues are not exhaustive and require the advice of an expert cybersecurity team.