Phase 1: Assess
Step 1: Confirm the extent of the attack
Assess the extent of the ransomware attack by focusing on what has been encrypted and/or potentially exfiltrated. Providing an answer to this question is critical to activating a response plan.
This response plan will also provide useful insights on internal and external questions your leadership, employees and clients might have.
Setting up a response plan is hard if you don’t know the extent of the attack. Try to document what data was on the encrypted machines and look for data that may have been exfiltrated.
Key Notes & Recommendations:
– Rebuilding systems is NOT the first step in your response plan.
Phase 2: Damage Control
Step 2: Isolate affected devices
When ransomware strikes, it’s essential to isolate affected devices as much as possible to prevent any further spread. Assume attackers are already well-embedded in your environment by the time the ransomware attack is performed, so acting fast to contain the impact will be key.
Start by isolating the infected devices and removing them from the network. Plug network cables out, and stop network connections (including WiFi networks).
If your network permits it and is properly segmented, you can also disconnect the infected network segment.
Key Notes & Recommendations:
– Isolate affected devices as much as possible to prevent any further spread.
– Do NOT turn OFF the infected devices, avoid shutting down systems.
– Do NOT start recovery operations as long as the extent of the attack is unknown.
Step 3: Setup a separate communication channel
Sensitive communications on the development and update(s) of the incident should be done on a separate and secured channel.
Assume that mail systems (if still functional) are also breached and that the attacker has access to those, which means that communication should be limited to the strict minimum. Analyse which systems might be used to communicate internally and externally. Set up a secure communication channel with your technical team, and leadership team.
Temporarily using an external conferencing system (Secure communication tool) and creating separated groups is advisable. You might want to set up a group with the technical managers, a group containing communications responsible, and a group towards leadership. Half of the work in dealing with a ransomware incident will be about coordination and communication.
Step 4: Setup a crisis management team
Set up a crisis management team that will agree upon business priorities, communication strategy, and legal questions and help in resolving prioritisation conflicts when restoring business functions will need to be addressed.
Appoint a crisis manager who will act as the liaison with your technical team(s) and the crisis management team.
Phase 3: Attack Mitigation
Step 5: Activate the cyber-incident response team
Check if incident response is part of the insurance contract.
Step 6: Communicate as often as possible
In case communication systems are unavailable please consider temporary solutions like setting up a communication webpage, or SMS-based mass notification systems.
Step 7: Take care of any legal obligations
Take into consideration any contractual obligation(s) your business may be subject to.
Step 8: Assess the integrity of the backup(s)
If the backup system is secure, which means you have an independent and verified copy of your data, avoiding ransomware payment is the recommended and best option. So you should have confirmation that the backups have not been compromised or accessed (immutable backups are a must).
Step 9: Coordinate a response to the attacker
Paying the attacker is highly discouraged, and should only be the last resort.
Step 10: Implement mitigation action(s)
Do not open Internet connectivity for all users, focus first on the users required to restore your IT operations of your crisis management functions.
Patch, reset, and update known vulnerable systems touched by the attack. Perform a full reset of all passwords and implement, if not done so, Multi-Factor Authentication. Focus first on Privileged accounts and services (Admin accounts, Admin services).
Implement security monitoring services (SOC service), and activate an Endpoint Detection solution of the critical systems like the Authentication, Authorization systems, the systems that are Internet-Facing. The point is that you want to have (better) visibility on activities that are happening on your network.
Phase 4: Rebuild the System
Step 11: Start rebuilding the system
Do not restore a system based on backups close to or after the attack.
Act on the previous points first and then, only then, start activities to rebuild your system from backups.
Take care not to re-infect clean systems during recovery. Once the system is restored, be sure to check it so that nothing malicious is left on it before adding it back again into your network. Rebuilt your systems based on a prioritisation of critical services, restore servers first then endpoints. Keep a copy of your encrypted data, as a free decryption tool for your ransomware strain might become available in the future.
Remove or completely isolate legacy systems and protocols.
Phase 5: Enhance the maturity level of the cybersecurity function
Step 12: Review and add additional protection(s)
Take time to analyse and document the attack in detail, and put new controls, processes, procedures and solutions in place to prevent a subsequent attack.