Ransomware Response Checklist
Or, Ransomware! What Do I Do Now?!?
If you’re reading this and your systems have been infected by ransomware then you (or someone in your company) will need to take some immediate actions. Keep calm. It may help to remember that yours is not the first company to suffer a ransomware attack and other companies have successfully weathered this storm. However, whether you’ve already prepared for ransomware through isolated back-ups and a disaster recovery plan, or this is the first time you’ve googled “ransomware response”, you are in for some long days ahead. Ensuring that the following post-infection measures are quickly taken will be crucial to your recovery effort.
Isolate Infected Systems: Your immediate concern should be limiting further damage. Some ransomware can spread laterally through unprotected systems, so it is important to identify and then isolate or disconnect the infected machines. Infected systems should be left as they are, and not rebooted until the particular strain of ransomware is known. Some strains will delete data with each restart in an effort to penalize the victim.
Conduct Notifications: Once your system has been rendered safe from further damage it’s time to notify the appropriate corporate stakeholders. A ransomware attack can impact a surprising number of areas within your company. Although corporate structures will differ, it is in a company’s best interest to ensure that the following roles are kept informed and not caught off guard during a ransomware response effort:
IT Leadership: If this isn’t you, and the CIO, or the IT leadership role isn’t already out of bed, this is the first call you’ll want to make after confirming an attack has occurred. Typically, IT leadership coordinates ransomware response and will ensure the remaining notifications and steps are conducted. If your company doesn’t have a CIO or other IT leadership role, and you’re reading this, you’re likely on the hook.
The C-suite: The company owners or board will ultimately be responsible for weighing the risks and deciding on a course of action. Even if you don’t have all the information about the attack yet, letting them know sooner is generally better than later.
Legal: Legal is a critical and often overlooked stakeholder in ransomware response. Contractual obligations surrounding breaches will need to be examined, and customers may need to be notified. This is particularly true of Government contracts. Legal will be your point of contact for your Cyber Insurance underwriter, if you have one. Legal should also be part of any engagement with Law Enforcement, discussed below. If you don’t have a legal department, it may be beneficial to seek legal guidance prior to engaging Cybersecurity expertise. Call principia/RAID and we can walk you through your next steps. In addition to our Cybersecurity experts, we have attorneys on staff with significant Cybersecurity and incident response experience and can advise you on the way forward.
Communications or Marketing: It’s possible that your company will begin to receive inquiries about the attack, or your company may even want to proactively issue a statement. Your group comms team should be adequately informed to prepare a response or publish a coordinated message.
Law Enforcement: The decision whether to voluntarily notify Law Enforcement is a business decision and should be the subject to a risk analysis by the relevant stakeholders in your company. Given the likelihood of contractual disclosure requirements or insurance policy requirements, you may be obligated to notify Law Enforcement anyway. Law Enforcement can be an incredibly valuable resource to your company’s response effort, but there may be reasons your company would elect to not engage them, such as concerns about undue publicity or damage to your corporate reputation. If you need to notify Law Enforcement, its as easy as calling the nearest FBI field office and asking to speak with the Cyber Squad Supervisory Special Agent. As noted above, this should preferably be done in conjunction with your legal team.
As you review this list you may find that your company does not have all of these specific functions or roles. In those cases, the responsibility again falls to you as incident responder to delegate the notification or conduct it yourself. It is highly recommended to engage a knowledgeable Cybersecurity third party. In some cases, it may be beneficial to make this engagement through an attorney. If you don’t already have either of these relationships, start one now: call principia/RAID and we will walk you through your next steps. Whether you need expert technical advice or Legal Guidance, principia/RAID has the necessary experience and strategic industry partnerships to answer all of your questions.
Gather Information: Ransomware’s attack vector is typically email, but your IT team should confirm this and identify the strain of ransomware impacting your systems. This will allow you to determine whether remediation and data recovery techniques are already publicly available. This activity should also include determining the extent of the exposure or loss of your corporate data. The criticality of the compromised data and breadth of the compromise will take center stage in almost every one of the many phone calls and meetings you’re going to have in the near future. If you don’t have this basic information, you will not be able to develop an effective recovery plan, discussed below.
Recovery Plan: You will need develop a recovery plan to restore your company’s lost functionality and fix the holes used to compromise your systems. Use the information gathered above to create a plan that should include a timeline and the necessary dedicated resources. Whether the plan is formally written or simply conceptual, it should be communicated to the stakeholders and it needs to address:
Recovery and Reconstitution of any backed-up data. If useable backups of your compromised data exist, the plan should address recovery of this data and quantify the time, if any, during which useable data was lost. If the corporate decision has been made to pay the ransom, plans should be made to safely reconstitute any information. Any keys, or tools provided by the bad actors should be handled with appropriate caution.
Remediation Methods for the vulnerabilities that allowed your systems to be compromised. Your recovery plan should be designed to bring your business back to its pre-compromise state. This includes cleansing your system of the ransomware and patching any related security holes.
If you don’t have back-ups of the compromised data, the extent and value of the data loss will dictate whether you’ll need further interaction with the bad actors who compromised your system. Your recovery plan should be designed to bring your business back to its pre-compromise state.
Evaluate the need to pay the ransom: Although this is arguably part of a recovery plan discussion, it is important enough to warrant its own section in this checklist. To be clear, the prevailing guidance is to not pay a ransom. That’s not such an easy position to take if you don’t have back-ups of your now inaccessible corporate data. If you don’t have back-ups of the compromised data, the extent and value of the data loss will be a major factor in the decision to pay or not.
Here’s what you should also know about paying ransom: You’re dealing with criminals and there is a risk that, even after paying a ransom, your data will not be returned or decrypted. Even if your data is returned, ransomware groups have begun sharing the data with competitors or foreign states so your data could already be exposed and your IP lost. This risk is, to a certain degree, determined by the group that has compromised your systems. Ransomware actors can be identified by their tools and techniques used to compromise your system. And some groups are historically more “trustworthy” than others. This is why identifying the strain and vector of infection is so important. Some ransomware infections already have decryption tools readily available, which could eliminate the need to pay the ransom. Again, it is highly recommended to engage a knowledgeable Cybersecurity third party. If you don’t already have that relationship, start one now: call principia/RAID and we will walk you through your next steps.
Assess your Cybersecurity: Your work isn’t done even after your recovery plan has patched the vulnerability that allowed the compromise, and your company is back to business as normal. The fact that your systems were compromised in the first place is an objective indicator that your Cybersecurity needs improvement.
Whether you need to automate patching, limit local administrative rights or move closer to a zero trust operating model, you should take a long hard look at the events that led to the compromise. If tuning your IT security isn’t something you feel comfortable with, call principia/RAID and let’s talk about a Cybersecurity road map for your company.