Ransomware Response Checklist
Or: Ransomware! What Do I Do Now?!?
If you’re reading this and your systems have been infected by ransomware then you (or someone in your company) will need to take some immediate actions. Keep calm. It may help to remember that yours is not the first company to suffer a ransomware attack and other companies have successfully weathered this storm. However, whether you’ve already prepared for ransomware through isolated back-ups and a disaster recovery plan, or this is the first time you’ve googled “ransomware response”, you are in for some long days ahead. Ensuring that the following post-infection measures are quickly taken will be crucial to your recovery effort.
Isolate Infected Systems: Your immediate concern should be limiting further damage. Identify and then isolate infected machines. Do not restart infected machines until the strain of ransomware is known.
Conduct Notifications: A ransomware attack can impact a surprising number of areas within your company:
IT Leadership: Typically, IT leadership coordinates ransomware response. If your company doesn’t have a CIO or other IT leadership role, and you’re reading this, you’re likely on the hook.
The C-suite: The company owners or board will ultimately be responsible for weighing the risks and deciding on a course of action.
Legal: Contractual obligations surrounding breaches will need to be examined. Legal will be your point of contact for your Cyber Insurance underwriter, and any engagement with Law Enforcement.
Communications or Marketing: Your group comms team should be adequately informed in order to prepare or publish a coordinated message.
Law Enforcement: You may be obligated to notify Law Enforcement of your breach. Law Enforcement can be an incredibly valuable resource to your company’s response effort, but there may be reasons your company would elect to not engage them.
It is highly recommended to engage a knowledgeable Cybersecurity third party. If you don’t already have this relationship, start one now: call principia/RAID and we will walk you through your next steps.
Gather Information: Your IT team should confirm the infection vector and identify the strain of ransomware impacting your systems.
Recovery Plan: Develop a recovery plan to restore your company’s lost functionality and fix the holes used to compromise your systems. It needs to address:
Recovery and Reconstitution of any backed-up data.
Remediation Methods for the vulnerabilities that allowed your systems to be compromised.
Your recovery plan should be designed to bring your business back to its pre-compromise state.
Evaluate the need to pay the ransom: To be clear, the prevailing guidance is to not pay a ransom. If you don’t have back-ups of the compromised data, the extent and value of the data loss will be deciding factors in the decision to pay or not.
Assess your Cybersecurity: Your work isn’t done even after your recovery plan has patched the vulnerability that allowed the compromise, and your company is back to business as normal. You should take a long, hard look at the events that led to the compromise and adjust your security accordingly.
If tuning your IT security isn’t something you feel comfortable with, call principia/RAID and let’s talk about a Cybersecurity road map for your company.
For a more in-depth look at this checklist, check out Isaac's Blog Here.