Ransomware attacks have surged, with a reported increase of 62% in 2023 alone. It’s not a matter of if, but when a ransomware attack might strike your business. Being prepared with a well-developed response can make the difference between recovery and devastation. Here’s a comprehensive guide to responding to a ransomware cyberattack, inspired by “The Incident Handler’s Handbook” by Patrick Kral published by the SANS Institute.
Prevention Phase
The prevention phase is crucial as it determines how well your team will respond in the event of a crisis. Everyone in the business should know the procedures to follow to stop incidents quickly. Consider the following questions to address your preparation:
- What tools and resources does staff have to respond to a ransomware incident?
- Do you provide Security Awareness training for personnel?
- Have you renewed your Cyber Insurance policy?
- Have you run a Cyber risk/vulnerability Assessment?
Methods of Infection to Cover:
- Phishing
- Compromised Websites
- Malvertising
- Exploit Kits
- Downloads
- Messaging Applications
- Brute Force Attacks
Identification Phase
This phase deals with detecting and determining a ransomware attack attempt within the organization. Key questions include:
- How do you recognize and detect a ransomware incident?
- How do you identify the strain of ransomware, attack vector, attack group, and real motivation through data gathering and initial analysis?
Gather information from various sources such as log files, error messages, and other resources to confirm a ransomware incident.
With ransomware, it’s imperative that infected systems are quickly contained to limit the spread. Consider the following actions:
- Shutting the network down
- Turning off system ports at the switch
- Utilizing network access control to isolate the system
- Implementing the quarantine feature of your EDR Solution
Eradication Phase
Ransomware might not be the only malware on the system. It’s essential to consider that the detected attack may be a pivot or diversion. Key steps include:
- Performing a forensic analysis of data to determine the cause of the incident
- Removing the ransomware from infected devices
- Patching vulnerabilities and updating protection
The IT department should thoroughly check for any other hidden, infected content and provide a forensic analysis.
Recovery Phase
After your devices are cleaned from the ransomware, they should be reintroduced into production carefully to prevent a relapse. Key considerations:
- Restoring from backup
- Identifying and encrypting communication
- Quickly and easily rebuilding affected devices and servers
- Deciding whether to pay the ransom
Post-Incident Phase
The most critical phase after dealing with an incident is learning from it. Key steps include:
- Documenting the incident and any additional information that may help prevent or resolve future incidents
- Detailing improvements to the Incident Response Plan, additional security controls, preventative measures, or new security initiatives
- Monitoring to prevent relapses and collecting indicators of compromise for use in monitoring technology
- Understanding and quantifying the financial impact on the organization, including labor time, downtime, regulatory fines, and possibly ransoms paid
Following these steps ensures your business has a well-rounded plan to protect itself from ransomware threats. Prevention is highly valued during desperate times, and it’s crucial to be prepared rather than pay the price.