Following on from my short article on protecting yourself from ransomware, this post is a very brief overview of points to consider when formulating a response plan to a ransomware incident.
In a ransomware event, prompt containment is critical, and staying calm and following the steps your business has agreed in advance is essential. Communication should happen in parallel with the response and must be timely, relevant, and directed to the appropriate stakeholders. Different personnel and teams will be actioning these steps, sometimes in parallel. It is important for businesses to have an agreed plan of action in the event of a ransomware incident, and it is also important to stay calm.
In the words of the late Douglas Adams 'Don't Panic'.
[Image: 'Don't Panic', from The Hitchhiker's Guide to the Galaxy - image owner unknown]
Ransomware event actions
Notice in the steps below that communication appears at every stage? This is very important. During a ransomware event there will be many stakeholders impacted (both internal and external), and various personnel and teams involved in responding to the incident. Despite the best intentions to stay calm, there will be panic, and there will be pressure from various areas to fix this, find answers and get things back to normal. It is important that communication is clear, calm and provided to the relevant people in a timely manner.
1. Stay Calm, isolate the compromised assets - communicate
Your goal here is to obtain as many details as possible, quickly, isolate the compromised machine/s, and then create a Sit-Rep (situation report) to communicate to the relevant parties. Try to get a photo of the ransom screen; it may be useful later! Turning the compromised assets off helps prevent infection of other machines and communication to the C2 (the command and control computer that gives the malware instructions). Ensure relevant network personnel are notified and provided with concise instructions.
2. Investigate/ Analyse – communicate
What is the scope of this incident? – All machines? The entire network? One team? One person/ one computer? When was this first noticed? What is the malware and how did it infect the assets? What was the vector?
3. Contain and Eradicate - communicate
Make sure relevant people are informed: do you need to notify your business's media team? Will you be making a police report? Cyber security teams may need to access the compromised assets to analyse further; infrastructure areas may need to locate their backups (hopefully they have them!) and ensure the backup is clean. The network and any compromised assets need to be thoroughly cleansed of the malware, to ensure it isn't sitting there waiting to return. Check for exploitable vulnerabilities and ensure everything is patched. Have passwords been changed? Was any data exfiltrated? Any impacted users need to be kept informed in a timely fashion and given the appropriate level of detail for their needs.
4. Restore - communicate
Once the relevant teams are satisfied that any restore points/offline backups are clean and that the compromised assets are also now clean, restoration needs to be done as quickly as possible to restore services. Communication is again essential with all relevant stakeholders.
5. Lessons learned - communicate
Every cyber security incident, regardless of how well prepared you are, is going to throw a virtual spanner in the works somewhere. Teams can always improve; nobody is perfect. It is important to debrief and apply lessons learned - without laying blame - in a constructive and positive way.
Nobody is safe from cybercrime: ransomware can compromise home computer users as well as the computers of both small and large businesses. Being prepared is key. Also - Don't Panic!