Ransomware is no longer just an endpoint being encrypted by malware. Servers, applications and even data stored in cloud services can be encrypted and held for ransom. While the specific recommendations vary depending on the systems involved in an incident, being prepared with a comprehensive plan can help reduce the effects of any attack.
Enterprise ransomware incident response plans should include the following steps:
- Validate the attack. Confirm that the event is really ransomware. Many reported incidents turn out to be phishing, adware or other malware rather than ransomware. If files are in fact encrypted or locked, treat the event as ransomware and proceed to the next steps.
- Gather the incident response team. Make sure IT staff, management, PR and legal teams are aware of the issue and ready to tackle their roles in the response efforts.
- Analyze the incident. Examine the scope of the incident. Note which applications, networks and systems were affected, and determine how actively the malware is spreading.
- Contain the incident. First, disconnect the infected system from the network so the attack cannot spread to other computers and devices; isolating the host (pulling the cable, disabling the network port or VM interface) is preferable to powering it off, because evidence in memory is lost at shutdown. Then, ensure backups are secured, offline from the affected systems and free of malware. Every incident generates evidence that can disappear quickly: memory contents, running processes and network connections, and log files that may be overwritten or deleted by the attacker. Capture this evidence as soon as possible, and check it regularly, as it may change while the attack is ongoing. When ransomware is involved, such evidence may include a recoverable encryption key, provided the investigation begins before the malware deletes the key or the process holding it exits. In some cases, if the incident is detected quickly enough, the encryption can be stopped before it completes.
- Perform a thorough investigation. Try to identify which ransomware strain was used, the risks it poses (for example, whether it also steals data) and the recovery options. Some strains have flawed encryption implementations or leaked keys, for which a security vendor or researcher has published a free decryptor. The No More Ransom initiative, a partnership between law enforcement and IT security companies, aims to help ransomware victims recover files where possible.
- Eradicate malware, and recover from the incident. This involves wiping infected systems and restoring lost data from backups that were taken before the compromise and verified clean. Change all account, network and system passwords after removing a device or system from the network, and change them again once the malware has been removed completely from the network, since credentials captured during the intrusion may otherwise be reused to return.
- Contact law enforcement. Government agencies urge organizations to report ransomware incidents to law enforcement. Enterprise responders may also want to involve law enforcement agencies in the case of a high-impact incident or data breach. Law enforcement experts may be able to offer guidance on ransom demands based on previous experience with the strain of ransomware or the criminal organization involved in the attack. In the U.S., organizations can contact the Multi-State Information Sharing and Analysis Center, the FBI or the Internet Crime Complaint Center. Private companies can also be hired to help enterprises infected with ransomware, including assisting with the negotiation process if needed.
- Perform post-incident activities. Adhere to regulatory and breach notification requirements, if applicable. Organizations should also verify the restored backups to ensure all applications, data and systems are accounted for and working.
- Perform analysis and learn from the attack. During this step, organizations should determine why the attack succeeded and take action to ensure the same weakness is not exploited in the future. For example, if the ransomware was the result of an employee clicking a malicious link, the company should perform additional security awareness training. Also, revise security policies if necessary. Security teams should also analyze how the ransomware incident response plan performed. If certain steps did not go as planned, review the plan, and update it where needed.
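The analysis, containment and investigation steps above all start with the same question: which files were encrypted, when, and what clue to the strain did the malware leave behind? The following script is an added example, not code from the article or its authors. It walks a file tree, flags likely-encrypted files by the entropy of their first bytes (encrypted data looks random, so already-compressed formats are skipped to limit false positives; the 7.5 bits/byte threshold and the skip list are assumptions), tallies the extension the malware appended, records size, UTC modification time and a SHA-256 hash for each flagged file so the evidence can be shown to be unaltered later, and lists file names dropped into many directories as ransom-note candidates. The sample tree it builds, including the ".crypted" extension and the note name, is constructed for the demo and does not refer to any real strain.

```python
"""Added triage helper (not from the original article): scope a ransomware
incident from a file tree and produce an evidence record for the incident log.
Heuristics (assumptions, not a vendor method): encrypted files have entropy
near 8 bits/byte; ransom notes are small files with the same name in many dirs."""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Benign files of these types look random too; never flag them on entropy alone.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash the whole file so the evidence record can later prove it was not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root: str, entropy_threshold: float = 7.5, sample_bytes: int = 4096,
           min_note_dirs: int = 3) -> dict:
    """Walk root and return: likely-encrypted files with hash, size and UTC mtime;
    a tally of their extensions (the appended extension is often the fastest clue
    to the strain); the mtime window of the encryption, which tells you which
    backup generation predates it; and ransom-note candidates."""
    encrypted, ext_tally, dirs_by_name = [], Counter(), defaultdict(set)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
            except OSError:  # vanished or unreadable while the attack runs: skip, don't abort
                continue
            dirs_by_name[name].add(dirpath)
            ext = os.path.splitext(name)[1].lower()
            if st.st_size == 0 or ext in ALREADY_COMPRESSED:
                continue
            ent = shannon_entropy(head)
            if ent >= entropy_threshold:
                ext_tally[ext] += 1
                encrypted.append({
                    "path": path,
                    "size": st.st_size,
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "entropy": round(ent, 3),
                    "sha256": sha256_file(path),
                })
    mtimes = sorted(e["mtime_utc"] for e in encrypted)
    return {
        "root": root,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "likely_encrypted_count": len(encrypted),
        "extensions": dict(ext_tally),
        "encryption_window": (mtimes[0], mtimes[-1]) if mtimes else None,
        "candidate_ransom_notes": sorted(n for n, d in dirs_by_name.items()
                                         if len(d) >= min_note_dirs),
        "files": encrypted,
    }


def build_sample_tree(root: str, encrypted_files: int = 5) -> None:
    """Constructed demo data: random-byte files with a made-up '.crypted' extension,
    a made-up note name dropped into three directories, one plain text file and one
    random-content .zip that must NOT be flagged (it is compressed, not encrypted)."""
    note = b"Your files have been encrypted. Contact us for the key. (constructed sample note)\n"
    for i in range(encrypted_files):
        sub = os.path.join(root, f"share{i % 3}")
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, f"report{i}.docx.crypted"), "wb") as f:
            f.write(os.urandom(8192))
        with open(os.path.join(sub, "README_TO_RESTORE.txt"), "wb") as f:
            f.write(note)
    with open(os.path.join(root, "share0", "minutes.txt"), "wb") as f:
        f.write(b"Meeting minutes: plain text, low entropy, untouched.\n" * 20)
    with open(os.path.join(root, "share1", "archive.zip"), "wb") as f:
        f.write(os.urandom(8192))


def demo() -> dict:
    """Build the constructed sample tree in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a copy of an affected share, or against the share itself after the host has been isolated; write the returned record to a system that the attacker cannot reach. The extension tally and a ransom-note candidate are exactly the two inputs that strain-identification services such as No More Ransom's tooling ask for, and the encryption window tells the recovery team which backup generation must predate the attack. Entropy alone will still misclassify some files, so treat the list as a starting point for the investigation rather than a verdict.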
By: Sharon Shea, Senior Site Editor; Nick Lewis