Infiltrate, Extort, Repeat – The Ransomware Pandemic. Part 2: React, Respond and Remediate

React, Respond and Remediate

Each ransomware attack will present a unique set of circumstances, but as part of your incident response process you should ensure you:

1. Triage – conduct an initial triage of the incident as quickly as possible so you can establish the facts and better understand the scope and impact of the attacks and assess its severity.
2. Instigate incident management procedures – involve key stakeholders such as representatives from the information security, IT and legal teams as well as communications and customer service representatives where relevant. It is important to keep detailed incident logs to record decisions and to use out-of-band modes of communication such as telephone calls to avoid tipping off the attackers or any other malicious surveillance.
3. Implement initial remediation steps as soon as possible to try to stop the attack or at least prevent further spread of the malware across multiple systems and servers. Implement disaster recovery and business continuity plans and look to contain the incident and evaluate whether there is a risk of the attackers moving across other servers that are yet to be affected, whether locally or globally. This may involve quickly isolating or disconnecting affected systems and resetting credentials and passwords (including compromised admin credentials). Following the initial response, work will likely need to begin to clean the infected devices and reinstall the operating system (prioritising key systems first). The team must then ensure that both the cleaned devices/ systems and the back-ups are free from any ransomware before restoring data from the back-up and reconnecting systems to a clean network. Of course, if a ransom is paid and data is released, the business may be able to avoid a fullscale rebuild.
4. Brief senior executives of events to ensure they are up to speed and able to take important decisions quickly (including whether to pay a ransom and dealing with any media interest).
5. Deploy third-party advisors to assist with your response. As noted above, these could range from specialists in incident response, dark web monitoring, system rebuild, cyber forensics and PR management as well as external legal counsel who can assist with the regulatory response. These specialists may also be able to help you to contact and negotiate with the attackers.
6. Work with other interested third parties who may have had corporate or other sensitive data compromised or accessed during the attack. Consider liaising with financial service providers to help prevent fraudulent activity if customer information has been accessed.
7. Consider involving law enforcement who may be able to assist with the investigation and help facilitate any ransom payments. You will want to take local legal advice here depending on the jurisdiction involved.
8. Make regulatory and contractual notifications where required, including to data protection authorities or other industry or government regulators. These often need to be made within a very short period of time. The business may also have contractual obligations to notify third parties of the breach.
9. Complete a detailed incident review to analyse how the ransomware attack was able to succeed, how the organisation responded and what lessons could be learned. Set a deadline and ensure accountability for implementation of any identified remediation measures.

Read part 1 of this miniseries where we look at the rise of ransomware and how businesses can fortify their defences and equip their team to deal with an attack.

This article was created for ICLG.com. Look out for Part 3: The Hostage Dilemma – Should You Pay the Ransom?, coming soon, or download the full piece below.