Ransomware Attack! Now what?
You got hit with a ransomware attack. Now what?
It’s not the end of the world and happens to a lot of organizations in all industries. Don’t panic. Our Incident Response team has outlined below what you need to do.
Isolate the Environment
The first step is to isolate infected systems immediately. Isolating means disconnecting them from the network, not powering them off: shutting a machine down destroys volatile forensic artifacts (such as memory contents) that the investigation will need. Cutting infected devices off from the network limits the spread of the ransomware to adjacent assets.
A few immediate things you can do while isolating the environment:
- Disconnect the internet
- Disable remote access
- Change passwords
Throughout the investigation, continue to isolate any additional accounts/endpoints discovered to be involved or compromised along the way.
Notify your Cyber Security Partners
Notify your cyber insurance carrier, incident response partner, and other IT partners (e.g., your MSP). Reporting quickly to the appropriate parties helps your claim be handled smoothly, whenever it is reported. Once you have reported the claim, you will be given immediate assistance and a plan of action for responding to the incident. If you have cyber insurance, your provider may offer in-house expertise and services to walk you through the proper response steps. Keep communication constant and promote collaborative investigation and response efforts.
Establish a Timeline of Key Events
Begin analyzing the execution of the ransomware to determine characteristics that can be used to contain the outbreak, and record them as indicators of compromise (IoCs). Keep a running list of IoCs on hand to search for the initial point of entry. That list should include the first appearance of the ransomware binary and the first user impacted by it.
While establishing the key events, preserve a copy of the malware file(s) in a password-protected zip file; this will help further the investigation.
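The timeline and IoC work described above can be scripted against collected endpoint telemetry. The following is an added example (not BreachQuest's tooling): it sorts constructed process-creation events into a timeline, finds the first host and user on which the sample ran, walks parent processes back toward the initial entry point, and collects the paths, hosts, users and launching parents as IoCs. The hostnames, users, paths and the `MALWARE_SHA256` placeholder are all constructed for the example.

```python
"""Build an incident timeline from endpoint telemetry and derive first-seen
IoCs. Added example, not BreachQuest's tooling. The events, hostnames, users
and hashes below are constructed; in a real case the hash comes from the
preserved sample."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed process-creation events (Sysmon/EDR style), deliberately out of
# order, as logs collected from several hosts usually are.
SAMPLE_EVENTS = [
    {"ts": "2023-05-02T08:15:10Z", "host": "FS-01", "user": "svc_backup",
     "image": r"C:\Windows\Temp\svc_update.exe", "sha256": "bbbb2222",
     "parent": "PSEXESVC.exe"},
    {"ts": "2023-05-02T08:12:03Z", "host": "WS-117", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\invoice.exe", "sha256": "aaaa1111",
     "parent": "OUTLOOK.EXE"},
    {"ts": "2023-05-02T08:20:55Z", "host": "WS-204", "user": "asmith",
     "image": r"C:\Windows\Temp\svc_update.exe", "sha256": "bbbb2222",
     "parent": "PSEXESVC.exe"},
    {"ts": "2023-05-02T07:58:00Z", "host": "WS-117", "user": "jdoe",
     "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "sha256": "cccc3333", "parent": "explorer.exe"},
    {"ts": "2023-05-02T08:12:41Z", "host": "WS-117", "user": "jdoe",
     "image": r"C:\Windows\Temp\svc_update.exe", "sha256": "bbbb2222",
     "parent": "invoice.exe"},
]

MALWARE_SHA256 = "bbbb2222"  # constructed placeholder for the sample's hash


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_timeline(events: list[dict]) -> list[dict]:
    """Chronological ordering is the backbone of the key-events timeline."""
    return sorted(events, key=lambda e: parse_ts(e["ts"]))


def first_appearance(timeline: list[dict], sha256: str) -> dict | None:
    """Earliest execution of the sample: the first host and user impacted."""
    return next((e for e in timeline if e["sha256"] == sha256), None)


def trace_origin(timeline: list[dict], event: dict) -> list[str]:
    """Walk parent processes back on the same host toward the entry point.
    Stops when the parent has no recorded creation event (e.g. explorer.exe)
    or after 32 hops, so a self-spawning process cannot loop forever."""
    chain = [event["image"]]
    current, parent = event, event["parent"]
    while parent and len(chain) < 32:
        candidates = [e for e in timeline
                      if e is not current
                      and e["host"] == current["host"]
                      and basename(e["image"]) == basename(parent)
                      and parse_ts(e["ts"]) <= parse_ts(current["ts"])]
        if not candidates:
            chain.append(parent)
            break
        current = candidates[-1]  # latest matching creation before the child
        chain.append(current["image"])
        parent = current["parent"]
    return chain


def collect_iocs(timeline: list[dict], sha256: str) -> dict[str, set[str]]:
    """Everything the sample touched: paths it ran from, hosts, users, and the
    launching parents (lateral-movement tooling tends to show up here)."""
    iocs = {"sha256": {sha256}, "paths": set(), "hosts": set(),
            "users": set(), "parents": set()}
    for e in timeline:
        if e["sha256"] != sha256:
            continue
        iocs["paths"].add(e["image"])
        iocs["hosts"].add(e["host"])
        iocs["users"].add(e["user"])
        iocs["parents"].add(e["parent"])
    return iocs


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    first = first_appearance(tl, MALWARE_SHA256)
    print("first seen:", first["ts"], first["host"], first["user"])
    print("origin chain:", " <- ".join(trace_origin(tl, first)))
    for k, v in collect_iocs(tl, MALWARE_SHA256).items():
        print(f"{k}: {sorted(v)}")
```

On the constructed data the first execution lands on WS-117 under user jdoe, the parent walk leads back through invoice.exe to the mail client, and the IoC set shows the binary being launched by a remote-execution service on two further hosts, which is the kind of finding that feeds the containment list. For the password-protected archive of the sample itself, note that Python's zipfile module can read but not write encrypted archives, so package the preserved file with a tool such as 7-Zip.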
Preserve Logs and Artifacts
Preserve the affected system(s) for further forensic investigation, including log review, MFT analysis, and deep malware scans. This step is critical to assessing how the breach happened and who is responsible, and to supporting any future forensics.
While preparing for restoration, it is essential to preserve any artifacts, systems, and relevant backups, scaled to the sensitivity and scope of the incident. Once all relevant data, equipment, and systems have been preserved, replace or rebuild systems in priority order of critical services. Restore impacted systems from a clean backup taken prior to infection, if one is available. For systems that cannot be restored from backup, rebuild the machines from a known-good image, ideally a pre-configured standard image. Throughout the investigation, remediate any vulnerabilities and gaps identified.
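Choosing the "clean backup taken prior to infection" and sequencing the rebuilds can also be made systematic. The following is an added example (not BreachQuest's tooling): it checks each backup in a constructed catalog against both the first-execution time from the timeline and the IoC hash list, picks the latest backup that passes both checks, and orders restoration by a criticality tier. The backup catalog, file contents, system inventory and the stand-in malware bytes are all constructed; the `FIRST_SEEN` value stands in for the time found during timeline analysis.

```python
"""Pick a clean restore point and order rebuilds by service priority.
Added example, not BreachQuest's tooling. The backup catalog, file contents,
system inventory and the stand-in malware bytes are all constructed."""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed stand-in for the preserved sample, so there is a real hash to
# match against; in an investigation this value comes from the IoC list.
MALWARE_BYTES = b"constructed stand-in for the ransomware binary"
MALWARE_SHA256 = sha256_hex(MALWARE_BYTES)

# First execution time taken from the key-events timeline (constructed).
FIRST_SEEN = datetime(2023, 5, 2, 8, 12, 41, tzinfo=timezone.utc)

# Constructed backup catalog for one file server: snapshot time and contents.
BACKUPS = [
    {"id": "fs01-20230501", "taken": "2023-05-01T02:00:00Z",
     "files": {"shares/finance/q1.xlsx": b"q1 numbers",
               "shares/hr/roster.csv": b"roster"}},
    {"id": "fs01-20230502", "taken": "2023-05-02T02:00:00Z",
     "files": {"shares/finance/q1.xlsx": b"q1 numbers v2",
               "shares/hr/roster.csv": b"roster"}},
    # Predates first execution but already holds the staged binary: not clean.
    {"id": "fs01-20230502-staged", "taken": "2023-05-02T06:00:00Z",
     "files": {"shares/finance/q1.xlsx": b"q1 numbers v2",
               "Windows/Temp/svc_update.exe": MALWARE_BYTES}},
    # Taken after encryption started: not clean.
    {"id": "fs01-20230503", "taken": "2023-05-03T02:00:00Z",
     "files": {"shares/finance/q1.xlsx.locked": b"ciphertext",
               "Windows/Temp/svc_update.exe": MALWARE_BYTES}},
]


def backup_is_clean(backup: dict, first_seen: datetime, ioc_hashes: set[str]) -> bool:
    """A candidate must predate the first malicious execution AND contain no
    file whose hash is a known IoC. Staging often precedes execution, so the
    timestamp check alone is not enough."""
    if parse_ts(backup["taken"]) >= first_seen:
        return False
    return not any(sha256_hex(data) in ioc_hashes for data in backup["files"].values())


def select_restore_point(backups: list[dict], first_seen: datetime,
                         ioc_hashes: set[str]) -> str | None:
    """Latest clean backup, or None when every snapshot is tainted (rebuild instead)."""
    clean = [b for b in backups if backup_is_clean(b, first_seen, ioc_hashes)]
    if not clean:
        return None
    return max(clean, key=lambda b: parse_ts(b["taken"]))["id"]


# Constructed inventory: criticality tier (0 = most critical) drives the order.
SYSTEMS = [
    {"name": "FS-01", "role": "file server", "tier": 1, "restore_point": "fs01-20230502"},
    {"name": "WS-117", "role": "workstation", "tier": 3, "restore_point": None},
    {"name": "DC-01", "role": "domain controller", "tier": 0, "restore_point": "dc01-20230502"},
    {"name": "WS-204", "role": "workstation", "tier": 3, "restore_point": None},
]


def restoration_plan(systems: list[dict]) -> list[tuple[str, str]]:
    """Most critical services first; restore from a clean backup where one
    exists, otherwise rebuild from a known-good standard image."""
    plan = []
    for s in sorted(systems, key=lambda s: (s["tier"], s["name"])):
        if s["restore_point"]:
            plan.append((s["name"], f"restore from {s['restore_point']}"))
        else:
            plan.append((s["name"], "rebuild from known-good image"))
    return plan


if __name__ == "__main__":
    print("restore point:", select_restore_point(BACKUPS, FIRST_SEEN, {MALWARE_SHA256}))
    for name, action in restoration_plan(SYSTEMS):
        print(f"{name}: {action}")
```

The catalog includes a snapshot that is earlier than the first execution yet already contains the dropped binary, which is why the selection hashes every file against the IoC list rather than trusting the timestamp alone; on this data the 02:00 snapshot from the day of the incident is chosen, and the later two are rejected. If no snapshot passes, the function returns None and the system falls into the rebuild path of the plan.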
Preparation is Best
It is best to prepare for a ransomware event before one happens rather than during one. If your organization would like to participate in a facilitated tabletop simulation of this or any other incident response scenario, please contact BreachQuest at Ransomware@breachquest.com. Furthermore, there are many ways to strengthen your security posture. Our blog post, “Cybersecurity Practices for Secure Infrastructure,” outlines the best practices for preparedness. These considerations should be documented as part of a well-structured incident response plan. If you need help with your incident response plan, contact BreachQuest, and we’ll be happy to help. We also recommend subscribing to the Cybersecurity and Infrastructure Security Agency’s alerts.