Ransomware Response Plan: How to Recover After the Attack
Ransomware spares no one. Mid-size organizations, schools, libraries, and even hospitals all suffer attacks; by some industry estimates, a new ransomware attack occurs somewhere every eleven seconds.
The chances of getting hit with ransomware are never zero, regardless of a company’s security posture. In other words, it’s not a question of if but when the attack will occur.
The prevalence of ransomware makes it vital for every business to have a strong response plan. Without it, a successful infiltration will invariably wreak havoc on the entire organization.
The following article outlines a ransomware response plan that every organization can follow in the aftermath of ransomware. It has been prepared and vetted by experts at Object First, a company singularly devoted to stopping ransomware in its tracks.
What is a Ransomware Response Plan?
A ransomware response plan is a set of steps that cushions the blow of ransomware. It instructs and reminds admins about what they can and should do to minimize the fallout of the attack.
Why should admins have a ransomware response plan in the first place? Because ransomware is always sudden and shattering, leaving even the most consummate experts in the throes of panic. A good plan provides a blueprint for the emergency and comfort in the time of need.
Ransomware is not a death sentence — despite all the appearances to the contrary. It’s more helpful to think of it as a flood. Inaction will only let it spread, while proper countermeasures can curb and sometimes even reverse it.
Reasons to Create a Ransomware Response Plan
The guide assumes the worst-case scenario, in which ransomware encrypts backups. This is not unlikely. Perpetrators have long since realized that backups render their criminal efforts futile, so they increasingly target them, too.
This ransomware incident response plan will help an organization recover even without an immutable backup. By checking off the items in this plan, an organization will be able to:
- protect resources;
- pinpoint the threat;
- preserve reputation;
- prevent re-entry.
Ransomware Incident Response Plan in Five Stages
The first rule of emergency response: don't panic. Fear is natural, but left unchecked it leads to rash decisions and snap judgments. A few minutes to steady yourself will go a long way towards calming the mind. After that, don't hesitate to move into action.
- Communicate securely. Keep the intruder in the dark: the attacker may be reading corporate email and chat, so coordinate the response over phone calls or another channel that does not touch the compromised network. Cellular services operate outside corporate networks and are invisible to ransomware running inside them.
- Snapshot the cloud. Make a copy of the company's cloud resources (instances, volumes, storage buckets, audit logs) before remediation changes them, and quarantine it for forensic investigation.
- Identify and isolate. Find out which systems are impacted and sequester them from the rest. Use the EDR's network-isolation feature or disable the switch port; if that fails, physically separate them from the network by unplugging cables or turning off the Wi-Fi.
- Power down devices. If a system defies disconnection, power it off. This is a last resort: shutting down hardware wipes potential evidence from random access memory, so capture a memory image first if tooling and time allow.
- Rank systems in order of importance. Prioritization will guide eventual recovery. If available, refer to the organization’s predefined list of critical services.
- Inspect prevention systems. Check the antivirus, EDR, and system logs for traces of precursor threats, the loaders and banking trojans that precede and enable ransomware. Examples include Bumblebee, Dridex, and Anchor. Preserve samples for the investigation, then remove them to prevent further exposure to ransomware.
- Map the intrusion. Investigate possible attack routes. The insight into entry points and infiltration pathways will inform future prevention tactics and improve security posture.
- Detect the threat. Pay special attention to Active Directory accounts, new logins, endpoint modifications, remote monitoring and management (RMM) software, PowerShell and Sysinternals PsTools such as PsExec, endpoint-to-endpoint communication, and any activity around Windows system tools and the Domain Admins group. Anything out of the ordinary should prompt closer inspection, leading to the malware behind the encryption.
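The indicators listed in the "Detect the threat" step map onto a handful of documented Windows event IDs. The script below is an added example, not code from the original article or from Object First: it triages exported event records for new accounts, Domain Admins membership changes, RMM service installs, encoded PowerShell, and endpoint-to-endpoint logons. The event shape, the asset lists (JUMP_HOSTS, WORKSTATIONS) and the SAMPLE_EVENTS records are constructed for a fictional network; only the event IDs and logon types are real Windows values.

```python
"""Triage of exported Windows event records for the indicators named in the
"Detect the threat" step: new accounts, Domain Admins changes, RMM installs,
encoded PowerShell, and endpoint-to-endpoint logons.

Added example, not code from the original article. Assumptions (not from the
page): events are dicts shaped like SAMPLE_EVENTS (roughly what a SIEM export
or Get-WinEvent | ConvertTo-Json yields), and JUMP_HOSTS / WORKSTATIONS are a
constructed asset list for a fictional network."""

import re

# Windows event IDs (documented Microsoft values)
ACCOUNT_CREATED = 4720
PRIV_GROUP_ADD = {4728, 4732, 4756}   # member added to global / local / universal group
SCHEDULED_TASK_CREATED = 4698
SERVICE_INSTALLED = 7045              # System log
LOGON_SUCCESS = 4624
PS_SCRIPT_BLOCK = 4104                # PowerShell/Operational; needs script block logging on

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RMM_MARKERS = ("anydesk", "screenconnect", "atera", "splashtop", "teamviewer", "ngrok")
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)
PS_SUSPICIOUS = re.compile(
    r"(-enc\b|-encodedcommand|frombase64string|\biex\b|invoke-expression|downloadstring|invoke-mimikatz)",
    re.IGNORECASE)

# Constructed asset list: hosts admins legitimately RDP/WinRM from, and ordinary workstations.
JUMP_HOSTS = {"10.0.0.5"}
WORKSTATIONS = {"10.0.1.21": "WS-ACCT-07", "10.0.1.33": "WS-HR-02"}

# Constructed sample records for a fictional incident window (not real data).
SAMPLE_EVENTS = [
    {"Id": 4624, "Computer": "WS-HR-02", "Data": {"LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk1"}},
    {"Id": 4624, "Computer": "WS-HR-02", "Data": {"LogonType": 3, "IpAddress": "10.0.1.21", "TargetUserName": "jsmith"}},
    {"Id": 4624, "Computer": "WS-HR-02", "Data": {"LogonType": 2, "IpAddress": "-", "TargetUserName": "mlee"}},
    {"Id": 4720, "Computer": "DC01", "Data": {"TargetUserName": "svc_backup2", "SubjectUserName": "jsmith"}},
    {"Id": 4728, "Computer": "DC01", "Data": {"TargetUserName": "Domain Admins",
                                             "MemberName": "CN=svc_backup2,OU=Service,DC=corp,DC=local",
                                             "SubjectUserName": "jsmith"}},
    {"Id": 7045, "Computer": "WS-HR-02", "Data": {"ServiceName": "AnyDesk Service",
                                                 "ImagePath": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"}},
    {"Id": 7045, "Computer": "WS-HR-02", "Data": {"ServiceName": "WinHttpAutoProxySvc",
                                                 "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"}},
    {"Id": 4104, "Computer": "WS-HR-02", "Data": {"ScriptBlockText": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}},
]


def triage(events, workstations=WORKSTATIONS, jump_hosts=JUMP_HOSTS):
    """Return findings (severity, event id, host, reason), most severe first."""
    findings = []

    def hit(severity, ev, reason):
        findings.append({"severity": severity, "id": ev["Id"], "host": ev["Computer"], "reason": reason})

    for ev in events:
        eid, d = ev["Id"], ev.get("Data", {})
        if eid == ACCOUNT_CREATED:
            hit("high", ev, f"account {d['TargetUserName']} created by {d['SubjectUserName']}")
        elif eid in PRIV_GROUP_ADD and d.get("TargetUserName") in PRIVILEGED_GROUPS:
            hit("critical", ev, f"{d['MemberName']} added to {d['TargetUserName']} by {d['SubjectUserName']}")
        elif eid == SCHEDULED_TASK_CREATED:
            hit("medium", ev, f"scheduled task {d['TaskName']} created by {d['SubjectUserName']}")
        elif eid == SERVICE_INSTALLED:
            path = d.get("ImagePath", "")
            if (any(m in path.lower() for m in RMM_MARKERS)
                    or USER_WRITABLE.search(path) or PS_SUSPICIOUS.search(path)):
                hit("high", ev, f"suspicious service {d['ServiceName']}: {path}")
        elif eid == LOGON_SUCCESS and d.get("LogonType") in (3, 10):
            # type 10 = RDP, type 3 = network (admin shares, WinRM, PsExec)
            src = d.get("IpAddress", "-")
            if src in jump_hosts:
                continue                       # expected administrative path
            if src in workstations:
                hit("high", ev, f"endpoint-to-endpoint logon (type {d['LogonType']}) from "
                                f"{workstations[src]} ({src}) as {d['TargetUserName']}")
            else:
                hit("medium", ev, f"type {d['LogonType']} logon from unknown source {src} as {d['TargetUserName']}")
        elif eid == PS_SCRIPT_BLOCK and PS_SUSPICIOUS.search(d.get("ScriptBlockText", "")):
            hit("high", ev, "PowerShell script block with encoded/download/IEX pattern")

    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['host']:8} {f['id']} {f['reason']}")
```

Run against the sample, the jump-host RDP session and the interactive logon pass silently, while the workstation-to-workstation network logon, the new service account, its addition to Domain Admins, the AnyDesk service and the encoded PowerShell block are surfaced. On a real export, feed it the hours around the first encryption timestamp and widen the asset lists to your own jump hosts; the noise it does not filter (legitimate IT tooling, backup agents) is exactly what the "closer inspection" in the step is for.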
Sounding the alarm immediately follows the initial response. This step is indispensable despite being unpleasant. Sharing information about the attack allows the affected parties to stay vigilant and offer a helping hand if they can.
- Inform internally. At this point, every impacted party, including stakeholders, should learn about the breach and the actions taken against it. They should also get regular updates as the situation unfolds.
- Contact breach counsel. Breach counsel is outside legal counsel that specializes in data-breach incidents; it coordinates forensic vendors, regulatory notifications, and any dealings with the attacker, and engaging it early keeps the investigation under attorney-client privilege. Cyber-insurance policies often require using a counsel from the insurer's panel, listed in the policy or on the insurer's website.
- Alert authorities. Ransomware constitutes a criminal offense in many jurisdictions, and breach-notification laws (for example the GDPR's 72-hour deadline for personal-data breaches) may oblige organizations to inform law enforcement and regulators.
In the USA, consider contacting:
- FBI Internet Crime Complaint Center (IC3), the FBI's central intake point for cybercrime complaints.
- CISA, the Cybersecurity and Infrastructure Security Agency, which accepts incident reports and publishes ransomware guidance.
- US Secret Service, whose field offices investigate financial and cyber-enabled crime.
In Europe, consult this list from Europol.
Legal requirements notwithstanding, government agencies may provide additional resources against the threat, for example known decryption tools or forensic analysis of data samples.
- Notify customers. Companies prefer to keep ransomware incidents under wraps for fear of reputational damage. But news of the attack will come out sooner or later, and customers had better learn about it from the company than from someone else. External communication about the incident should state its scope and the accompanying risks, such as data leaks.
Zero in on the culprit with a thorough investigation. Mobilize the company's cybersecurity team and join forces with outside professionals to trace the attacker's every step.
- Isolate data for analysis.
WARNING: This is a delicate operation best performed by or with support from security experts, such as the Breach Counsel or CISA. Proceed with caution.
Extract data samples from impacted systems. Focus on relevant and suspicion-raising items, such as logs, specific binaries, registry entries, and IP addresses. Collect volatile data first, before it disappears: memory, running processes and network connections, and logs that roll over quickly, such as Windows Security logs or firewall log buffers.
- Find the origin. Comb through all the systems and accounts, including email, to identify the initial point of entry.
- Secure endpoints. Lock down every outward-facing interface, such as VPNs, remote access servers, single sign-on resources, and exposed RDP, until credentials have been rotated and the entry point has been confirmed clean. Otherwise, they remain a potential avenue back into your systems.
- Eliminate persistence mechanisms. Find and neutralize anything the attackers left behind to keep access: rogue accounts, scheduled tasks, new services and Run keys, web shells, forged Kerberos tickets or stolen long-lived tokens, and the unpatched vulnerabilities they exploited to get in.
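Hunting persistence usually starts from an inventory of everything that runs at boot or logon, the kind of CSV that Sysinternals Autoruns exports. The script below is an added example, not code from the original article or from Object First: it scores each autostart entry on the indicators an investigator checks (unsigned binary, image in a user-writable directory, living-off-the-land launch string, orphaned entry whose file is gone, and creation inside the incident window) and lists the entries most worth pulling apart first. The column subset, the rows in SAMPLE_CSV, and INCIDENT_START are constructed for a fictional host.

```python
"""Persistence triage over an autostart inventory (the kind of CSV Sysinternals
Autoruns exports), scoring each entry on indicators the investigation step
cares about: unsigned binaries, images in user-writable directories, LOLBin
launch strings, orphaned entries, and entries created inside the incident window.

Added example, not code from the original article. Assumptions (not from the
page): the column subset used below and the rows in SAMPLE_CSV are constructed;
INCIDENT_START is the earliest suspicious timestamp the investigation settled on."""

import csv
import io
from datetime import date

USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")
LOLBIN_PATTERNS = ("-enc", "-encodedcommand", "-w hidden", "mshta", "regsvr32", "rundll32",
                   "wscript", "cscript", "certutil", "bitsadmin", "iex(", "downloadstring")

# Constructed sample inventory for a fictional host (not real data).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String,Time
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,C:\Windows\System32\SecurityHealthSystray.exe,2021-03-01
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,Logon,(Not verified) Microsoft Corporation,C:\Users\jsmith\AppData\Roaming\update.exe,C:\Users\jsmith\AppData\Roaming\update.exe -s,2024-05-14
Task Scheduler,\Microsoft\Windows\Maintenance\Cleanup,enabled,Scheduled Tasks,(Verified) Microsoft Windows,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -nop -w hidden -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoA,2024-05-14
HKLM\SYSTEM\CurrentControlSet\Services,RemoteHelper,enabled,Services,(Not verified) Contoso Ltd,File not found: C:\ProgramData\rh\rh.exe,C:\ProgramData\rh\rh.exe /svc,2024-05-13
"""
INCIDENT_START = date(2024, 5, 10)   # constructed: first suspicious timestamp in the timeline


def score_entry(row, incident_start):
    """Return the list of indicator names that fire for one autostart row."""
    flags = []
    signer = row["Signer"].strip()
    image = row["Image Path"]
    launch = row["Launch String"].lower()
    if not signer.startswith("(Verified)"):
        flags.append("unsigned-or-unverified")          # Autoruns marks valid signatures "(Verified)"
    if any(d in image.lower() for d in USER_WRITABLE_DIRS):
        flags.append("user-writable-path")              # attacker can drop files here without admin
    if any(p in launch for p in LOLBIN_PATTERNS):
        flags.append("lolbin-launch")                   # signed system binary, attacker-controlled args
    if image.lower().startswith("file not found"):
        flags.append("orphaned-entry")                  # payload deleted or renamed after install
    if date.fromisoformat(row["Time"]) >= incident_start:
        flags.append("created-in-incident-window")
    return flags


def triage_autoruns(csv_text, incident_start=INCIDENT_START):
    """Parse the inventory and return flagged entries, most suspicious first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = score_entry(row, incident_start)
        if flags:
            results.append({"entry": row["Entry"], "location": row["Entry Location"],
                            "launch": row["Launch String"], "flags": flags})
    return sorted(results, key=lambda r: len(r["flags"]), reverse=True)


if __name__ == "__main__":
    for r in triage_autoruns(SAMPLE_CSV):
        print(f"{len(r['flags'])} {r['entry']:45} {', '.join(r['flags'])}")
        print(f"    {r['location']} -> {r['launch']}")
```

The signed Microsoft tray application falls out of the list; the orphaned service, the update binary in a roaming profile, and the scheduled task that launches hidden, encoded PowerShell rise to the top. A verified signature alone is not a clean bill of health, which is why the scheduled task is still flagged: the binary is Microsoft's, but the launch string is the attacker's.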
The perimeter is secured. Now, bring the systems back to operational capability by cleansing and resetting everything that could have come into contact with malware. This is the only way to expunge malicious residue from the infrastructure.
- Erase affected systems. It may be tempting to cut out only infected data so the entire system isn’t sacrificed, but it’s not worth the risk of omission. For maximum security, wipe everything infected clean.
- Reload from images. Replace compromised services with their fresh images according to the priority list. With the cloud, rely on infrastructure-as-code for the same process.
- Reset passwords. The attackers won't be able to re-infect if they can't use the credentials they might have stolen. Rotate every account, not only the ones known to be compromised: domain and local users, service accounts, local administrator passwords, API keys, and, in Active Directory, the krbtgt account twice so that forged Kerberos tickets stop working. Revoke active sessions and tokens at the same time.
Now that the threat is over, decrease the odds of it happening again. There are a few things an organization can do to strengthen its resilience against ransomware:
- Educate. Organize training on best practices in data security for all employees so they know how to avoid the pitfalls of social engineering and recognize early signs of threats.
- Audit. Examine the systems regularly for weaknesses malware can exploit, and test that backups actually restore.
- Secure. Do not expose Remote Desktop Protocol (RDP) to the internet; restrict it to trusted hosts behind a VPN or gateway with MFA, and disable it where it isn't needed. Apply stringent security settings to all endpoints.
- Segment. Compartmentalize the network physically and logically, with VLANs and firewall rules, and separate inward-facing network elements from outward-facing ones. Apply Zero Trust principles to access control management.
- Update. Always keep everything up to date. Even a slight patching delay can give attackers a window to get inside.
- Enforce. Prepare and follow a robust backup strategy with immutability at the center.
A robust ransomware defense strategy diminishes the odds of future attacks, but it’s always worth having concrete resources ready. Consider creating, keeping, and regularly updating the following information:
- Incident response team. List the people responsible for remediating an attack.
- Asset inventory. Specify hardware and software assets, ideally as a chart. It will afford an instant, bird’s-eye view of the company’s infrastructure.
- Critical services list. Define a hierarchical list of digital resources, such as applications, datasets, and backups.
- Contact roster. Write down the contact information of organization affiliates and members who might suffer the consequences of a ransomware strike.
- Training opportunities. Detail the theoretical and practical exercises, such as courses, workshops, and incident simulations, available to employees and preferably categorized by difficulty to match with the right level of expertise.
- Lessons learned. Collect insights from past attacks and security drills to support future mitigation.
- Ransomware Incident Response Plan. Make a detailed ransomware response action plan to streamline damage control.
Immutable backup against ransomware
A backup is immutable when no one, including admins and root, can modify or delete it before its retention period expires. These backups rely on the write-once-read-many (WORM) mechanism, implemented at the software or hardware level. Some implementations also offer a weaker mode (S3 Object Lock's governance mode, as opposed to compliance mode) in which specially privileged users can still lift the lock; only the strict mode defeats an attacker holding admin credentials.
Software-based immutability is more flexible and cost-effective because it is time-bound: each backup is locked for a defined retention period and can be replaced with new data once that period elapses.
Immutable backups resist encryption, which makes them the perfect insurance against ransomware. If attacked, follow our ransomware incident response plan to get rid of malware and then proceed to recovery from immutable backups.
Ootbi—out-of-the-box-immutability for Veeam
Ootbi from Object First is a purpose-built backup appliance tailored for Veeam. It comes with out-of-the-box immutability, runs on S3 Object Lock, and utilizes object storage to better accommodate large data pools. Racked, stacked, and powered in less than fifteen minutes, Ootbi seamlessly integrates with any Veeam instance, supports all Veeam protocols, and requires no technical expertise to set up.
Ransomware proves to be one of the biggest security threats in the current decade. Companies that want to stay safe and relevant must devise a ransomware response plan or face significant downtime and data loss that usually results from an attack.
Immutable and air-gapped backup appliances such as Ootbi emerge as the last line of defense and a rare assurance against ransomware. The plan and backup provide the best ransomware protection a company can hope for.
What is a Ransomware Response Plan?
A ransomware response plan enumerates the steps to take in case of a ransomware incident. It lets organizations swiftly counteract and contain the attack, keeping the damage to a bare minimum.
What is the best practice in ransomware response?
It is widely agreed that the best way to withstand ransomware is regular backups. Ultimately, however, only immutable backups provide real assurance, because nobody can tinker with them.
What is the 3-2-1 rule of ransomware?
The 3-2-1 rule recommends keeping three copies of the data (the production copy plus two backups) on two different media types, with one copy stored off-site.
A variation on the rule extends it to 3-2-1-1-0—the additional 1 and 0 stand for one air-gapped and immutable copy and zero errors on backup testing.
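The rule is easy to state and easy to drift away from, so it is worth checking mechanically against the backup inventory. The checker below is an added example, not code from the original article or from Object First. It evaluates each element of 3-2-1-1-0 over a constructed inventory; the inventory shape, the per-copy `immutable` / `air_gapped` attributes, and the assumption that a restore test older than MAX_TEST_AGE_DAYS counts as missing are all mine, not the page's.

```python
"""Checker for the 3-2-1-1-0 rule against a backup inventory: three copies of
the data (production counts as one), two media types, one offsite, one copy
that is immutable or air-gapped, and zero errors on the last restore test.

Added example, not code from the original article. Assumptions (not from the
page): the inventory shape below is constructed, 'air_gapped' and 'immutable'
are self-reported per copy, and a restore test older than MAX_TEST_AGE_DAYS is
treated as missing."""

from datetime import date, timedelta

MAX_TEST_AGE_DAYS = 30   # assumption: a restore test older than this no longer counts

# Constructed inventory for a fictional environment (not real data).
INVENTORY = [
    {"name": "prod-vmfs", "role": "primary", "media": "san", "offsite": False,
     "immutable": False, "air_gapped": False, "last_test": None},
    {"name": "veeam-repo-1", "role": "backup", "media": "disk", "offsite": False,
     "immutable": False, "air_gapped": False, "last_test": {"date": "2024-05-01", "errors": 0}},
    {"name": "object-lock-bucket", "role": "backup", "media": "object-storage", "offsite": True,
     "immutable": True, "air_gapped": False, "last_test": {"date": "2024-04-20", "errors": 2}},
]


def check_3_2_1_1_0(inventory, today_iso):
    """Return {rule: (passed, detail)} for each element of 3-2-1-1-0."""
    today = date.fromisoformat(today_iso)
    backups = [c for c in inventory if c["role"] == "backup"]
    media = {c["media"] for c in inventory}
    cutoff = today - timedelta(days=MAX_TEST_AGE_DAYS)

    # "0": every backup copy restore-tested recently, with no errors
    stale_or_failed = []
    for c in backups:
        t = c["last_test"]
        if t is None or date.fromisoformat(t["date"]) < cutoff:
            stale_or_failed.append(f"{c['name']}: no restore test in last {MAX_TEST_AGE_DAYS} days")
        elif t["errors"]:
            stale_or_failed.append(f"{c['name']}: {t['errors']} error(s) on last restore test")

    protected = [c["name"] for c in backups if c["immutable"] or c["air_gapped"]]
    return {
        "3 copies": (len(inventory) >= 3, f"{len(inventory)} copies including production"),
        "2 media": (len(media) >= 2, f"media types: {sorted(media)}"),
        "1 offsite": (any(c["offsite"] for c in backups), [c["name"] for c in backups if c["offsite"]]),
        "1 immutable/air-gapped": (bool(protected), protected),
        "0 errors": (not stale_or_failed, stale_or_failed or "all backups restore-tested clean"),
    }


def gaps(inventory, today_iso):
    """Names of the rule elements the inventory fails."""
    return [rule for rule, (ok, _) in check_3_2_1_1_0(inventory, today_iso).items() if not ok]


if __name__ == "__main__":
    for rule, (ok, detail) in check_3_2_1_1_0(INVENTORY, "2024-05-15").items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule:24} {detail}")
```

On the sample inventory the copy count, media diversity, offsite copy and immutable copy all pass, but the rule still fails on the "0": the immutable bucket's last restore test reported errors, which is precisely the case the trailing zero exists to catch. An immutable backup that does not restore is a very durable paperweight.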