How to create a ransomware incident response plan

Why create a ransomware incident response plan?

Yes, prevention is the best way to avoid becoming a ransomware victim, but should an attack occur, a ransomware incident response plan helps mitigate its effects.

Ransomware attacks can be detrimental to businesses. These financially motivated crimes can be costly, result in data loss, damage infrastructure, cause reputational damage and loss of customers, put an organization out of business and even cause personal harm.

A ransomware response plan helps ensure an organization has the processes, procedures and people in place to quickly and effectively respond to a ransomware attack.

Who needs a ransomware incident response plan?

Ransomware affects businesses of all shapes and sizes across all industries. While some targets are more popular than others -- for example, lower and higher education, construction and property, and central and federal government -- no one is immune to an attack.

As a result, it is beneficial for all organizations to create an incident response plan.

9-step ransomware incident response plan

While the specific recommendations for ransomware incident response vary depending on the systems involved, being prepared with a comprehensive plan can help reduce the effects of an attack.

Enterprise ransomware incident response plans should include the following steps.

1. Validate the attack

Confirm whether the event was indeed a ransomware attack. Many incidents can be linked to phishing, adware or other malware incidents but not specifically ransomware. If it is determined to be ransomware, proceed to step two.

2. Gather the incident response team

Make sure the IT, management, PR and legal teams are aware of the issue and ready to tackle their roles in the response efforts. If available, use an emergency notification system to quickly alert key responders. All team members should be aware of their specific response actions.

3. Analyze the incident

Examine the scope of the incident. Note which applications, networks and systems were affected, and determine how actively the malware is spreading. Assess communications received from the ransomware perpetrators, such as phone calls, text messages and emails. Use this information when planning a response.

4. Contain the incident

Steps one through three should be completed as quickly as possible to minimize potential damage to information systems, networks and data.

To contain the incident, disconnect and quarantine the infected system from the network as quickly as possible to reduce the likelihood that the attack spreads. Next, check and ensure backup resources are secure and free of malware.

Every incident generates some volatile evidence, such as log files or system images. Examine data from firewalls, intrusion detection systems (IDSes) and other monitoring tools to determine what is happening. Document this evidence as soon as possible, and check it regularly, as it may change if the attack is ongoing.

Ransomware evidence could include a recoverable encryption key if the investigation begins before the encryption key is deleted. In some cases, if the incident is detected quickly enough, encryption can be stopped.

5. Perform a thorough investigation

Try to identify which ransomware strain has been used, its potential risks and recovery options. Some types of ransomware use weak encryption that have a publicly available decryption mechanism provided by a security vendor or researcher. The No More Ransom initiative, a partnership of law enforcement and IT security companies, aims to help ransomware victims recover files where possible.

During this investigation, determine the severity of the attack. Establish what has been compromised, and identify steps to regain access if necessary.

In addition, brief management on the results of the investigation and the likelihood of eliminating the attack, as well as possible negative outcomes.

6. Eradicate malware and recover from the incident

Continue with steps to isolate, mitigate and eliminate the ransomware. Wipe infected systems, and restore lost data from backups. Be sure to change all account, network and system passwords after removing a device or system from the network. Change passwords again after the malware is removed completely from the network.

7. Contact law enforcement

Federal agencies are urged to report any ransomware incidents to law enforcement. Organizations are also encouraged to involve law enforcement agencies. Law enforcement experts can offer guidance for paying ransoms based on previous experience with a particular strain of ransomware or ransomware group involved in the attack.

In the U.S., contact CISA, the Internet Crime Complaint Center or your organization's local FBI office or Secret Service Field Office. Some organizations choose to hire private companies to help with ransomware incident response, including assisting with the negotiation process, if needed.

8. Conduct post-incident activities

Some compliance regulations require organizations to disclose ransomware attacks, either to government authorities or customers, if they involve sensitive data. Adhere to regulatory and breach notification requirements, if applicable.

Also, verify the restoration of backups to ensure all applications, data and systems are accounted for and fully operational.

9. Perform analysis and learn from the attack

Once the event is under control or eliminated, prepare for a post-even review and discussion of next steps:

• Use forensics techniques to discover and analyze how the attack happened, and apply appropriate actions to address the vulnerability.
• Gather output data from firewalls, IDSes and antimalware software for further analysis.
• Examine data from systems that dealt with the ransomware attack; identify what worked and what didn't.
• Discuss next steps, including the following:
  • Updating cybersecurity plans and ransomware incident response plans.
  • Updating cybersecurity prevention tools.
  • Performing follow-up tests of antimalware prevention software.
  • Performing tests of updated ransomware plans.
• Initiate a plan to complete remediation steps identified, and perform tests to validate that corrections are appropriate.
• Prepare an after-action report to present to senior management on the incident.
• Maintain diligence on all possible entry points in the network. Monitor systems and data that could be affected in the future.
• If the attack was the result of an employee clicking a malicious link, perform additional security awareness training, and revise security policies, if necessary.

Enterprise ransomware preparation and planning best practices

Test the incident response plan -- ideally, before an incident and on a regular basis -- to ensure it achieves its intended results. Using a tabletop exercise focused on assessing the response to a ransomware incident, test the effectiveness of existing tools, and determine whether additional tools are necessary.

Depending on test results, update current response procedures. Conduct annual, quarterly or even monthly exercises to test the plan and prepare the business. Note that tests should involve all relevant parties, including IT staff, management, communications team, and PR and legal teams.

Document which security tools have ransomware prevention, blocking or recovery functionality. Conduct additional tests to verify simulated systems infected with ransomware can be restored using a backup in a known-good state. While some systems save only the most recent version of a file or a limited number of versions, periodic testing to restore the data, system or access to all critical systems is an essential part of a ransomware protection program.

If your organization has cyber insurance, verify if the policy covers a ransomware incident or the ransomware negotiation process. Do the same with business interruption insurance, which can be used to recover lost revenue or other losses due to a ransomware attack.

Document ransomware prevention processes that include the following:

• Regularly back up systems.
• Perform required system patching, and update software on a regular basis, including antimalware and other security mechanisms.
• Perform ransomware-specific security awareness training that teaches employees the dangers of clicking links and downloading potentially malicious files.
• Review and update access control measures that follow the principle of least privilege.
• Perform periodic risk analyses to ensure risks are properly managed.

Other steps include installing spam filters, scanning emails for potential threats, blocking malicious IP addresses, performing regular antimalware scans and using application allowlisting to enforce use of approved-only applications.

In addition, have a conversation about what would happen if a ransomware attack occurred. How much would your organization pay in potential ransom? Are there parameters for when a ransom would be paid and when it isn't an option? How would your organization make the payment? Who would negotiate with the ransomware operators? While paying a ransom is not recommended, it is important to consider and get C-level approval on the decision.

The tradeoffs of how much to spend on prevention versus response continue to drive infosec. As costs from ransomware attacks -- outside of paying a ransom -- become more significant and disruptive, planning how to weigh these costs prior to an attack become more important.