How to create a ransomware incident response plan

Enterprise ransomware preparation and planning

Pre-incident planning: Preparing for an attack

Companies should test an incident response plan -- ideally, before an incident, as well as on a regular basis -- to ensure it accomplishes its intended results. Using a tabletop exercise focused on assessing the response to a ransomware incident, participants can use existing tools to test their effectiveness and determine if additional tools are necessary. Depending on test results, you may need to change current response procedures. Companies may want to have annual, quarterly or even monthly exercises to test the plan and prepare the business. These tests should involve all the relevant parties, including IT staff, management, the communications team, and PR and legal teams.

Enterprises should document which of their security tools have ransomware prevention, blocking or recovery functionality. Additional tests may be conducted to verify simulated systems infected with ransomware can be restored using a backup in a known-good state. While some systems save only the most recent version of a file or a limited number of versions, periodic testing to restore the data, system or access to all critical systems is an essential part of a ransomware protection program.

Enterprises with cyber insurance should verify if their policy covers a ransomware incident or the ransomware negotiation process. Do the same if the company has business interruption insurance, which can be used to recover lost revenue or other losses due to a ransomware attack.

Organizations should have documented ransomware prevention processes that include the following:

• regularly backing up systems;
• updating software on a regular basis, including antimalware and other security mechanisms;
• performing required system patching, especially for cybersecurity systems;
• performing security awareness training that teaches employees the dangers of clicking links and downloading potentially malicious files;
• reviewing and updating access control measures following the principle of least privilege; and
• performing periodic risk analyses to ensure risks are being managed.

Other steps include installing spam filters, scanning emails for potential threats, blocking malicious IP addresses, performing regular antimalware scans and using application allowlisting to enforce use of approved-only applications.

Another conversation organizations should have is about what would happen if a ransomware attack occurred. How much would your organization pay in potential ransom? Are there parameters for when a ransom would be paid and when it isn't an option? How would your organization make the payment? Who would negotiate with the ransomware operators? While paying a ransom is not recommended, it is important to consider and get C-level approval on the decision.

The tradeoffs of how much to spend on prevention versus response will continue to drive infosec. As costs from ransomware attacks -- outside of paying a ransom -- become more significant and disruptive to enterprises, planning how to weigh these costs prior to an attack will become more important.

During the incident: Planning a response

When it's clear that some sort of malware attack is occurring, perform the following steps:

• Examine data from firewalls, intrusion detection systems (IDSes) and other monitoring systems to determine what is happening.
• Isolate and quarantine the malware, if possible, to carefully examine it.
• Review communications from perpetrators to see what they want.
• Determine initial steps to mitigate the severity of the attack. For example, use software to examine the malware attack signature, and assess possible remedies.
• Establish what has been compromised, and identify steps to regain access if necessary.
• Brief management on the incident and the likelihood of eliminating the attack, as well as possible negative outcomes.
• Continue with steps to isolate and mitigate/eliminate the malware.
• Discuss options with the incident response team and senior management, if response actions are unsuccessful.
• Compile notes on the attack for a post-event review and after-action report.

Post-incident planning: Recovering from an attack

Once the event is under control or eliminated, prepare for a post-event review and discussion of next steps:

• Gather output data from firewalls, IDSes and antimalware software for further analysis.
• Examine data from systems dealing with the ransomware attack; identify what worked and what did not work.
• Discuss next steps, including the following:
  • updating cybersecurity plans and ransomware incident response plans;
  • updating cybersecurity prevention tools;
  • performing follow-up tests of antimalware prevention software; and
  • performing tests of updated ransomware plans.
• Initiate a plan to complete remediation steps identified and perform tests to validate that corrections are appropriate.
• Prepare an after-action report to present to senior management on the incident.
• Maintain diligence on all possible malware entry points in the network, and monitor systems and data that could be affected in the future.

9-step ransomware incident response plan

While the specific recommendations for ransomware incident response vary depending on the systems involved, being prepared with a comprehensive plan can help reduce the effects of an attack.

Enterprise ransomware incident response plans should include the following steps:

1. Validate the attack. Confirm whether the event was indeed an attack. Many incidents can be linked to phishing, adware or other malware incidents but not specifically ransomware. If it is determined to be ransomware -- i.e., files are encrypted or locked -- proceed to the next steps.
2. Gather the incident response team. Make sure IT staff, management, PR and legal teams are aware of the issue and ready to tackle their roles in the response efforts. If available, use an emergency notification system to alert key respondents quickly.
3. Analyze the incident. Examine the scope of the incident. Note which applications, networks and systems were affected, and determine how actively the malware is spreading. Assess communications received from the ransomware perpetrators, such as phone calls, text messages and emails. Use this information when planning a response.
4. Contain the incident. Steps 1 through 3 should be completed as quickly as possible to minimize potential damage to information systems, networks and data. Try to disconnect the infected system from the network as quickly as possible -- before even assembling the response team -- to reduce the likelihood that the attack spreads further. Next, check backup resources to ensure they are secure and free of malware. Every incident will generate some volatile evidence, such as log files or system images. Document this evidence as soon as possible, and check it regularly as it may change if the attack is ongoing. When ransomware is involved, such evidence may also include a recoverable encryption key if the investigation begins before the encryption key is deleted. In some cases, if the incident is detected quickly enough, the encryption can be stopped.
5. Perform a thorough investigation. Try to identify which ransomware strain has been used, its potential risks and recovery options. Some ransomware varieties use weak encryption that has a publicly available decryption mechanism provided by a security vendor or researcher. The No More Ransom initiative, a partnership between law enforcement and IT security companies, aims to help ransomware victims recover files where possible.
6. Eradicate malware and recover from the incident. This involves wiping infected systems and restoring lost data from backups. Be sure to change all account, network and system passwords after removing a device or system from the network. Change passwords again once the malware is removed completely from the network.
7. Contact law enforcement. Federal agencies are urged to report any ransomware incidents to law enforcement. Enterprise responders are also encouraged to involve law enforcement agencies. Law enforcement experts may be able to offer guidance for paying ransoms based on previous experience with a strain of ransomware or criminal organization involved in the attack. In the U.S., organizations can contact the Cybersecurity and Infrastructure Security Agency, Internet Crime Complaint Center or their local FBI office or Secret Service Field Office. Affected enterprises can also hire private companies to help with ransomware, including assisting with the negotiation process, if needed.
8. Conduct post-incident activities. Adhere to regulatory and breach notification requirements, if applicable. Organizations should also verify the restoration of backups to ensure all applications, data and systems are accounted for and fully operational.
9. Perform analysis and learn from the attack. During this step, organizations can use forensic techniques to discover and analyze why the attack happened and apply appropriate actions to address the vulnerability. For example, if the ransomware was the result of an employee clicking a malicious link, the company should perform additional security awareness training and revise security policies, if necessary. Security teams should also analyze how the ransomware incident response plan performed. If certain steps did not go as intended, review the plan, and update and test the plan where needed to improve efficiency.