Ransomware Incident Response: 7 steps to success

1 year ago
Eric Vanderburg

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

Validate

The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Assemble

Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

Analyze

The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Contain

Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes when containment is underway, and ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.

Investigate

The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is taken of the affected machines along with documentation of serial numbers and asset identifiers.

Eradicate

The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backup to each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

Remediate

The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would backup more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.