5 minute read 20 May 2021
Engineer working behind computers control room

How to mount an effective response to a ransomware attack

Authors
Carol Murphy

EY Ireland Consulting Partner and Head of Risk Transformation

IT strategy and transformation adviser. Effective programme and project management skills.

Ross Spelman

EY Ireland Cybersecurity Director and Lead

Cybersecurity all-rounder. Industry speaker and lecturer. Technology enthusiast and frequent harbinger of cyber threat intelligence and trends.

5 minute read 20 May 2021
Related topics Cybersecurity

The essential steps required for an effective ransomware response.

In brief
  • A multi-stakeholder response is required to mount a successful response to a ransomware attack
  • Investigations should focus on how the attackers accessed the system, what data was compromised, and what other systems may have been affected

Every organization should have a ransomware incident response plan in place, and this should be regularly tested, reviewed, and updated. This plan should include roles and responsibilities for all stakeholders, including IT, legal, compliance, human resources, operations, communications, and end-users.

Having a framework to guide your response efforts can significantly improve an organization’s capability to respond to a ransomware incident. The NIST incident response framework provides guidance for incident response processes in the following phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

A key step in the initial response process during a ransomware incident should be the designation of an incident response lead and support staff to help direct and coordinate teams, make decisions, and allocate resources. The response effort should maintain focus on key functional areas including; IT, information security, legal, and communications. The teams looking after these areas should share information in a central location and establish clear communication channels with regularly scheduled incident update sessions.

IT

Ransomware is a technology problem and once detected, the first step is to disconnect any infected or suspected systems from the network and shut down non-infected systems to protect them from infection. Once that is complete, available backups should be identified and evaluated. It is critically important that backups pre-date the attack. If a system cannot be cleaned and brought back to a secure, operational state, then the system must be rebuilt or restored.

The restoration process should follow a clear prioritised sequence based on business criticality and risk exposure. For example, critical production servers or systems providing email/collaboration services may come first, followed by business-critical workstations supporting payroll and other key areas of the business. Depending on the priority, general user workstations may come last.

Information Security

The information security team should attempt to identify the type of ransomware which has infected the system and, if possible, pinpoint the criminals responsible for it. The next step is to determine if a decryption key or remediation software is publicly available.

The team should then embark on a forensic investigation to determine what data was stolen, if any, how the network was accessed, the particular systems accessed, and what activities took place on them.

Devices and equipment which appear to be non-infected should be examined for evidence of hacker activity as a matter of routine.

Once the investigation is complete, the team should work with IT to fix the vulnerabilities used by the criminals to access the network.

When an organization recovers from a ransomware incident, it should emerge much stronger. It is not good enough to fix the root cause(s) or vulnerabilities exploited by the attacker, the organization should strengthen multiple layers of security controls and improve/adopt a defence-in-depth approach to security.

Legal & Communications

Depending on the criticality of the incident, company officers and employees may need to be notified of the incident immediately. Business partners and key external parties should also be informed at the earliest possible juncture and kept informed as the investigation progresses.

The Legal & Communications team should prepare a statement to inform the wider public of the incident. They should also work with IT and Information Security to develop and implement temporary workarounds for impacted critical functions including email, payroll, and customer portals.

The team should also prepare for regulatory or compliance reporting requirements such as those covered by GDPR.

No ransom

EY does not recommend paying ransom demands for a variety of reasons. From a moral perspective, paying ransoms will only fund continued criminal activity. Payment could also expose companies to legal risk with no guarantee that the criminals will make good on their promise to supply a decryption key or other means of recovering data. Indeed, companies that pay ransoms may actually find themselves vulnerable to re-infection by the same criminals or their associates.

To learn more about Cybersecurity and how EY can support, visit our Cybersecurity page here.

Summary

No organisation can afford to be without a cyberattack or ransomware response plan. The plan should be subject to periodic review and set out the role of all appropriate sections of the organisation in the response and recovery process. Particular emphasis should be placed on the investigation phase as this will assist in the prevention of future attacks. Paying a ransom is never recommended as it will not guarantee the restoration of systems or data and will only fund future criminal activity while potentially exposing the organisation to legal penalties.

About this article

Authors
Carol Murphy

EY Ireland Consulting Partner and Head of Risk Transformation

IT strategy and transformation adviser. Effective programme and project management skills.

Ross Spelman

EY Ireland Cybersecurity Director and Lead

Cybersecurity all-rounder. Industry speaker and lecturer. Technology enthusiast and frequent harbinger of cyber threat intelligence and trends.

Related topics Cybersecurity