Every organization should have a ransomware incident response plan in place, and this should be regularly tested, reviewed, and updated. This plan should include roles and responsibilities for all stakeholders, including IT, legal, compliance, human resources, operations, communications, and end-users.
Having a framework to guide your response efforts can significantly improve an organization’s capability to respond to a ransomware incident. The NIST incident response framework provides guidance for incident response processes in the following phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.
A key step in the initial response process during a ransomware incident should be the designation of an incident response lead and support staff to help direct and coordinate teams, make decisions, and allocate resources. The response effort should maintain focus on key functional areas including; IT, information security, legal, and communications. The teams looking after these areas should share information in a central location and establish clear communication channels with regularly scheduled incident update sessions.
Ransomware is a technology problem and once detected, the first step is to disconnect any infected or suspected systems from the network and shut down non-infected systems to protect them from infection. Once that is complete, available backups should be identified and evaluated. It is critically important that backups pre-date the attack. If a system cannot be cleaned and brought back to a secure, operational state, then the system must be rebuilt or restored.
The restoration process should follow a clear prioritised sequence based on business criticality and risk exposure. For example, critical production servers or systems providing email/collaboration services may come first, followed by business-critical workstations supporting payroll and other key areas of the business. Depending on the priority, general user workstations may come last.
The information security team should attempt to identify the type of ransomware which has infected the system and, if possible, pinpoint the criminals responsible for it. The next step is to determine if a decryption key or remediation software is publicly available.
The team should then embark on a forensic investigation to determine what data was stolen, if any, how the network was accessed, the particular systems accessed, and what activities took place on them.
Devices and equipment which appear to be non-infected should be examined for evidence of hacker activity as a matter of routine.
Once the investigation is complete, the team should work with IT to fix the vulnerabilities used by the criminals to access the network.
When an organization recovers from a ransomware incident, it should emerge much stronger. It is not good enough to fix the root cause(s) or vulnerabilities exploited by the attacker, the organization should strengthen multiple layers of security controls and improve/adopt a defence-in-depth approach to security.
Legal & Communications
Depending on the criticality of the incident, company officers and employees may need to be notified of the incident immediately. Business partners and key external parties should also be informed at the earliest possible juncture and kept informed as the investigation progresses.
The Legal & Communications team should prepare a statement to inform the wider public of the incident. They should also work with IT and Information Security to develop and implement temporary workarounds for impacted critical functions including email, payroll, and customer portals.
The team should also prepare for regulatory or compliance reporting requirements such as those covered by GDPR.
EY does not recommend paying ransom demands for a variety of reasons. From a moral perspective, paying ransoms will only fund continued criminal activity. Payment could also expose companies to legal risk with no guarantee that the criminals will make good on their promise to supply a decryption key or other means of recovering data. Indeed, companies that pay ransoms may actually find themselves vulnerable to re-infection by the same criminals or their associates.
To learn more about Cybersecurity and how EY can support, visit our Cybersecurity page here.