
How to create a ransomware incident response plan

The increase in recent attacks makes clear the need for a ransomware incident response plan. Here's how to limit the effect of such attacks, as well as what to do if infected.

A comprehensive ransomware incident response plan is crucial for infosec programs. The incident response plan can serve as the foundation of the program and, as an evolving document, should include a feedback loop to update the program when new vulnerabilities are identified.

Recent wide-ranging ransomware attacks have made the news for significantly affecting enterprises. In fact, 2019 saw record numbers of ransomware attacks, with quantities quadrupling over the previous year and accounting for the biggest share of incidents tracked in Trustwave's 2020 Global Security Report. The COVID-19 pandemic resulted in another wave of ransomware threats and attacks, this time against hospitals and public health facilities.

With better planning, however, it is possible to reduce the effects of ransomware attacks. Read on to learn the importance of ransomware prevention, as well as steps to include in incident response plans.

Enterprise ransomware preparation and planning

Companies should test an incident response plan -- ideally, before an incident, as well as on a regular basis -- to ensure it accomplishes its intended results. Using a tabletop exercise focused on testing the response to a ransomware incident, participants can use existing tools to test their effectiveness and determine if additional tools are necessary. Companies may want to have annual, quarterly or even monthly exercises to test the plan and prepare the business. These tests should involve all the relevant parties, including IT staff, management, the communications team, and the public relations (PR) and legal teams.

Enterprises should also document which of their security tools have ransomware prevention, blocking or recovery functionality. Additional tests should be conducted to verify simulated systems infected with ransomware can be restored using a backup in a known-good state. While some systems save only the most recent version of a file or a limited number of versions, testing to restore the data, system or access to all critical systems is a good idea.

Enterprises with cyberinsurance will want to verify whether their policy covers a ransomware incident or the ransomware negotiation process.

Steps in a ransomware incident response plan

Organizations should have documented ransomware prevention processes that include the following:

  • regularly backing up systems;
  • updating software on a regular basis, including antimalware and other security mechanisms;
  • performing security awareness training that teaches employees the dangers of clicking links and downloading potentially malicious files;
  • reviewing and updating access control measures following the principle of least privilege; and
  • performing risk analysis.

Other steps include installing spam filters, scanning emails for potential threats, blocking malicious IP addresses, performing regular antimalware scans and using application whitelisting so that only approved applications can run.

Another consideration is talking through what would happen if there were a ransomware attack. How much would your organization pay in potential ransom? Are there parameters for when a ransom would be paid and when it isn't an option? How would your organization make the payment? Who would negotiate with the hacker? While paying a ransom is usually not recommended, it is important to consider the question in advance and get C-level approval on the decision.

The tradeoff between how much to spend on prevention and how much on response will continue to drive infosec. As the costs of ransomware attacks -- beyond any ransom paid -- become more significant and disruptive to enterprises, planning how to weigh these costs before an attack happens becomes more important.

A 9-step ransomware incident response plan

Ransomware is no longer just an endpoint being encrypted by malware. Servers, applications and even data stored in cloud services can be encrypted and held for ransom. While the specific recommendations vary depending on the systems involved in an incident, being prepared with a comprehensive plan can help reduce the effects of any attack.

Enterprise ransomware incident response plans should include the following steps:

  1. Validate the attack. Confirm whether the event was indeed an attack. Many incidents can be linked to phishing, adware or other malware incidents but not specifically ransomware. If it is determined to be ransomware -- i.e., files are encrypted or locked -- proceed to the next steps.
  2. Gather the incident response team. Make sure IT staff, management, PR and legal teams are aware of the issue and ready to tackle their roles in the response efforts.
  3. Analyze the incident. Examine the scope of the incident. Note which applications, networks and systems were affected, and determine how actively the malware is spreading.
  4. Contain the incident. First, disconnect the infected system from the network to ensure the attack does not spread to other computers and devices. Then, ensure backups are secured and free of malware. Every incident will generate some volatile evidence, such as log files or system images. Document this evidence as soon as possible, and check it regularly, as it may change if the attack is ongoing. When ransomware is involved, such evidence may also include a recoverable encryption key as long as the investigation begins before the encryption key is deleted. In some cases, if the incident is detected quickly enough, the encryption can be stopped.
  5. Perform a thorough investigation. Try to identify which ransomware strain has been used, its potential risks and recovery options. Some ransomware varieties use weak encryption that has a publicly available decryption mechanism provided by a security vendor or researcher. The No More Ransom initiative, a partnership between law enforcement and IT security companies, aims to help ransomware victims recover files where plausible.
  6. Eradicate malware, and recover from the incident. This involves wiping infected systems and restoring lost data from backups. Be sure to change all account, network and system passwords after removing a device or system from the network. Change passwords again once the malware is removed completely from the network.
  7. Contact law enforcement. Governments are urged to report any ransomware incidents to law enforcement. Enterprise responders may also want to involve law enforcement agencies in the case of a high-impact incident or data breach. Law enforcement experts may be able to offer guidance for paying ransoms based on previous experience with a strain of ransomware or criminal organization involved in the attack. In the U.S., organizations can contact the Multi-State Information Sharing and Analysis Center, FBI or Internet Crime Complaint Center. Private companies can also be hired to help enterprises infected with ransomware, including assisting with the negotiation process if needed.
  8. Perform post-incident activities. Adhere to regulatory and breach notification requirements, if applicable. Organizations should also verify the restoration of backups to ensure all applications, data and systems are accounted for.
  9. Perform analysis, and learn from the attack. During this step, organizations can discover and analyze why the attack happened and apply appropriate actions to ensure the same vulnerability is not exploited in the future. For example, if the ransomware was the result of an employee clicking a malicious link, the company should perform additional security awareness training. Also, revise security policies if necessary. Security teams should also analyze how the ransomware incident response plan performed. If certain steps did not go as planned, review the plan, and update it where needed to improve efficiency.
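As an added illustration of steps 1 and 3 (not code from the original article), the following Python triage script scores file-change telemetry for the indicator the plan uses to validate ransomware: files rewritten with high-entropy content and renamed to a new extension, counted per host to scope which systems are affected. The event records, byte samples, threshold and extension allow-list are all constructed for this example.

```python
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted output approaches 8.0
# Formats that are compressed containers and therefore dense by design
# (illustrative allow-list; a real deployment would tune it to its environment).
HIGH_ENTROPY_FORMATS = {"jpg", "png", "zip", "pdf", "docx", "xlsx", "mp4"}

# Constructed byte samples: HIGH holds every byte value exactly twice (8.0 bits),
# LOW is plain CSV text.
HIGH = bytes((i * 97) % 256 for i in range(512))
LOW = b"invoice_id,amount,currency\n1001,250.00,USD\n" * 8

# Constructed telemetry: (host, path before change, path after change, sampled bytes)
EVENTS = [
    ("fs01", "/share/fin/q1.xlsx", "/share/fin/q1.xlsx.locked", HIGH),
    ("fs01", "/share/fin/q2.xlsx", "/share/fin/q2.xlsx.locked", HIGH),
    ("fs01", "/share/hr/roster.docx", "/share/hr/roster.docx.locked", HIGH),
    ("fs01", "/share/hr/README.txt", "/share/hr/README.txt.locked", HIGH),
    ("ws07", "/home/a/draft.docx", "/home/a/~$draft.docx.tmp", LOW),  # editor autosave
    ("ws07", "/home/a/photo.jpg", "/home/a/photo.jpg", HIGH),        # JPEG is dense anyway
]

def shannon_entropy(data):
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_suspicious(before, after, sample):
    """Dense content plus a rename, or dense content in a format that is normally not dense."""
    renamed = extension(before) != extension(after)
    dense = shannon_entropy(sample) >= ENTROPY_THRESHOLD
    return dense and (renamed or extension(after) not in HIGH_ENTROPY_FORMATS)

def triage(events, min_hits=3):
    """Per-host counts of suspicious changes and a verdict for the response team."""
    hosts = defaultdict(lambda: {"events": 0, "suspicious": 0, "paths": []})
    for host, before, after, sample in events:
        h = hosts[host]
        h["events"] += 1
        if is_suspicious(before, after, sample):
            h["suspicious"] += 1
            h["paths"].append(after)
    for h in hosts.values():
        h["verdict"] = ("encryption in progress: isolate host" if h["suspicious"] >= min_hits
                        else "investigate" if h["suspicious"] else "no ransomware indicators")
    return dict(hosts)
```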
This was last published in May 2020
