If your network experiences a ransomware attack, your IT staff will likely want to begin researching and working to stop the attack immediately, before they receive guidance and assistance from an outside incident response firm. This guide is intended to help your first responders identify the most important priorities for containing a ransomware attack and avoid common pitfalls that can hinder later investigation and recovery activities.
At this point you can stop, take a breath, and begin to evaluate the situation and develop an investigation and recovery strategy. Examples of key next steps include:
In the case of an incident, your organization will want to avoid the following.
Many times, IT staff may delete encrypted files or impacted virtual machines to free space for recovery, only to learn that the associated backups are missing or corrupt. Be sure to retain copies of all encrypted or impacted files and systems until after backups are validated and restores are complete, even if it means you have to slow down recovery to add temporary storage and copy potentially unneeded data.
Deleting files or virtual machines, or performing other recovery activities before taking steps to preserve disk images, logs and other evidence, can destroy artifacts that could be used later to help tell the story of how the attacker got in and what data they stole.
There is often a tendency to underestimate an attacker early on and to conclude that it is unlikely the attacker accessed some critical system or set of sensitive data, perhaps because of a belief that the data would have been too hard to find or too difficult to extract. The organization then bases its decisions about investigation and notification activities on these optimistic assumptions, only to learn that the assumptions were wrong.
Be aware that the attacker may be monitoring your communications during and after the attack. For example, one community organization disclosed their insurance policy’s ransom coverage limit in a public board meeting discussing the community’s response options, which led to the attacker increasing their demand to match the policy limit.
If you would like assistance in creating your response plan for ransomware attacks, please contact our cybersecurity team at any time!
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.