ASK FOR HELP. The first actions shortly after detection are key: we recommend involving third parties who are experienced in incident response. Among other things, you should set up emergency teams, a chain of command and emergency communication channels, reach out to employees in any way you can to inform them about the incident, give them clear instructions and provide them with access to the emergency communication channels if necessary. The rule of thumb is: network access should be cut, and machines that are turned off should not be turned on until further investigation.
DO NOT PAY. Negotiating with criminals and paying the ransom is ultimately your decision, but we encourage you not to pay, as there is no guarantee whatsoever that they will hold up their side of the deal (e.g. providing a decryptor, not publishing the data, not infecting the network again, providing details on how they gained access). Moreover, paying the ransom adds even more to the millions of euros these groups already hold, financing ever more advanced attacks in the future.
ISOLATE. The impact of a ransomware compromise depends heavily on whether the organization has backups of its data, or of parts of its data, and whether these backups survived the infection. Isolate storage that contains only intact data or backups; this will help the most in restoring business-critical systems as fast as possible.
COMMUNICATE. Being transparent towards your employees, partners, stakeholders and the public is always encouraged, especially in hard times. Giving them regular updates as the investigation and the recovery progress may seem tedious, but we urge you to keep others informed. Furthermore, security incidents have to be reported to the local authorities, both for the data breach and for the criminal activity.
PRIORITIZE. Define the business-critical elements that need to be restored first and make them the priority. Business continuity has to be reinstated and core processes have to be running again, as well as email communication, but only you can define what is most important. The steps of recovery are detailed further below.
ANALYZE. If you restore your environment to the exact same state it was in before, it means either that the attackers still have access to your network, or at least that you still have the same weaknesses they originally exploited. This is why it is crucial to have an experienced team of forensic analysts, network forensic analysts and malware analysts who can trace back the security events leading to the ransomware attack. Unfortunately, due to the destructive nature of the ransomware itself and the attackers' evasiveness, these forensic artifacts will not always be present or recoverable, but it is still worth conducting the root cause analysis. The goal of the investigation is to find and patch the weaknesses the attackers found and used during their attack, not to point fingers.
PROTECT. Once the recovery is complete and you are back in business, it is high time you took steps to decrease the risk of such events ever happening again. If an organization cannot prove it had at least basic defensive measures in place, it will most likely face a significant fine from data protection authorities, and the insurance company can and will deny coverage. Also keep in mind that the new infrastructure was reinstalled hastily in a very short period of time, which increases the chance of introducing yet another weakness, so we encourage you to double-check your configurations, your public-facing devices and services, and the protection of user credentials. Protecting enterprises or SMBs has its own challenges and is a continuous grind, but it still costs orders of magnitude less than the consequences of a full-scale security incident such as a ransomware attack.