Developing a ransomware incident response plan may seem like a daunting task, but it’s important to have one in place in case your company falls victim to this type of attack. There are a few key elements that should be included in your plan, such as:

• Identifying who will be responsible for leading the response effort
• Determining what data and systems are critical to your business and must be protected at all costs
• Creating a backup and disaster recovery plan so you can quickly get your systems back up and running in the event of an attack
• Developing procedures for communicating with employees, customers, and other stakeholders during and after an attack

By taking the time to create a comprehensive ransomware incident response plan, you can help ensure that your business is prepared to handle this type of threat.

How to create Ransomware Incident Response Plan in 5 steps?

1. Assess and validate threat risks
2. Mitigate ransomware attack
3. Respond to ransomware incident
4. Train workforce
5. Analyze

What are the 4 phases of Ransomware Incident Response Plan?

There are four identified phases of ransomware incident response plan activity — Analysis, Containment, Eradication and Recovery.

These phases do not always happen serially. As further investigation occurs additional information may be obtained that requires previous phases to be revisited. The individual four phases are identified below and discussed in further detail in subsequent sections in this playbook.

Containment

The containment stage is focused in stopping any further propagation of the malware throughout the network. Additional assistance from the infrastructure, network, and/or storage teams may be required. Any additional disruptions to operations required during the containment process must be communicated to the appropriate business groups via the communications lead.

Analysis

The analysis process is aimed at identifying the ransomware variant and how it entered the network. Information gathered in this phase needs to be preserved and will be used in all phases.

Remediation

The remediation phase is focused on eradicating all malicious artifacts on the network. It involves full system scans (including integrity of system configuration files), patching vulnerabilities, updates to threat intelligence tools and submission of IoC to relevant third parties (e.g., MSSP/MDR provider).

Recover

This final phase is focused on recovery of the incident and returning to normal business. It also includes the requirement for a post-incident review and report.

Containment

Identify Affected Hosts

A first critical step is to understand the scope and sprawl of the ransomware infection. You need to identify all affected assets and determine the infection boundary (i.e., extent of lateral sprawl).

Isolate Affected Hosts

Upon successful identification of an affected host, a CSIRT member should immediately start isolating the host. Simultaneously other members can continue the analysis to determine ransomware strain and the full extent of the cyber-attack.

***IMPORTANT***

Do NOT power off machines without guidance from forensic investigators — doing so may destroy valuable forensic data residing in memory or executing on disk.

Reset Impacted User/Host Credentials

All affected user and device accounts must be reset. At this point we don’t know what information has been exfiltrated. We have to minimize the risk to the business.

Analysis

Preserve Evidence

It is of the utmost importance to preserve evidence and maintain a chain of custody when starting to investigate a ransomware attack.

If you are unsure or do not have the technical capabilities for forensic evidence preservation it is highly recommended that you engage with a forensic incident response provider for assistance. During analysis and investigation you may need to reference specific forensic artifacts and in some cases there may be a legal requirement to preserve the evidence.

Sample evidence sources could include:

• ransomware notification
• encrypted files
• event logs
• application logs
• alert events
• forensic images of disks/memory
• in-memory processes
• network packet capture files

NOTE: If there is strong reason to believe that a criminal or civil proceeding is likely, Chain of Custody form must be used. Consult legal counsel regarding applicable laws, regulations and procedures related to evidence collection and preservation.

If unsure, follow the guidance from NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response.

Identify Ransomware Strain

Typically ransomware does not mask it’s type, strain, name or version. In cases where this information may not be available the CSIRT will need to leverage third-party resources and threat intelligence to identify the strain. In cases where a third-party incident response team has been contracted, they can lead or assist with this process. The following resources below may be helpful in identification:

• https://www.nomoreransom.org
• https://www.virustotal.com
• https://id-ransomware.malwarehunterteam.com
• Generic internet research based on artifacts or behavior on the ransomware

NOTE: Be careful with what type of data submitted to third-party web resources. When in doubt, consult with CIO, CISO, or legal counsel for guidance.

Establish Infection Vector

Determine how the impacted system(s) were compromised. This necessary step prevents spreading and re-infecting the systems.

Validate Data Backup Availability and Integrity

Validate that the data backups have not been corrupted nor tainted with the malware.

Contact Law Enforcement

With permission from the legal department reach out to your federal law enforcement agency responsible for cybercrime (Australia — Australian Federal Police, Canada-RCMP, U.K. — National Cyber Security Centre, U.S. — FBI, etc.) to report the incident. Contact information should be included in your IRP.

Decision to Engage Cyber Insurance Carrier

Dependent on the extent of the ransomware infection, a decision needs to be made as to whether or not to engage with the cyber insurance carrier.

The decision should include at a minimum the following considerations

• Extent of infiltration
• Has data exfiltration occurred
• Incident response capabilities
• Potential costs (recovery and business disruption) to the business

Identify who (or what group) specifically in the business will make the decision as to engage with the insurance carrier. This has to be a timely decision and made early on in the process as the insurer may have a specific methodology that must be followed while responding to the incident in order to remain compliant with insurance policy terms and conditions.

Data Exfiltration

Regardless what the bad actors tell you, you should review logs to validate what data (if any) has been exfiltrated. Even if you’re presented with copies of sample files, you need to understand the full extent of the data exfiltration. Your response to the data exfiltration will vary dependent on the sensitivity and legal/compliance requirements of the associated dataset.

Notifications

Once an incident has been identified, determine if there are others who need to be notified, both internal (e.g., board of directors, human resources, legal, finance, communications, business owners, etc.) and external (e.g., service providers, government, public affairs, media relations, customers, general public, etc.). Most importantly, remain factual and avoid speculation. This communication plan should be outlined and/or referenced as part of your IRP. Communication plans should also address any regulatory notifications that need to occur.

Inform Legal

The legal team and/or data protection office will review the type of data that was exfiltrated and determine the requirements for regulatory notifications and reporting.

Depending on the degree of sensitivity of the incident, it may be necessary for legal or management to remind employees of their responsibilities in keeping the information confidential.

Regulatory Notifications

In instances where regulated data has been exfiltrated it may be necessary to provide some form of regulatory notification. These notifications are time sensitive and most regulations have specific requirements that must be followed. At a minimum identify what regulations the organization is subject to and the mandatory reporting requirements. Remember to include both privacy and industry regulations. For example:

• Privacy (i.e., GDPR, CCPA, CPPA, etc.)
• Industry (HIPAA, PCI-DSS, FINRA, SOX, etc.)

Sample Notification Requirements

GDPR — Must report to the Information Commissioner’s Office (ICO) without undue delay but not later than 72 hours after becoming aware of the breach

CCPA — Must notify affected resident in the most expedient time possible and without unreasonable delay. Where greater than 500 residents affected, must report to both the individuals and Attorney General’s Office.

NOTE: For incidents involving cardholder data, credit card vendors (VISA, Mastercard, AMEX, etc.) may have defined specific requirements to be followed in addition to regulatory requirements. Review merchant requirements as necessary.