This is my 7-step response plan. What’s clear is that no organization is 100 per cent immune. So, the key is how you respond to an attack.
You must act fast. This will boost your chances of stopping the attack from spreading enterprise-wide. And the best way to achieve this? Unplug infected laptops from the network, but do not switch them off; otherwise you will lose all the information you need for a forensic investigation of the attack.
That’s the advice I received from my cybersecurity consultant. As an organization, we procure several cybersecurity services from Capgemini, but in this case I wanted something different. I wanted the reassurance that we could stop a ransomware attack from doing untold damage (assuming my backup plan was proven to work well, and that I had good offline backups).
Together, we drew up a 7-step response plan. It doesn’t make us infallible, but it gives us a fighting chance.
Firstly, never consider paying the ransom. Very little ransomware is built in a way that lets it restore your data. Also, by paying, you are doing exactly what the attacker wants, and you are creating the incentive for real growth in ransomware attacks.
Here’s how the plan looks:
Step 1: Unplug affected laptops, PCs and other devices from the network – but DO NOT shut them down.
Step 2: Make a call. Don’t send an email alert about the attack (you need to be offline); instead, phone your external cybersecurity support or the responsible internal resource.
Step 3: Carry out a first-level forensic investigation to ascertain the extent of the threat. Which domain? What ransomware are you facing? What network elements are affected? This is why you need to keep your laptops running after you’ve unplugged them from the network.
Step 4: Protect what is still safe. It is a mistake to focus on restoration at this stage. Instead, you need to stop the ransomware propagating before you begin to restore your laptops. How? Shut down the network elements identified in Step 3.
Step 5: Clean your IT landscape. If you know what the ransomware is, where it entered your network, and who has been targeted, you can start to remove the threat. Don’t forget to correct your master images before doing a full restore of the laptops. If the ransomware was propagated through email or a file, think about people who are out of the office: remove the mail or files from servers, sharing services, laptops, etc.
Step 6: Begin restoration, ideally one laptop at a time – if you restore multiple laptops at once, you risk the ransomware trying again. This may be frustrating for your users, but it is an important step in the fight against ransomware.
Step 7: Learn from the attack. Where did the protection fail? What new protection measures should you take? Are there areas of your network that need isolating entirely? Do your data backup and recovery measures need revamping?
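As an added illustration of why Steps 1 and 3 keep the machine powered on (this is example code written for this page, not part of the plan above or any Capgemini tooling), here is a small Python script that snapshots the volatile state a shutdown would destroy and seals each capture with a SHA-256 hash before the cable is pulled. The Linux command names in `DEFAULT_COMMANDS` are an assumption; swap in the equivalents for your platform.

```python
"""Collect volatile evidence from a host that is about to be isolated.

Example for Steps 1 and 3: the host stays powered on and the network
cable is pulled by hand; before that, capture what a reboot would lose
(processes, sockets, sessions, ARP cache) and hash it so the first-level
forensic investigation starts from a trustworthy baseline.
The command names below are Linux examples and an assumption of this script.
"""
import hashlib
import json
import os
import subprocess
import time

# Artifact name -> read-only command that produces it.
DEFAULT_COMMANDS = {
    "processes": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
    "sockets": ["ss", "-tunap"],
    "sessions": ["who", "-a"],
    "arp_cache": ["ip", "neigh"],
}

def run_capture(cmd, timeout=30):
    """Run one read-only command; record the failure instead of aborting triage."""
    try:
        out = subprocess.run(cmd, capture_output=True, timeout=timeout)
        return out.stdout + out.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"CAPTURE FAILED: {exc}\n".encode()

def collect_triage(out_dir, commands=None):
    """Write each artifact into out_dir and return a manifest with SHA-256 hashes."""
    commands = commands or DEFAULT_COMMANDS
    os.makedirs(out_dir, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"), "artifacts": {}}
    for name, cmd in commands.items():
        data = run_capture(cmd)
        with open(os.path.join(out_dir, f"{name}.txt"), "wb") as fh:
            fh.write(data)
        manifest["artifacts"][name] = {
            "command": " ".join(cmd),
            "sha256": hashlib.sha256(data).hexdigest(),
            "bytes": len(data),
        }
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

if __name__ == "__main__":
    target = f"triage-{int(time.time())}"
    m = collect_triage(target)
    print(f"{len(m['artifacts'])} artifacts sealed in {target}; now pull the cable, do not shut down.")
```

Run it as root from removable media on the affected machine, then copy the output directory off the host before handing the laptop to the investigators.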
Ransomware attacks are receiving global news coverage – with good reason. But at least I know that, as CISO, I’m doing all I can to limit the risk to my organization.