Josh Ablett

Ransomware Playbook: 31 Critical Questions to Build Your Own

Are you worried about ransomware? You should be.  Ransomware is hitting companies of all sizes, sometimes with disastrous results.  

Many companies need to put together a specific plan for ransomware, known as a “ransomware playbook.”  We think even small firms should spend some time planning what they will do if they're hit.   

When ransomware hits, time is of the essence. You’re literally in a race against time, and ransomware moves at computer speed.  If you waste time debating who will do what, you’ve already lost.

Some people think the answer to ransomware is simply “call your IT person.” This is naive, as a successful ransomware attack can and will touch every part of your company.  

As you work to put together a ransomware playbook of your own, here’s our list of things that you should include:

1) Prepare

Before you get started, there are quite a few questions that your team must answer.  Here are some of the most important ones: 

Which computers are most important? 

Some computers in your company are critical, others aren’t. Ransomware against your main file sharing server is urgent.  Ransomware against the crappy old computer that runs the scanner isn't. Your first step is to know which machines matter.

Make sure to include data you keep in cloud services as well.  While they have additional protections in place, no company is immune to ransomware.  

Is your data backed up to an air-gapped location? 

Make sure your critical computers are backed up. Safest is to have them backed up to an “air gapped” location, meaning a location that isn’t connected to your network.

Also, are your backups versioned?  In some cases, the ransomware itself has been backed up!  You might need to go back to a previous version of a backup.   

Do you have cyber breach insurance? 

Beyond covering your costs, most cyber breach insurance plans offer one-stop hotlines to call if you're hit with ransomware. They already have attorneys, forensic experts, and notification services that you might need. 

Does your cyber breach insurance cover ransomware? 

Specifically, you want to make sure that your insurance covers ransomware. Don’t be surprised if it raises your premium, though. 

Will your cyber breach insurance pay a ransom? 

Make sure they have the ability and cryptocurrency accounts needed to pay a ransom.

This is an important consideration.  Setting up a cryptocurrency wallet is not a trivial task.  It can take days to set up a wallet and load it with the amount required to pay a ransom.  In some cases, the deadline for a ransom may even pass before you have it set up.  That’s why it’s important to have this discussion with your insurance company ahead of time.  

If you don’t have cyber breach insurance, you may want to consider funding a Bitcoin wallet ahead of time.  

Will your staff spot it? 

Train your staff to identify signs of ransomware AND who to call if they think something's happening.  

Ransomware can be detected in many ways:

  • A message popping up on the user’s screen
  • Local computer files no longer being accessible
  • Shared, networked files no longer accessible
  • Computer locks up or crashes
  • Applications or services that used to work no longer work

Also, give them some easy instructions to follow.  For example, take a photo of the suspicious thing with your phone and text it to IT.  Something clear and concise that doesn’t rely on the use of a computer.  

Who is your response team? 

You need to define, specifically, what team will gather to execute on your ransomware playbook. What are their email addresses and cell phone numbers?  Remember, time is of the essence.  Also, how specifically will you all meet in a virtual environment as quickly as possible?

In many cases, your team’s first call will be to your cyber insurance provider's incident hotline.  If you don’t have an insurance policy, you may want to source a firm to help you independently like this one.  

Who does what? 

Who will lead your incident response calls? Who will take notes? Who from IT will attend? Who from security? Who will keep executives updated as the incident unfolds?  Will you involve your attorney so your documentation is protected by attorney-client privilege?

Who should you contact in law enforcement? 

In the US, the agencies focused on ransomware are the US Secret Service and the FBI. You should know how to contact them for your area. You may also try calling local law enforcement. 

However, don’t be surprised if it takes time to hear back — they are very busy. 

Are your computers protected? 

Businesses should have more than just basic antivirus to protect against ransomware. Review what you have installed with your IT firm to make sure it has robust protection. 

Better yet, work with a team like ours to perform penetration tests to see how well you'd do.   

Where are you storing your ransomware playbook? 

After you go through this article and meet with your team, you'll end up with a documented ransomware playbook.  

But if you keep it only on your computer, there’s a chance you won’t be able to access it during a ransomware attack.

Keep digital and printed copies of this playbook in a secure, off-site location.  

Who will make difficult business decisions? 

This may be the most important question to answer in your ransomware playbook. 

In a ransomware attack, there is no one right answer, but a lot of “least wrong” answers.

For example:

  • What’s more important -- getting people back to work, or preserving evidence? 
  • What’s faster and cheaper -- paying the ransom or recovering all of your files from backup?
  • Should we notify our clients, or will that erode their trust in us?
  • Was our data just encrypted or was it actually stolen by the hackers?  Oftentimes this decision needs to be made without clear evidence.

There are no “one size fits all” answers to any of these questions, which is why you should discuss them ahead of time.  

2) Detect

Here are the questions you need to answer to be ready for an actual incident.

What’s the first thing a user should do? 

Some recommend disconnecting the network cable (if one exists). But what if you use wifi? Others suggest pulling the power cord from the computer, though this can disrupt crucial evidence. If you’re not in a networked office behind a firewall, you may not need to do either. Talk with your IT and cybersecurity team about what first step makes the most sense for you.

What experts will you call? 

Computer forensics people are highly trained experts. Amateur attempts can actually wipe critical evidence, making it harder (or even impossible) to figure out what happened. Know which forensic experts you’re going to call (typically those provided by your cyber breach insurance company). 

How will you contain the outbreak? 

Discuss how you will decide whether to quarantine a single machine vs. taking measures on other computers. How will you quickly spread the message to all staff members of the steps they need to take? Remember, their computers may no longer be usable, and time is of the essence. 

How will IT contain the outbreak? 

Talk through your options to detect and disrupt the ransomware, especially if it moves between computers. 

These vary by company, but may include:

  • Network tools (like firewalls) to block ransomware attempts to “phone home” or to upload your files
  • Network tools (like switches and routers) to block attempts by ransomware to spread inside your network
  • Network tools that can quickly and efficiently disconnect every computer from the network at the same time
  • Email reporting tools to identify “remailers” that spread ransomware via email
  • Endpoint tools that can quickly block specific applications, files, or network communication attempts
  • Domain tools that can lock users out of key system resources

Take the time before you’re hit to know what tools you have in your toolbelt.  

3) Respond

Here are the questions you need to answer about your response to be ready for an actual incident.

How will IT identify the strain of ransomware? 

Existing security tools may tell you which strain of ransomware you’re facing.  

There are also sites like CryptoSheriff and ID Ransomware where you can upload a sample of the ransomware in hopes of identifying it.  

Is the key publicly available?  

For some older ransomware, the methods to decrypt them are published online.

Here’s an article that lists eight different places to find ransomware decryption tools that you can include in your ransomware playbook.    

How will you preserve forensic evidence? 

You can’t afford to be down while your forensic experts try to figure out what happened.  Your IT team has a lot of different options for preserving evidence, including:

  • Building new machines and leaving the old ones intact
  • Taking images of the infected machines and then wiping them
  • Copying files and logs off the infected machines before wiping those machines

Discuss the approach you’ll take with your IT team based on what tools exist in your environment.

What other evidence is available?  

Beyond the infected machines themselves, other systems in your company might have critical evidence.  Review your list of security and monitoring tools and write a list of which logs will be pulled from each system to help identify what happened.  Remember, time is of the essence, and you don’t want the logs to be overwritten with new data.

You also want to be thorough in documenting everything you can.  Clearly assign who will be responsible for collecting this documentation and where it will be stored.  Be thorough about keeping screenshots, scan results, and records of anything else that is done along the way.  
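One way to carry out the log collection described above, as an added example that is not from the original article: the Python below copies each listed log into an evidence folder, records who collected it, when, and its SHA-256 hash in a manifest, and can later report any stored copy that has changed. The `manifest.json` layout, the file names, the collector name, and the sample log line are assumptions constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # chunked: logs can be large
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and write manifest.json (assumed layout)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(map(Path, sources)):
        entry = {"source": str(src), "collector": collector,
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        if not src.is_file():
            entry["status"] = "missing"  # record the gap instead of stopping
        else:
            dest = evidence_dir / f"{index:03d}_{src.name}"  # prefix avoids name clashes
            shutil.copy2(src, dest)  # copy2 keeps the original modification time
            entry.update(status="copied", stored_as=dest.name,
                         size=dest.stat().st_size, sha256=sha256_file(dest))
        entries.append(entry)
    (evidence_dir / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries


def verify_evidence(evidence_dir):
    """Return names of stored copies whose hash no longer matches the manifest."""
    entries = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["stored_as"] for e in entries if e["status"] == "copied"
            and sha256_file(evidence_dir / e["stored_as"]) != e["sha256"]]


def demo():  # constructed sample: one made-up firewall log and one absent path
    work = Path(tempfile.mkdtemp())
    (work / "firewall.log").write_text("2020-01-01T00:00:00Z DENY 10.0.0.5 -> 203.0.113.7:443\n")
    store = work / "evidence"
    entries = collect_evidence([work / "firewall.log", work / "absent.log"], store, "it-lead")
    clean = verify_evidence(store)
    (store / "000_firewall.log").write_text("altered after collection\n")
    return [e["status"] for e in entries], clean, verify_evidence(store)
```

Point `evidence_dir` at storage that is not on the affected network, and keep a copy of the manifest with the incident notes so the hashes can be checked independently.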

How and when will you start working again?

This probably isn’t something that you can decide in advance since every incident of ransomware may be different.  Instead, discuss who will make the decision and what factors you’ll consider in making the decision.  

What stakeholders need to be notified?  

If you’re offline for an extended period of time, someone will need to notify all of the stakeholders of your business.  Your team, your executives, your Board of Directors, your clients, and your vendors may need to be notified.  Make sure you have your lists, point people, and contact people identified before an incident.  This is another area where it’s important to involve your attorney to craft effective communications.  

Are you required to follow breach notification laws or contracts? 

If the ransomware attack involved a possible data breach, you may be required to notify affected clients.  Figure out which attorney you will use to determine your liability and plan of action.  

Who will handle the press?

If news of your ransomware event becomes public, who is authorized to handle media inquiries?  In some cases, the event may rise to the level of wanting to engage a public relations firm.  

What if you don’t get the key?

Ransomware is a business.  Hackers are motivated to deliver on their promises.  However, there have been cases where a company pays a ransom, but the decryption key doesn’t work.  Be sure to talk through what you will do then.

How will your IT team make your systems safe to start working again?

Once the scope of the damage is known and evidence is prepared, IT can get to work getting users back online and recovering key data.  

You should NEVER bring computers back into an environment if there’s a chance of continued infection from ransomware.  

You need to agree with your IT team, though, what steps they’ll take to keep the new environment safe from ransomware in the immediate term.  This may include things like:

  • Changing all user passwords
  • Changing all usernames
  • Wiping all machines and re-installing all programs
  • Keeping machines offline while rebuilding them
  • Recreating all passwords, certificates, service accounts, credentials, etc. 

Again, there won’t be a “one size fits all” approach to this, so discuss ahead of time how you’ll approach this in the heat of the moment.  

4) Recover

Now that you’re back online, let’s make sure that you don’t run into the same problem again.  Here are some questions to answer.

Who’s on point?

Companies often forget to go back and figure out what went wrong.  Decide whose job it is to perform a lessons learned review of the incident.

How did it get in?

Unfortunately, you may never know for sure.  If you know, great.  If not, make an educated guess, and use this to strengthen your cybersecurity controls.  Pay special attention to your email security, as phishing is one of the most common ways that ransomware gets into organizations.    

Why wasn’t it detected?

This will likely reveal systems that were either missing, or that were in place but being ignored.  Use this question to identify what gaps need to be filled.

What vulnerabilities allowed ransomware to happen?

Once you know the type of ransomware, you’ll be able to figure out how your vulnerability patching program let the problem happen.  

How can we improve our training?

Based on what you’ve learned, improve your training to make sure your team can spot future incidents.

What’s Next?

The best way to get your ransomware playbook ready is to do a “tabletop exercise.”  Get together with your IT team, your security team, and your company executives.  Using this article as a guide, come up with your own answers to the questions raised above.  

As you’d imagine, most companies don’t publicly share examples of their ransomware playbooks, but there are a few out there that are a few years old.  Here’s a decent one from a Bible Fellowship that may be appropriate for smaller businesses.  There are also a couple that are a better example of large company ransomware playbooks.   

If you’d like help performing a tabletop exercise to build your ransomware playbook, please contact us.  


Copyright 2020 Adelia Associates, LLC