Are you worried about ransomware? You should be. Ransomware is hitting companies of all sizes, sometimes with disastrous results.
Many companies need to put together a specific plan for ransomware, known as a “ransomware playbook.” We think even small firms should spend some time planning what they will do if they're hit.
When ransomware hits, time is of the essence. You’re literally in a race against time, and ransomware moves at computer speed. If you waste time debating who will do what, you’ve already lost.
Some people think the answer to ransomware is simply “call your IT person.” This is naive, as a successful ransomware attack can and will touch every part of your company.
As you work to put together a ransomware playbook of your own, here’s our list of things that you should include:
Before you get started, there are quite a few questions that your team must answer. Here are some of the most important ones:
Some computers in your company are critical, others aren't. Ransomware against your main file sharing server is urgent. Ransomware against the crappy old computer that runs the scanner isn't. Your first step is to know which machines matter, including the ones other systems depend on (a domain controller, the backup server, a hypervisor host), since attackers go after those deliberately.
Make sure to include data you keep in cloud services as well. While they have additional protections in place, no company is immune to ransomware, and a file-sync client will happily upload the encrypted versions of your files over the good ones. Check that the service keeps version history and how far back it goes.
Make sure your critical computers are backed up. Safest is to have them backed up to an "air gapped" location, meaning a location that isn't connected to your network. If that isn't practical, at least keep offline or immutable copies that an attacker with a stolen admin password can't delete or encrypt.
Also, are your backups versioned? In some cases, the encrypted files (or the ransomware itself) have been backed up over the good copies. You might need to go back to a previous version of a backup, so know how many versions you keep and how to tell a clean one from a contaminated one.
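One way to tell a contaminated backup version from a clean one is the fact that encrypted files are nearly incompressible: their bytes look random, so their entropy sits close to 8 bits per byte, while documents and spreadsheets sit well below that. The script below is an added example (not code from the original article) that walks snapshot-style backup directories, flags any snapshot in which most files look encrypted, and picks the newest one that does not. The directory layout (one timestamped directory per backup run), the thresholds, and the sample data it builds are all assumptions made for illustration.

```python
"""Pick the newest backup snapshot that does not look ransomware-encrypted.

Added example, not from the original article. Assumed layout: one directory
per backup run under backup_root, named by timestamp so that lexical order
is chronological, e.g. 2024-03-02T02-00/... (hypothetical).
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are high-entropy by design (compressed or ZIP containers, which
# includes Office files). Skip them so they don't cause false positives; the
# check then relies on text-like files and on ransomware's habit of renaming
# files to a new extension.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                      ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain text and CSV are typically 4-6
SUSPECT_FRACTION = 0.5    # snapshot is "encrypted" if this share of files is suspect
SAMPLE_BYTES = 64 * 1024  # reading the head of each file is enough to judge


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_looks_encrypted(path: Path) -> bool:
    if path.suffix.lower() in ALREADY_COMPRESSED:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # Very small files give noisy entropy estimates; ignore them.
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def snapshot_looks_encrypted(snapshot: Path) -> bool:
    files = [p for p in snapshot.rglob("*") if p.is_file()]
    if not files:
        return False
    suspect = sum(file_looks_encrypted(p) for p in files)
    return suspect / len(files) >= SUSPECT_FRACTION


def newest_clean_snapshot(backup_root: Path):
    """Newest snapshot directory that is not mostly encrypted, or None."""
    snapshots = sorted((p for p in backup_root.iterdir() if p.is_dir()), reverse=True)
    for snap in snapshots:
        if not snapshot_looks_encrypted(snap):
            return snap
    return None


def build_demo_backups(root=None) -> Path:
    """Constructed sample data: two clean snapshots, then one taken after encryption."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    rng = random.Random(1)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))  # stand-in for ciphertext
    clean_doc = b"Quarterly report. Revenue up 4 percent over the prior period.\n" * 100
    for name in ("2024-03-01T02-00", "2024-03-02T02-00"):
        share = root / name / "shared"
        share.mkdir(parents=True)
        for i in range(5):
            (share / f"report{i}.txt").write_bytes(clean_doc)
        (share / "photo.jpg").write_bytes(rand(8000))  # high entropy but legitimate
    bad = root / "2024-03-03T02-00" / "shared"
    bad.mkdir(parents=True)
    for i in range(5):
        (bad / f"report{i}.txt.locked").write_bytes(rand(8000))  # encrypted + renamed
    (bad / "photo.jpg").write_bytes(rand(8000))
    (bad / "README_TO_RESTORE.txt").write_bytes(b"Your files have been encrypted. " * 20)
    return root


if __name__ == "__main__":
    demo_root = build_demo_backups()
    print("restore from:", newest_clean_snapshot(demo_root))
```

Run it against your real backup root once a quarter, not only during an incident: if the newest clean snapshot is older than your recovery objective allows, that is a finding for the playbook, not something to discover while the ransom clock is running.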
Beyond covering your costs, most cyber breach insurance plans offer one-stop hotlines to call if you're hit with ransomware. They already have attorneys, forensic experts, and notification services that you might need.
Specifically, you want to make sure that your insurance covers ransomware. Don’t be surprised if it raises your premium, though.
Make sure they have the ability and cryptocurrency accounts needed to pay a ransom.
This is an important consideration. Setting up a cryptocurrency wallet is not a trivial task. It can take days to set up a wallet and fund it with the funds required to pay a ransom. In some cases, the deadline for a ransom may even pass before you have it set up. That’s why it’s important to have this discussion with your insurance company ahead of time.
If you don’t have cyber breach insurance, you may want to consider funding a Bitcoin wallet ahead of time.
Train your staff to identify signs of ransomware AND who to call if they think something's happening.
Ransomware can be detected in many ways:
Also, give them some easy instructions to follow. For example, take a photo of the suspicious thing with your phone and text it to IT. Something clear and concise that doesn’t rely on the use of a computer.
You need to define, specifically, what team will gather to execute on your ransomware playbook. What are their email addresses and cell phone numbers? Remember, time is of the essence. Also, how specifically will you all meet as quickly as possible? Agree on an out-of-band channel (a conference bridge or a chat service that doesn't depend on your own network), because your email and internal chat may be the first things to go down.
In many cases, your team’s first call will be to your cyber insurance provider's incident hotline. If you don’t have an insurance policy, you may want to source a firm to help you independently like this one.
Who will lead your incident response calls? Who will take notes? Who from IT will attend? Who from security? Who will keep executives updated as the incident unfolds? Will you involve your attorney so your documentation is protected by attorney-client privilege?
In the US, the agencies focused on ransomware are the US Secret Service and the FBI. You should know how to contact your local field office for each, and you can also file a report with the FBI's Internet Crime Complaint Center (IC3). You may also try calling local law enforcement.
However, don’t be surprised if it takes time to hear back — they are very busy.
Businesses should have more than just basic antivirus to protect against ransomware. Review what you have installed with your IT firm to make sure it has robust protection.
Better yet, work with a team like ours to perform penetration tests to see how well you'd do.
After you go through this article and meet with your team, you'll end up with a documented ransomware playbook.
But if you keep it only on your computer, there’s a chance you won’t be able to access it during a ransomware attack.
Keep digital and printed copies of this playbook in a secure, off-site location.
This may be the most important question to answer in your ransomware playbook.
In a ransomware attack, there is no one right answer, but a lot of “least wrong” answers.
For example:
There are no “one size fits all” answers to any of these questions, which is why you should discuss them ahead of time.
Here are the questions you need to answer to be ready for an actual incident.
Some recommend disconnecting the network cable (if one exists). But what if you use wifi? Others suggest pulling the power cord from the computer, though this destroys whatever was in memory, which is often the best evidence of which strain you're facing and how it got in. If the machine is a standalone device with no shared drives or other computers it can reach, isolating it may matter less. Talk with your IT and cybersecurity team about what first step makes the most sense for you.
Computer forensics investigators are highly trained experts. Amateur attempts can actually wipe critical evidence, making it harder (or even impossible) to figure out what happened. Know which forensic experts you're going to call (typically those provided by your cyber breach insurance company).
Discuss how you will decide whether to quarantine a single machine vs. taking measures on other computers. How will you quickly spread the message to all staff members of the steps they need to take? Remember, their computers may no longer be usable, and time is of the essence.
Talk through your options to detect and disrupt the ransomware, especially if it moves between computers.
These vary by company, but may include:
Take the time before you’re hit to know what tools you have in your toolbelt.
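Whatever tools you have, the signal they are all looking for is the same: one account suddenly writing or renaming a large number of files with an extension nobody uses, a ransom note appearing, and then the same pattern showing up on a second machine. The script below is an added example (not code from the original article) of that detection logic run over constructed file-server audit log lines. The one-line-per-operation key=value log format, the thresholds, and the host and user names are assumptions made for illustration; adapt parse() to whatever your file server, EDR, or SIEM actually emits.

```python
"""Detect ransomware-style mass encryption in file-server audit logs.

Added example, not code from the original article. The log format
(hypothetical) is one line per file operation:
  2024-03-03T02:11:40Z host=FS01 user=jsmith op=rename path=/shared/doc0.docx.locked
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)
# Typical ransom-note names: README_TO_DECRYPT.txt, HOW_TO_RESTORE_FILES.html
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)
# Extensions we expect to be written on this share; anything else counts as "unknown".
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "tmp"}
WINDOW_SECONDS = 60    # look-back window per (host, user)
BURST_THRESHOLD = 20   # writes within the window before we alert...
NEW_EXT_SHARE = 0.5    # ...if at least this share of them carry an unknown extension


def parse(line):
    """Return (ts, host, user, op, path) or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["user"], m["op"].lower(), m["path"]


def has_unknown_extension(path):
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTENSIONS


def detect(lines):
    """Return a list of (kind, host, user, detail) alerts, in the order raised."""
    alerts = []
    recent = defaultdict(deque)      # (host, user) -> deque of (ts, unknown_ext_flag)
    burst_hosts = defaultdict(set)   # user -> hosts where a burst has been seen
    raised = set()                   # each (kind, host, user) alert fires once
    for ts, host, user, op, path in filter(None, map(parse, lines)):
        if op not in {"write", "create", "rename"}:
            continue
        name = path.rsplit("/", 1)[-1]
        if RANSOM_NOTE_RE.search(name) and ("note", host, user) not in raised:
            raised.add(("note", host, user))
            alerts.append(("ransom_note", host, user, path))
        q = recent[(host, user)]
        q.append((ts, has_unknown_extension(path)))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        unknown = sum(flag for _, flag in q)
        if (len(q) >= BURST_THRESHOLD and unknown / len(q) >= NEW_EXT_SHARE
                and ("burst", host, user) not in raised):
            raised.add(("burst", host, user))
            alerts.append(("mass_encryption", host, user,
                           f"{unknown} unknown-extension writes within {WINDOW_SECONDS}s"))
            burst_hosts[user].add(host)
            if len(burst_hosts[user]) == 2:  # same account now encrypting a second host
                alerts.append(("spreading", host, user, "hosts: " + ",".join(sorted(burst_hosts[user]))))
    return alerts


def sample_log():
    """Constructed sample: normal saves, then a burst on FS01, a note, then FS02."""
    lines, base = [], datetime(2024, 3, 3, 2, 0, 0)

    def add(sec, host, user, op, path):
        t = base + timedelta(seconds=sec)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host={host} user={user} op={op} path={path}")

    for i in range(5):   # one save every two minutes: ordinary work
        add(i * 120, "FS01", "jsmith", "write", f"/shared/finance/q{i}.xlsx")
    for i in range(25):  # one file per second renamed to .locked: encryption
        add(700 + i, "FS01", "jsmith", "rename", f"/shared/finance/doc{i}.docx.locked")
    add(726, "FS01", "jsmith", "create", "/shared/finance/README_TO_DECRYPT.txt")
    for i in range(25):  # the same account starts on a second server
        add(800 + i, "FS02", "jsmith", "rename", f"/dept/hr/file{i}.pdf.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The "spreading" alert is the one that should change your isolation decision from a single machine to the whole account and every host it can reach. Tune KNOWN_EXTENSIONS and the thresholds against a week of your own logs first, or the burst rule will fire on every bulk export.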
Here are the questions you need to answer about your response to be ready for an actual incident.
Existing security tools may tell you which strain of ransomware you’re facing.
There are also sites like CryptoSheriff (run by the No More Ransom project) and ID Ransomware where you can upload the ransom note and a sample encrypted file in hopes of identifying the strain.
For some ransomware families, free decryption tools have been published online, usually because the authors made a cryptographic mistake or the keys were seized or leaked. Don't count on this for a current strain.
Here’s an article that lists eight different places to find ransomware decryption tools that you can include in your ransomware playbook.
You can’t afford to be down while your forensic experts try to figure out what happened. Your IT team has a lot of different options for preserving evidence, including:
Discuss the approach you’ll take with your IT team based on what tools exist in your environment.
Beyond the infected machines themselves, other systems in your company might have critical evidence. Review your list of security and monitoring tools and write a list of which logs will be pulled from each system to help identify what happened. Remember, time is of the essence, and you don’t want the logs to be overwritten with new data.
You also want to be thorough in documenting everything you can. Clearly assign who will be responsible for collecting this documentation and where it will be stored. Be thorough about keeping screenshots, scan results, and anything else that is performed along the way.
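Evidence you can't prove is unaltered is worth far less, whether to your forensic firm, your insurer, or in court. The standard practice is to hash every artefact at collection time and keep a signed manifest alongside it, then re-verify before handing it over. The script below is an added example (not code from the original article) that builds such a manifest for an evidence directory and later checks it, reporting files that have gone missing or changed. The JSON layout, field names, and the sample evidence files it creates are this example's own assumptions.

```python
"""Build and verify a hashed evidence manifest (a chain-of-custody record).

Added example, not from the original article. It assumes every artefact the
team collects (disk images, memory dumps, exported logs, screenshots) is
copied into one evidence directory; the manifest format is this example's own.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large images don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            items.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": items,
    }


def write_manifest(evidence_dir: Path, manifest: dict) -> Path:
    out = evidence_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(evidence_dir: Path) -> list:
    """Return (path, problem) pairs for items that are missing or no longer match."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems = []
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append((item["path"], "missing"))
        elif p.stat().st_size != item["size"] or sha256_of(p) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def build_demo_evidence(root=None) -> Path:
    """Constructed sample evidence set: stand-ins for a log export, a memory dump and a screenshot."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    (root / "logs").mkdir(parents=True, exist_ok=True)
    (root / "logs" / "fs01-security.evtx").write_bytes(b"\x00" * 2048)
    (root / "fs01-memory.raw").write_bytes(bytes(range(256)) * 16)
    (root / "ransom-note-screenshot.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    evidence = build_demo_evidence()
    write_manifest(evidence, build_manifest(evidence, "analyst-on-call", "IR-2024-001"))
    print("problems after collection:", verify_manifest(evidence))
    (evidence / "fs01-memory.raw").write_bytes(b"edited by mistake")  # simulate tampering
    print("problems after tampering:", verify_manifest(evidence))
```

Copy the manifest (or at least its hash) somewhere the evidence directory can't reach, such as the printed incident log, so that someone who can alter the files can't quietly regenerate the manifest too.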
This probably isn't something that you can decide in advance since every incident of ransomware may be different. Instead, discuss who will make the decision and what factors you'll consider in making the decision (how good your backups are, how long recovery would take, whether data was stolen as well as encrypted). Involve your attorney here too: paying a group that is under government sanctions can itself be illegal.
If you’re offline for an extended period of time, someone will need to notify all of the stakeholders of your business. Your team, your executives, your Board of Directors, your clients, and your vendors may need to be notified. Make sure you have your lists, point people, and contact people identified before an incident. This is another area where it’s important to involve your attorney to craft effective communications.
If the ransomware attack involved a possible data breach, you may be required to notify affected clients. Figure out which attorney you will use to determine your liability and plan of action.
If news of your ransomware event becomes public, who is authorized to handle media inquiries? In some cases, the event may rise to the level of wanting to engage a public relations firm.
Ransomware is a business, and the attackers are motivated to deliver on their promises. However, there have been cases where a company pays a ransom and the decryption key doesn't work, and even a working decryptor is slow and may leave some files corrupted. Be sure to talk through what you'll do in that case.
Once the scope of the damage is known and evidence is prepared, IT can get to work getting users back online and recovering key data.
You should NEVER bring computers back into an environment if there's a chance of continued infection from ransomware. Rebuilding from a known-good image is usually safer than trying to clean an infected machine.
You need to agree with your IT team, though, what steps they’ll take to keep the new environment safe from ransomware in the immediate term. This may include things like:
Again, there won’t be a “one size fits all” approach to this, so discuss ahead of time how you’ll approach this in the heat of the moment.
Now that you’re back online, let’s make sure that you don’t run into the same problem again. Here are some questions to answer.
Companies often forget to go back and figure out what went wrong. Decide whose job it is to perform a lessons learned review of the incident.
Unfortunately, you may never know for sure. If you know, great. If not, make an educated guess, and use this to strengthen your cybersecurity controls. Pay special attention to your email security and to any remote access exposed to the internet, as phishing and stolen or guessed remote-access credentials are among the most common ways that ransomware gets into organizations.
This will likely reveal systems that were either missing, or that were in place but being ignored. Use this question to identify what gaps need to be filled.
Once you know the type of ransomware and how it got in, you'll be able to figure out whether a known, unpatched vulnerability was the entry point and, if so, how your vulnerability patching program let the problem happen.
Based on what you’ve learned, improve your training to make sure your team can spot future incidents.
The best way to get your ransomware playbook ready is to do a “tabletop exercise.” Get together with your IT team, your security team, and your company executives. Using this article as a guide, come up with your own answers to the questions raised above.
As you'd imagine, most companies don't publicly share examples of their ransomware playbooks. A couple that have been published are better examples of large-company ransomware playbooks.
If you’d like help performing a tabletop exercise to build your ransomware playbook, please contact us.