Initial Response

... completed very quickly (and also for a long time after that). Panicking at this point in the attack is going to make the recovery last that much longer. Panicking also prevents the teams from taking the necessary immediate actions to limit the damage.

School house

Part of every IR plan is designating someone to communicate information once the damage has been assessed, but don’t forget to have someone handling communication during the initial assessment. This person should ideally be part of the response team and is responsible only for internal communications. During a crisis like this, employees will likely be reaching out to everyone they know, hoping to get an understanding of what’s happening. All that does is slow down the initial response.

Sending out a note early in the attack letting employees know what’s happening will hopefully slow down the deluge of calls and text messages. Many employees might be shut off from email, so consider text messages or some other form of pre-planned communication. That note should identify a point of contact in case employees have questions or want to report additional suspicious activity. In addition, the note should let employees know when they should expect the next update. Again, that should slow down the number of phone calls and texts. Consider different communication schedules for leadership and for other employees.

The person or team in charge of communication should also start the process of documenting initial findings. During initial response, a lot of the findings are reported in an ad hoc manner. Getting everything documented and stored in a place easily accessible by everyone will make further triage much easier.

... take hours to fully complete. This gives IT and security teams time to isolate the infected machines and, hopefully, keep the ransomware from spreading. This initial response team should consist of members of the IT, security, and IR teams who are onsite and can act immediately. At this point, there likely isn’t time to call in reinforcements for this initial response, especially not knowing whether remote access will need to be shut down to keep out the ransomware actor.

... or if the ransomware actor seems to be infecting systems at random, infected machines should be immediately disconnected from the network and Wi-Fi turned off. Ideally, that can be done remotely, but if remote tools are unavailable, the response teams need to go from machine to machine to turn off Wi-Fi manually. This action should also disconnect the machine from any network mappings, but to be safe, teams should disable any network mappings for those machines. Depending on how the ransomware is spreading, this may include taking Active Directory services offline. These steps are outlined in the diagram above.

Unlike a lot of other cybercriminal activities, there’s almost always a human on the other end of the keyboard launching the attack. In their (perverse) thinking, they’ve invested money and time launching this attack and they won’t want to leave without stealing files and encrypting systems on the network. As the initial response team is shutting things down, it’s likely that the ransomware actor will be trying to find other access points or ways to deliver the ransomware.

Watch out

Shutting down systems is often necessary. However, keep in mind that since many ransomware operators prefer to use tools that load into memory, shutting down encrypted systems will mean those tools disappear. This will result in the loss of valuable forensic evidence for the IR team and, if called in, law enforcement.

This doesn’t mean that systems shouldn’t be powered down if necessary, but it's important to step through the order outlined in this section and not start with immediate shutdown. Also, keep in mind, not all tools used by the ransomware groups run in memory; there are often enough artifacts left behind by the ransomware actor to piece together most of the attack. This is where the experience of the IR team or law enforcement are necessary.

... defining which systems or network segments have definitely been encrypted, which ones definitely haven’t, and which ones the teams aren’t sure about. In addition, the teams need to document clearly what data was on the encrypted machines for prioritization purposes, as well as to start to understand what data may have been exfiltrated.

... how both encrypted and “clean” systems will be brought online. Even systems that are initially considered clean may have artifacts from the ransomware actor hiding on them, such as dropped tools, persistence mechanisms, backdoors, and others. All systems need to be brought online in a manner isolated from the rest of the network by someone from the IR team who can ensure that reconnecting the system to the network won’t cause more damage.

However, it’s going to be less of a business disruption than the ransomware actor regaining access and attempting to finish the job. Therefore, it’s imperative to get the ransomware actor’s artifacts removed from the systems. As systems are returned online, they need to be fully scrubbed, Active Directory credentials reset, and thorough discussion about what the ransomware actor might have done to facilitate regaining access needs to be had. Once that last point has been identified, organizations need to do something about it.

Pay attetntion

Whether it’s a conference call, a permanent Zoom session, or other video conferencing tool, the bridge will allow those who need to check in with the ability to do so easily. It will also make it easier to schedule regular updates. If the IR team is going to provide updates every four hours, everyone who needs to hear the update can just connect to the bridge.

Make sure, whatever form the bridge takes, that it’s password-protected. The last thing an organization needs during a ransomware cleanup is outsiders connecting to the bridge and learning sensitive organization details.

Everyone who participated in the tabletop exercise and who has a role in the IR and DR plans should meet either in person or remotely.

The meeting will likely open with a briefing on the initial assessment of the damage caused by the ransomware attack, as well as how long it’s expected to take to get things back up and running. Set realistic goals here, based on the prioritizations outlined earlier (consider planning for this during the ransomware tabletop exercises). Prepare everyone to grasp that some systems are going to be down longer than others and that recovery is a gradual process, with the dual priorities being getting the organization back online quickly without risking reinfection by the ransomware actor.

... handed over to the person or team designated in the IR plan. They keep employees updated, as well as partners and vendors, as needed. They also communicate with the press, should it become necessary.

... want regular status updates about the situation. Set expectations early on that reports will be provided on a defined regular interval. This might change over time. For example, at the beginning, senior management may want hourly reports because there’s a lot happening. As the recovery progresses, the reports will become less frequent because there’s less to report.

Don’t forget that rules about where, when, and how to communicate should have all been approved in advance by the organization’s legal counsel. There will likely be a lawsuit over the ransomware attack. Clearing communication with the legal team helps ensure that all relevant communication is preserved when that lawsuit happens.

... many hours since the attack was noticed, and there will be some people on the team who haven’t gone home or slept since the start of the attack. Send them home or to a nearby hotel so they can get some rest and be ready for the next day.