Ransomware has become a growing threat – between those occurring within healthcare organizations and law enforcement agencies and those at the federal, state, and local government levels – it seems like a new story of a ransomware attack pops up each day. Both the State of Indiana and the Washington D.C. police department (DCPD) were recent victims of ransomware attacks, and just last month, ransomware completely shut down a town in Ohio where it was believed that the virus was spread via a phishing scam that locked up county servers, disabling online access and landline telephones for those on the county system. Some counties are paying up while others have prevailed. That said, the FBI issued an alert in 2016, requesting organizations do not pay ransomware demands. As the threats continue to mount, how can you prepare your agency from falling into the ransomware trap? In this blog post, we identify the top five ways to defend your organization with a ransomware incident response plan. Here they are:
First and foremost, agencies and organizations must understand what ransomware is, how it can be identified, and how to report it. This can be done through an ongoing information security and training process, web filtering technology, and a robust patching program, among others. Once ransomware has been detected, it should then be escalated through the appropriate channels.
Determine the scope of the ransomware and whether or not it can be removed. If it can’t, then the threat must be escalated to the appropriate team. Is the attack a low, moderate, or high threat? How many users have been affected? Understanding which category the attack falls into will help escalate the issue appropriately and help you better determine how the threat should be managed.
The first step in containing ransomware is to get the infected machines off the network. You must assume that the malware could make use of an Internet connection and that it’s sending information back to the criminals. Perform a forensic analysis to find the source and type of the ransomware infection. Once you are confident that the ransomware is contained and the chances of any further compromise have been eliminated, then you can begin to restore your files.
If your data is encrypted by ransomware, backups allow you to restore your environment from a point in time before the attack to avoid paying the ransom. When a critical IT environment has been backed up, you can recover the information rather than the potential disaster of spending hours, days or weeks rebuilding databases.
Test your plan, and test it again. While having an incident response plan in place is the best possible defense against ransomware, one that isn’t regularly tested may have undetected problems that could cause your strategy to go wrong during a high-pressure situation like a ransomware attack.
Your ransomware response plan should provide for a post-incident evaluation of the response, including recording lessons learned. As threats evolve, the plan should be periodically reviewed and revised. It may make sense to do so on the same schedule as data security breach plans.