You want to be ready, if and when your organization is attacked. But when ransomware takes down a business, it can be hard to think clearly. And you may have more questions than answers: How long will you be down? Who needs to know? How long will you be working around the clock to recover?
Even when you can’t know all of the answers, you can minimize the damage by following a few key steps.
As part of cybersecurity awareness month, Racksquared is sharing what we’ve learned working with clients to respond to ransomware attacks. Follow this order of operations to make sure you do everything you can to safeguard your business and its data.
1. Assess the Damage and Close Any Vulnerabilities.
You need to know what you’re dealing with first. Look for clues about how the systems were infected. Are there compromised admin accounts? Unexpected logins to servers? Search broadly across your systems. Don’t focus too narrowly on a single point of entry and miss compromises in unexpected areas. If necessary, hire a third party to help with the forensics.
Once you know where the problems lie, immediately close any vulnerabilities to prevent further damage. This may mean changing passwords on breached accounts or shutting down infected machines and VPN access.
Verify the condition of your backups. Evaluate your backup systems and determine whether any local backups have been damaged. Be sure to examine cloud applications and cloud backups for damage as well.
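Here is an added example of what “searching broadly” for compromised admin accounts and unexpected logins can look like in practice. This is illustrative code written for this post, not a Racksquared tool: the log format, host names, account names, the management network and the business-hours window are all constructed assumptions, and in a real environment you would run the same kind of checks over your actual authentication logs (Windows security events, SSH logs, VPN logs) with your own allow-lists.

```python
"""Triage constructed authentication log lines for signs of compromised
admin accounts and unexpected server logins.

Added example for this article, not Racksquared's tooling. The log shape,
accounts, hosts and the allow-listed management network are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed sample lines: "timestamp host user result source".
SAMPLE_LOG = """\
2024-03-04T08:15:02 fileserver01 jsmith success 10.20.5.14
2024-03-04T08:16:40 fileserver01 jsmith success 10.20.5.14
2024-03-04T02:41:09 dc01 administrator failure 198.51.100.23
2024-03-04T02:41:12 dc01 administrator failure 198.51.100.23
2024-03-04T02:41:15 dc01 administrator success 198.51.100.23
2024-03-04T03:05:55 backupsrv svc_backup success 10.20.5.201
2024-03-04T09:30:10 dc01 administrator success 10.20.9.7
2024-03-04T23:58:31 erp01 svc_backup success 10.20.9.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<result>success|failure) (?P<src>\S+)$"
)

# Assumptions about the constructed environment (replace with your own):
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}   # high-value accounts
MANAGEMENT_NETS = [ip_network("10.20.9.0/24")]     # where admin logins are expected from
BUSINESS_HOURS = range(7, 20)                       # 07:00 to 19:59 local time
FAILURE_BURST = 2                                   # failures before a success that look like guessing


def parse_log(text):
    """Turn raw lines into dicts; lines that don't match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def triage_logins(events):
    """Return (reason, event) findings that a responder should look at."""
    findings = []
    recent_failures = defaultdict(int)  # (user, source) -> consecutive failures
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_failures[key] += 1
            continue
        # Everything below concerns a successful login.
        if recent_failures[key] >= FAILURE_BURST:
            findings.append(("success after repeated failures", e))
        recent_failures[key] = 0
        if e["user"] in ADMIN_ACCOUNTS:
            src = ip_address(e["src"])
            if not any(src in net for net in MANAGEMENT_NETS):
                findings.append(("admin login from outside management network", e))
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("admin login outside business hours", e))
    return findings


def accounts_to_review(findings):
    """Accounts that appear in any finding: candidates for a password reset."""
    return sorted({e["user"] for _, e in findings})


if __name__ == "__main__":
    for reason, e in triage_logins(parse_log(SAMPLE_LOG)):
        print(f"{e['ts']} {e['host']} {e['user']} from {e['src']}: {reason}")
    print("accounts to review:", accounts_to_review(parse_log(SAMPLE_LOG) and
                                                    triage_logins(parse_log(SAMPLE_LOG))))
```

On the constructed sample, the script flags the administrator login from an outside address that followed two failures, the backup service account logging in from an unexpected network at 3 a.m., and an after-hours service account login, which gives you a concrete list of accounts to reset and hosts to examine before you move on to closing the gaps.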
2. Notify Appropriate Business Stakeholders.
Identify who needs to know in the leadership of your organization. Notify them about the damage and provide an estimated recovery time.
For end users who are affected, consider how and when you need to notify them. Keep in mind that some methods of communicating may not be accessible because of the attacks. You may also want to work with an attorney to communicate to people outside your business.
3. Alert External Stakeholders.
Reach out to any external stakeholders that can support you as soon as possible. For example, connect with your insurance company, because it may have specific guidelines you must follow to file a claim for damage. Cyber insurance providers, in particular, will often coach you on what to do right after an attack.
It’s also important to reach out to the FBI or local law enforcement right away. These agencies may want to investigate and may need evidence such as copies of VMs. Make sure you’re able to provide what they need before you delete anything.
4. Review and Follow Your Recovery Plan.
After you’ve covered the immediate needs in the first three steps, turn to your business recovery plan. You’ll want to review it with your team to check if anything should be adjusted and then follow the guidelines.
Before recovering any data, take care to determine how far back you need to recover in order to prevent reinfection from the malware. You don’t want to be in a situation where you recover from two days ago when the ransomware has actually been present for three months and can bring you down again.
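The two backup-related points above, checking whether backups were damaged (step 1) and choosing a recovery date that predates the infection (step 4), come together in this added example. It is illustrative code written for this post rather than Racksquared’s process or any backup product’s API: the backup catalogue, the recorded checksums, the file contents and the indicator timestamps are all constructed. The idea it shows is that the recovery date is bounded by the earliest sign of compromise you found in step 1, not by the day the ransom note appeared, and that a backup only counts if it still matches the checksum recorded when it was taken.

```python
"""Pick the newest intact backup that predates the earliest known sign of
compromise, and report backups whose contents no longer match their
recorded checksum.

Added example for this article, not Racksquared's process. The catalogue,
checksums, payloads and indicator times below are constructed.
"""
import hashlib
from datetime import datetime, timedelta


def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalogue. "recorded_sha256" is what the backup job logged when it
# ran; "payload" stands in for the archive as it exists on disk now, so the
# example runs offline (a real check would hash the archive file itself).
BACKUPS = [
    {"id": "nightly-0301", "taken": datetime(2024, 3, 1, 1, 0),
     "recorded_sha256": _sha(b"ledger v41"), "payload": b"ledger v41"},
    {"id": "nightly-0303", "taken": datetime(2024, 3, 3, 1, 0),
     "recorded_sha256": _sha(b"ledger v42"), "payload": b"ledger v42"},
    # This archive was overwritten after the job logged its checksum, which is
    # how a backup that was reached and encrypted during the attack would look.
    {"id": "nightly-0305", "taken": datetime(2024, 3, 5, 1, 0),
     "recorded_sha256": _sha(b"ledger v43"), "payload": b"\x00ENCRYPTED\x00"},
    {"id": "nightly-0307", "taken": datetime(2024, 3, 7, 1, 0),
     "recorded_sha256": _sha(b"ledger v44"), "payload": b"ledger v44"},
]

# Constructed indicators of compromise and when each was first seen.
INDICATORS = {
    "first ransom note written": datetime(2024, 3, 7, 4, 30),
    "unexpected admin login to dc01": datetime(2024, 3, 6, 12, 0),
    "new scheduled task on fileserver01": datetime(2024, 3, 6, 18, 15),
}


def backup_is_intact(backup):
    """Re-hash the archive and compare with the checksum recorded at backup time."""
    return _sha(backup["payload"]) == backup["recorded_sha256"]


def damaged_backups(backups):
    """IDs of backups whose contents no longer match what the job recorded."""
    return [b["id"] for b in backups if not backup_is_intact(b)]


def earliest_compromise(indicators):
    """The recovery date is bounded by the earliest indicator, not the ransom note."""
    return min(indicators.values())


def choose_restore_point(backups, earliest_ioc, safety_margin=timedelta(days=1)):
    """Newest intact backup taken before the earliest indicator minus a margin.

    Returns None when nothing qualifies. That is itself an important finding:
    rebuilding from scratch may then be safer than restoring anything.
    """
    cutoff = earliest_ioc - safety_margin
    candidates = [b for b in backups if b["taken"] < cutoff and backup_is_intact(b)]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b["taken"])


if __name__ == "__main__":
    print("damaged backups:", damaged_backups(BACKUPS))
    first_sign = earliest_compromise(INDICATORS)
    print("earliest indicator:", first_sign)
    chosen = choose_restore_point(BACKUPS, first_sign)
    print("restore from:", chosen["id"] if chosen else "no clean backup found")
```

With the constructed data, the ransom note appeared on March 7 but the earliest indicator is an admin login on March 6, so with a one-day margin only backups taken before March 5 at noon qualify. The March 5 backup is rejected because its checksum no longer matches, and the script settles on the March 3 backup. The safety margin is an assumption you should size to how confident you are in the earliest-indicator date; if the forensics are uncertain, widen it.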
5. Review the Incident and Prepare Again.
When you have recovered, take time to review the incident in its entirety. This review can help you understand how to better protect your systems and make informed decisions about upgrading or replacing your malware protection.
A review can also help you identify what you want to do differently if there’s another attack. Capture your insights and update your business recovery plan so you can be prepared.
If you need assistance with disaster recovery planning or your data backup strategy, Racksquared can help. Learn more about how Racksquared can help you protect your business.