The Cybersecurity and Infrastructure Security Agency (CISA) strongly advises using the following checklist to respond to ransomware. The list is drawn from the Joint CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide. It walks you through the response process, beginning with detection and continuing through containment and eradication. Make sure you go through the first three steps in order.
Recognition and Evaluation
1. Establish which systems were affected and isolate them.
- When many systems or subnets appear to be affected, take the network offline at the switch level; it is not always feasible to disconnect each system individually during an emergency.
- If you cannot immediately take the network down, locate the network cable (Ethernet) and unplug affected devices, or remove them from Wi-Fi, to stop the infection from spreading.
- After establishing a foothold, malicious actors may monitor your organization's activity and communications to determine whether their actions have been detected. To avoid alerting them that they have been discovered and that mitigation is under way, isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls. If you do not close the doors, actors will move laterally to preserve their access (already a common practice) or deploy ransomware widely before networks are taken offline.
2. If you cannot disconnect devices from the network, switch them off to prevent further propagation of the ransomware infection.
Note that powering devices off stops the ransomware from running but also means volatile artifacts of the infection will not be preserved; it does limit the exposure and theft of sensitive data held on potentially compromised storage. Use this step only as a last resort, when it is not feasible to temporarily shut down the network or disconnect impacted devices from it.
3. Triage systems for restoration and recovery.
- Assess the data protection situation and determine the nature of data stored on damaged systems.
- Prioritize restoration and recovery based on a specified critical asset list that includes information systems crucial for health and safety, revenue generation, or other necessary services, as well as systems they rely on.
- Keep track of systems and devices that do not appear to be affected so they can be deprioritized for restoration and recovery. This lets your business get back up and running in less time.
4. Confer with your incident response team to develop and document an initial understanding of what has happened, based on the first evaluation.
5. Engage your internal and external teams and stakeholders, with a clear idea of what each can contribute to help you mitigate, respond to, and recover from the incident.
- Share what you know to get the most up-to-date and helpful information. Keep senior management and board members informed via timely updates as the problem evolves. Your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders might all be relevant stakeholders.
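The triage in step 3 is easy to get wrong by hand when critical services depend on other systems. The script below is an added example, not part of the CISA/MS-ISAC guide: it takes a constructed asset inventory (the names, flags and dependencies are assumptions) and orders restoration so that impacted critical-asset-list systems and everything they depend on come first, dependencies before dependents, while unaffected systems are tracked separately so they can be deprioritized.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    impacted: bool        # confirmed or suspected encrypted / compromised
    critical: bool        # appears on the organization's critical asset list
    depends_on: list = field(default_factory=list)


def restoration_order(assets):
    """Return (prioritized, later, unaffected) lists of asset names.

    prioritized: impacted systems on a critical asset's dependency chain,
                 ordered so each dependency precedes the system that needs it
    later:       impacted systems not needed by any critical asset
    unaffected:  systems with no sign of impact (deprioritized, but tracked)
    """
    by_name = {a.name: a for a in assets}
    prioritized, seen = [], set()

    def visit(name, stack=()):
        if name in seen:
            return
        if name in stack:  # a dependency loop can never be fully ordered
            raise ValueError(f"dependency cycle at {name}")
        asset = by_name[name]
        for dep in asset.depends_on:
            visit(dep, stack + (name,))
        seen.add(name)
        if asset.impacted:  # unaffected dependencies need no restoration
            prioritized.append(name)

    for a in assets:
        if a.critical and a.impacted:
            visit(a.name)
    later = [a.name for a in assets if a.impacted and a.name not in seen]
    unaffected = [a.name for a in assets if not a.impacted]
    return prioritized, later, unaffected


def sample_inventory():
    # Constructed inventory for illustration only (hypothetical hostnames).
    return [
        Asset("ERP-APP", impacted=True, critical=True, depends_on=["ERP-DB", "AD-DC01"]),
        Asset("ERP-DB", impacted=True, critical=False, depends_on=["SAN-01"]),
        Asset("AD-DC01", impacted=True, critical=False),
        Asset("SAN-01", impacted=False, critical=False),
        Asset("HR-FILESRV", impacted=True, critical=False),
        Asset("WIKI", impacted=False, critical=False),
        Asset("EHR", impacted=True, critical=True, depends_on=["AD-DC01"]),
    ]
```

Feed it your own inventory export instead of `sample_inventory()`; the cycle check matters because a dependency loop means the critical asset list itself needs correcting before restoration begins.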
“Paying ransom will not ensure that your data is decrypted or that your systems or data will no longer be impacted,” the Joint CISA MS-ISAC Ransomware Guide warns. “CISA, MS-ISAC, and other federal law enforcement do not advise paying the ransom. Furthermore, attackers have begun to follow their ransom demands to decrypt the data with a follow-on extortion demand to keep data private.”
Control and Extermination
If no initial mitigation actions appear possible:
6. Take a system image and a memory capture of a sample of impacted devices (e.g., workstations and servers). Collect any relevant logs and samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files).
- To avoid loss or tampering, make sure to preserve evidence that is highly volatile (or has a short retention period) and cannot be recreated: system memory, Windows Security logs, data in firewall log buffers.
7. Security researchers have already found ways to decrypt some ransomware strains. Consult federal law enforcement about any decryptors that may be available.
- Attacks can cause significant disruption to business processes and leave organizations unable to function or provide critical services. Read the Ransomware Guide for further information about precautions for managing a ransomware event.