Before! – Ransomware Part 9

It is an odd title, but as I bring this ransomware mini-series to a close I want to go back to the beginning, recap, and think about the major things that you, and any organisation that wants to survive a ransomware attack, need to do before the threat actors strike.

“We have ransomware!”

I will start here, because the most important thing you should think about before an incident is how you and your staff are going to react. If you allow panic, then your responses will not be as effective. Someone who has been trained in the company’s incident response plan, knows what to do and who to contact because it is written down, will remain calm, do their best work and keep the situation under control.

This calm response goes double for your incident response team. This is where coffee* comes in!

Blame Culture

This includes NOT having a blame culture.  A member of staff who accidentally opens a malicious file and panics that they might get the blame and lose their job, might keep quiet about it and then the incident will escalate very quickly.

You need to be ready

Stuff you will need

This list is not complete; it is only the highlights. You and your incident response team will put together your own list whilst completing your planning and preparation.

  • Ransomware resilient back-ups – someone must be assigned to check the status of the back-ups as soon as an incident is suspected, even if it comes to nothing. Of course your back-up is checked every day – isn’t it?
  • A communications plan – both internally and to all stakeholders. Do you have a public spokesperson?
    • Prepared draft responses
    • NEVER disrespect the ransomware gang
  • A readily accessible emergency contact list – probably on paper.
    • Include your insurance company and legal help on the list.
  • Some kit – this will often be provided by your contracted IT/Cyber security support company, but if you do not have one, then you need to buy this gear yourself and store it:
    • Guaranteed clean laptops
    • Guaranteed clean fast USB storage devices
    • Patch cables and switches
    • Spare router
    • Network diagram printout (several copies as they will be scribbled on)
    • Office/staff plan – again several copies
    • Copies of your Incident Response Plan, Business Continuity Plan and your Cyber Security Master Document. These will probably be electronic and may be a combined single document.
    • Notebooks – for use only in this incident – make sure they have numbered pages. Add some pens and coloured pencils as well.
    • Small toolkit including a torch.
    • Keys for any locked rooms and cabinets.
  • A storage location for incident photos, videos and other files. Obviously not on your network!
    • This is where your third party IT/Cyber Security support can help – their storage will be clean and secure. Ask them to create some incident storage for you as part of the support contract.
    • Remember there will be physical evidence to preserve as well.
  • Somewhere for the incident response team to base themselves, which includes:
    • Toilets – no joke. We were once given a portacabin to work from – and when the office staff went home, they locked up the toilets.
    • A kettle, water etc.
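What "checking the status of the back-ups" can look like in practice, as an added example that is not part of the original article: a small POSIX shell check that a daily job, or the person assigned to back-ups when an incident is suspected, can run against a backup location. It assumes a hypothetical layout in which each backup run leaves a COMPLETED marker holding the finish time in epoch seconds and a MANIFEST.sha256 file in sha256sum format; the sample backup it builds is constructed for the demonstration. A stale backup, a missing run and a file that no longer matches its checksum (which is what an encrypted or tampered backup looks like) each fail with a distinct exit code, so the result can be logged and acted on before anyone needs to restore.

```shell
#!/bin/sh
# Added example, not from the original article: a daily backup status check.
# Hypothetical layout: each backup run writes its files into BACKUP_DIR plus
#   COMPLETED        - epoch seconds when the run finished
#   MANIFEST.sha256  - output of "sha256sum <files>" taken at backup time
#
# check_backup BACKUP_DIR MAX_AGE_HOURS
#   returns 0 when the backup is fresh and every file matches the manifest,
#           1 when the marker or manifest is missing (no run happened),
#           2 when the last run is older than MAX_AGE_HOURS (stale),
#           3 when a file fails its checksum (tampered or encrypted).
check_backup() {
    dir=$1
    max_age_hours=$2

    if [ ! -f "$dir/COMPLETED" ] || [ ! -f "$dir/MANIFEST.sha256" ]; then
        echo "FAIL: $dir has no completion marker or manifest" >&2
        return 1
    fi

    finished=$(cat "$dir/COMPLETED")
    now=$(date +%s)
    age_hours=$(( (now - finished) / 3600 ))
    if [ "$age_hours" -ge "$max_age_hours" ]; then
        echo "FAIL: last backup finished ${age_hours}h ago (limit ${max_age_hours}h)" >&2
        return 2
    fi

    # Verify every file listed in the manifest; --quiet prints only failures.
    if ! (cd "$dir" && sha256sum --quiet -c MANIFEST.sha256 >&2); then
        echo "FAIL: checksum mismatch in $dir" >&2
        return 3
    fi

    echo "OK: $dir is ${age_hours}h old and intact"
    return 0
}

# Build a constructed sample backup (two small files) so the check runs offline.
# make_sample_backup DIR AGE_SECONDS
make_sample_backup() {
    sdir=$1
    age_seconds=$2
    mkdir -p "$sdir"
    printf 'customer records\n' > "$sdir/db.sql"
    printf 'config v1\n' > "$sdir/config.yml"
    (cd "$sdir" && sha256sum db.sql config.yml > MANIFEST.sha256)
    echo $(( $(date +%s) - age_seconds )) > "$sdir/COMPLETED"
}

# Demonstration: one intact backup from an hour ago, one from two days ago,
# and one whose database dump has been overwritten since the manifest was taken.
demo_root=$(mktemp -d)
make_sample_backup "$demo_root/fresh" 3600
make_sample_backup "$demo_root/stale" $(( 48 * 3600 ))
make_sample_backup "$demo_root/tampered" 3600
printf 'ENCRYPTED\n' > "$demo_root/tampered/db.sql"

for d in fresh stale tampered; do
    if check_backup "$demo_root/$d" 24; then
        echo "$d: pass"
    else
        echo "$d: fail (code $?)"
    fi
done
rm -rf "$demo_root"
```

Run it from cron against each backup location, and treat any non-zero exit as something for the assigned person to chase the same day; an incident is the wrong time to discover the backup job quietly stopped three weeks ago.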

Next

After…


Clive Catton MSc (Cyber Security) – 
by-line and other articles

* Other hot or cold drinks are available – you choose.

Further Reading

Practice Drinking Coffee* better known as Planning and Preparation

The Blame Game

Ransomware Mini-Series (2023)

Ransomware: Is it a Threat? (Part 1)

A Bag of Spanners – Planning and Preparation (Part 2)

Minimise the Damage – Planning and Preparation (Part 3)

Detecting Ransomware (Part 4)

Ransomware – What Not To Do! (Part 5)

Ransomware – The Impact (Part 6)

You and a ransomware resilient back-up (Part 7)

Where do you keep that Incident Response Plan? (Part 8)