After Ransomware

Ransomware – It’s gone

What spoilt your Monday morning – ransomware on the network – has now been cleaned out. Your response team worked the plan, you spoke to the press and clients throughout, the IT/Cyber Security team put the hours in, used their skills, ate the pizza and drank the coffee, no one was blamed and your staff pulled together to keep things going.

The relief of being back in business is good. Let’s put that behind us and get on…

But the Response Team leader has sent you an email calling you and a group of your busy staff to one more meeting.

Why?

You know that you are not looking for someone to blame. (I know I keep going on about this but a “blame culture” is the threat actor’s best friend.)

Ransomware Lessons Learned

The meeting is to understand what happened, examine the responses and build a better response plan for next time – not that you want a next time. It is not to assign blame.

Here are some of the highlights from the agenda:

  • How did the attack start?
    • How did the attacker get in?
  • What was the damage?
    • Impacted systems and information
    • Data loss
    • Ransoms paid?
    • Costs of recovery
  • Statutory and/or legal reporting
    • Results and ramifications
  • Which parts of the plan worked?
    • Rate the parts on a scale of 0-9
    • Add notes as required
  • Which parts of the plan did not work?
    • Rate the parts on a scale of 0-9
    • Add notes as required
    • What could have been done instead – options?
    • What changes need to be made?
  • Rate the back-ups and cyber security software and security procedures
    • Rate them on a scale of 0-9
    • Do you need to make changes?
  • Assess the training
    • Make any changes that have come about because of the incident
    • Run a refresher course for everyone – including lessons learned from this attack
  • Recognise the teams that dealt with the incident
    • You do not want them feeling undervalued and then taking the experience gained to another organisation
  • APPLY THE LESSONS LEARNED

It’s not complete and it does not address your particular organisation or situation but it will get you started.

Once done there are of course reports – for the board, internal and public, by department etc. and action plans…

These processes are also used for other cyber incidents

The Conclusion

We have reached the end of this Ransomware Mini-series but it is not the end for you. You need to check that your ransomware plan is up to the job.


Clive Catton MSc (Cyber Security)


Further Reading

The Blame Game

Ransomware Mini-Series (2023)

Ransomware: Is it a Threat? (Part 1)

A Bag of Spanners – Planning and Preparation (Part 2)

Minimise the Damage – Planning and Preparation (Part 3)

Detecting Ransomware (Part 4)

Ransomware – What Not To Do! (Part 5)

Ransomware – The Impact (Part 6)

You and a ransomware resilient back-up (Part 7)

Where do you keep that Incident Response Plan? (Part 8)

Before – Ransomware (Part 9)
