1. Don't Panic:
- Stay calm and act purposefully when targeted by ransomware.
- Seek help from security vendors or report the incident to your insurance company.
2. Isolate Your Systems and Stop the Spread:
- Identify the range of the attack and implement network-level blocks or device-level isolation.
- Utilize endpoint detection and response (EDR) technology to block the attack at the process level.
3. Identify the Ransomware Variant:
- Determine the specific strain of ransomware to understand its behavior and possible decryption options.
4. Identify Initial Access:
- Determine the entry point of the attack to close security holes
.
- Consult digital forensics teams and incident response experts if needed.
5. Identify All Infected Systems and Accounts (Scope):
-
Identify active malware and persistent elements in systems communicating with the command-and-control server.
6. Determine if Data Was Exfiltrated:
- Look for signs of data exfiltration, such as large data transfers or unusual communications.
7. Locate Your Backups and Determine Integrity:
-
Ensure backup technology was not affected and scan backups for integrity.
8. Sanitize Systems or Create New Builds:
- Remove malware and incidents of persistence, or consider creating new, clean systems
.
- Implement appropriate security controls to prevent reinfection.
9. Report the Incident:
- Report the incident and determine if law enforcement should be involved.
Consider legal obligations regarding regulated data.
10. Paying the Ransom?
- Law enforcement advises against paying the ransom
.
11. Conduct a Post-Incident Review:
- Evaluate the ransomware response and identify areas for improvement.
- Simulate attack scenarios and consider proactive playbook building.
- Consider external services if IT or security team staffing is limited.
0 comments:
Post a Comment