Endpoint
11/6/2017
03:30 PM
Patrick Hill
Patrick Hill
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Ransomware Strikes: 7 Steps You Can Take Now to Prepare

Ransomware is still on the rise. These operational tips can help lessen the blow if you're hit.

If you walked into work tomorrow to find your company had been hit by ransomware, would you know what to do? Who would you call? How would you find their phone numbers if your computer was locked up? How would you notify customers?

There are many aspects to preparing for ransomware, including technical tips such as maintaining a current, offline backup of your data. This article isn't about those technical steps. It's about the practical, operational measures you can take now to prepare yourself and your company for the moments after an incident occurs. What's your emergency plan? Who would you want on your team? How would you communicate?

Few of us are good at preparing for the unexpected, but planning ahead will make life a lot easier if disaster strikes. And when it comes to ransomware, there's a good possibility it will. After the WannaCry attack in May, which infected some 300,000 computers in the first few days, the head of the FBI's Cyber Division called ransomware "a prevalent, increasing threat," and said attacks are likely to rise in future. Other reports also predict an increase.

With that in mind, here are seven steps you can take now to prepare yourself and your company for the moments after ransomware strikes. Some of these can be applied broadly to other critical incidents, while some are ransomware-specific.

1.  Plan your initial response. Your team members may not be used to dealing with stressful situations, so make sure they know what to do. This includes where they'll gather to discuss the problem, where press inquiries should be directed, and what to tell customers and staff. Most of the time, this means planning the who, what, when, and how. Once you have this plan, share it with your team ahead of time, and...

2.  Store your response plan in multiple locations. If your plan for incident response is stored on your PC and you're locked out, you can't even get started on your recovery. Ransomware can affect your desktop, your servers, or both. Store copies of your plan in multiple locations, including at least three separate cloud services. And set a calendar alert to remind yourself to update them periodically.

3.  Pick your team now. Who needs to be in the room in the moments after an incident occurs? Your CEO and CIO are a given, but you may also want your heads of PR, legal, HR, and other department chiefs. Draw up a list now and make sure everyone knows they're on it. Also, get their contact details for off-work hours, and share them with the rest of your team.

4.  Have a communications plan in place. You may find yourself locked out of your primary, preferred method of communication, so know which channels you'll fall back on. Email might not be an option, so prepare to use other means. If your smartphones are still working, collaboration apps can be a good way to communicate as a group — just make sure everyone has the app installed. But ransomware can also strike mobile devices, so as with all aspects of preparedness, have a backup. Storing phone numbers and personal email addresses in multiple locations is a good place to start.

5.  Decide now who'll take charge. There's a lot to do in the moments after an attack, including directing employees and contacting law enforcement, customers, and partners. Someone will need to oversee and manage the recovery effort and be ready to answer questions as they arise. It could be your CIO, COO, head of security, or someone else — but it's best to have a clear, single owner. Decide now who that will be, so the responsibility doesn't suddenly get dropped in their lap that morning.

6.  Have a discussion now about how you'll respond. Whether you decide to pay the ransom will likely depend on the severity and nature of the incident, but it's better to begin this conversation now than in the heat of the moment. The FBI has said it doesn't condone payment because it wants to discourage future attacks, but it also recognizes that every business will need to make its own decision. It can't hurt to start talking about this now, so your team is at least familiar with the trade-offs when a decision has to be made.

7.  Know your appetite for risk. You can't plan for everything, so figure out how much you risk you can tolerate — and how much potential harm you can deal with — and then make a trade-off. For example, some companies will do a disaster recovery exercise every month, to be sure they're always prepared. But that's a big time commitment, and others will opt for once a quarter. It all depends how much "insurance" you want built into the system. These are tough calls, but they need to be made deliberately and in advance.

If you're lucky, you'll never have to face a ransomware incident, but luck isn't how you run a business. Your technical teams will have put in a lot of work guarding against attacks and mitigating damage. But responding operationally, informing customers, and keeping the company moving forward falls to management. It's often hard to imagine a situation you've never been in, but try to picture that morning when your phone rings and you learn your company has been hit. Think about all the things you'll wish you'd have done — and start doing them now.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Patrick Hill is SRE Solutions Lead at Atlassian, a provider of team collaboration and productivity software that helps teams organize, discuss, and complete shared work. Teams at more than 100,000 organizations use Atlassian products including JIRA, Confluence, HipChat, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
11/7/2017 | 7:14:38 AM
All good points - for planning, now ACTION points
Have a tested and verified backup protocol for servers AND workstations in place.

Update it - do not assume July, 2003 is a good protocol for 2017.

Workstations should store data on SERVER whenever possible so it can be backed up as above.

Ensure your risk - time window is sollid, i.,e. 24 hours of latent data, 12 hours, etc.

TEST - TEST - TEST - Do not assume a human can think straight at 2am.  Solve problems NOW.

Update

Workstation rebuilds can be done in a wide range from a SIMPLE GHOST IMAGE to USB key boot over network to server or a PXE boot to server.  In this case, the image server is critical to get up, if compromised, for station rebiulds.  And THAT should be tested as well.

 

 

 
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.