Sponsored By

Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

What Are Some of the Must-Have Steps in a Ransomware Response Plan?What Are Some of the Must-Have Steps in a Ransomware Response Plan?

What should organizations be sure to include in a ransomware response plan, and which steps are commonly missed?

Liam O’Murchu

August 6, 2021

2 Min Read
Employees in crisis meeting
(Image: AVAVA via Adobe Stock)

Question: What are some of the must-have steps in a ransomware response plan?

Liam O’Murchu, director, Symantec Security Technology and Response Group: Unfortunately, it's still necessary to emphasize that people need to have a plan, and that the plan needs to be an organization-wide plan – not just a security team plan. Often the business recovery plan does not take this type of incident into account. We also see that all companies have data backup plans, but not all have tested those backups. An active ransomware attack is not the time to discover a flaw in your backup strategy.

Recent examples have shown that although companies had an accurate and available backup of their data, it would take weeks to restore the data, forcing companies to pay the ransom to expedite business recovery. The response plan should specify what teams need to be involved and what their responsibilities are. It is important that teams have practiced their roles in advance so that execution can happen quickly when needed. The plan should emphasize immediate action to limit the spread and damage of an attack, frequent and clear communication on current status and actions, and the commencement of an analysis of the intrusion. Recovery will be hampered if the attacker can return during that period. In many cases, machines need to be turn off or isolated, credentials need to be changed, patches need to be applied, and analysis needs to be completed before even considering restoring data.

A common step we see missed is not having tested and practiced the response plan. Speed is of the essence when a ransomware attack is in progress, and teams need to clearly know what their role is and their key contacts in the organization so they can execute efficiently and access the resources they need.

The plan should, of course, start before an incident escalates to a widespread problem. Now that ransomware gangs are decreasing their dwell time, some moving from intrusion to encryption in just a few hours, there needs to be an increased focus on protection rather than detection. Ransomware gangs have also started to respond quickly to vulnerability announcements and are rapidly using exploits shortly after patches for the vulnerabilities are released. We have seen many cases where organizations were on the path to patching but the attackers exploited the system first. Many organizations are not aware of this increase in speed from ransomware gangs. The huge ransom payments we have seen recently, reportedly up to $40M, have incentivized ransomware gangs to move ever faster with their attacks. Many organizations have not factored that into their response planning.

About the Author(s)

Liam O’Murchu

Liam O’Murchu, Director, Symantec, Division of Broadcom, Security Technology and Response Group

Liam O’Murchu is a director with the Security Technology and Response group at Symantec, a division of Broadcom. Over
the past 15 years, Liam has investigated and responded to the most sophisticated cyberattacks ever –
from professional cybercriminals targeting financial institutions to government-backed threats targeting
critical infrastructure. He has worked with law enforcement to pursue malware authors and disrupt
botnets, and his analysis and testimony have helped secure lengthy cybercriminal convictions. His
analysis of Stuxnet's objective to disrupt uranium enrichment in Iran is recounted in the book
Countdown to Zeroday. He is currently spearheading the effort to combine threat-specific knowledge
with behavior analysis to automate attack surface reduction.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights