Help, I've got ransomware. What do I do next?
A high level plan for detecting, responding and recovering from ransomware.
Our client portal provides all the tools you need to create, view or update your support requests.
For urgent IT support during business hours, or if you suspect anything suspicious call 01314528444 for the fastest response.
If one of our team has asked you to start a remote control session on your computer, use the remote control menu option above.
5 min read
itfoundations
Originally posted on September 17, 2024
Last updated on October 03, 2024
Cyber incidents cause significant damage to business and institutions across the world every year. Lost productivity, loss of reputation, confidential data leaks and in extreme cases loss of livelihood. Accepting the probability that this could affect you and planning for it will significantly reduce the risk and help you to recover faster.
A cyber incident is typically defined as any situation where a computer or network is used to inflict damage.
According to the UK's National Cyber Security Centre (NCSC), cyber incidents can manifest in various forms, including denial of service, malware, ransomware, or phishing attacks.
The UK cyber security breaches survey 2023 noted that businesses with a formal incident response plan are more likely to quickly identify and mitigate breaches, reducing downtime and financial losses.
Incidentally, they also noted that businesses with incident response plans are more likely to implement comprehensive cyber hygiene measures, such as up-to-date malware protection, password policies, and network firewalls which further reduces the impact of cyber attacks.
Having an incident response plan in place will help your team remain composed if a cyber attack occurs. Panicking and implementing knee-jerk reactions in the heat of the moment can increase the damage done by an attack.
The management team as a minimum. Finance, HR, Operations all need to be involved. There needs buy-in from the owners, board or trustees and you should also involve your IT team or IT support company. This last point is critical as they need to know how to react in the first instance and when to invoke the plan.
Now! Start now and if you apply the 80:20 rule to get as much done as you can with the minimum effort you will reap the reward. It's not a one time activity and it needs to be tested at least annually and every time you test it you can make it better.
By following the six steps below you can create your cyber incident response.
We'll take each of the above in turn and explain what you need to do to ensure you're ready if the worst should happen.
This may seem like an odd place to start but ensuring that you have good quality cyber insurance that will cover you in the event of an incident is crucial as the costs involved in recovering from an incident can be significant.
Your policy should cover:
Ideally, your insurer will have a specialist cyber incident team to guide you and your IT partner through the incident and ensure you can make a successful claim. Every insurer will have different requirements for how an incident is handled so it's important to contact them immediately if an incident occurs to avoid your IT team taking any measures that invalidate your claim.
Building an incident response team (often shortened to an IRT) with defined roles in the event of a cyber incident is important. It ensures that everyone knows their duties and there's no ambiguity over who is to do what.
You will need to appoint:
A team lead: to coordinate all aspects of your response. This person should be well-connected with the authority to make decisions
A technical lead: to implement your technical response (this may be your external IT partner if you don't have anyone technical within your team)
A legal lead: to liaise with your lawyers and formulate your legal position and response (this may be your lawyer)
A communications lead: to coordinate and manage all internal and external communications
Once you have identified your team they need to plan the steps that should be taken, in the order that they should be taken, if an incident occurs. Ideally, they should formulate variants depending on the type of cyber incident, albeit identifying the type of incident should form part of that documented procedure.
Your structure will look something like this:
The full plan should include contact details for all parties, along with backup contacts in case the primary contact is unavailable.
Your business continuity plan is key to minimising the business's loss of productivity during a cyber incident. We published a guide that goes into the topic of creating a business continuity plan in depth.
This plan should include your documented steps for how and where staff can work when your office or primary IT systems are offline. You need to consider whether:
Your disaster recovery plan is the stage that you would implement after your insurance company permits you to rebuild your systems. This is usually only after they have finished conducting their forensic examination to identify the cause and extent of the attack.
This involves rebuilding your computers, servers, networks, firewalls, and other technology from backups. It is becoming more common for attackers to target a company's backups to increase the chance of a ransom being paid to them. It's important to make sure that your backups are kept secure and separate with multiple copies available.
If the forensic examination has identified the source of the attack, it could be that malicious code is saved in all your backups in which case meticulous restoration at a granular level will be required which will take significant time (and therefore significant cost).
Identify the systems that you need to restore first (security and payroll are usually high on the priority list for most companies) and document the order that you want systems to be restored. This will assist your IT team.
Unfortunately, once you've completed the above steps you are not finished.
Your plans need to be practised with staff in dry runs and rehearsals, focussing on different types of pretend cyber incidents.
Each time you run through the cyber response plan you should identify areas for improvement and update your plans until you are confident that they cover as much as you can reasonably prepare for and everyone knows their roles.
The NCSC's exercise in a box is a great place to start with planning and testing your incident response plans.
It's a provides free exercises that cover a variety of scenarios to help you and your senior staff to craft and refine your response procedures in the event of a cyber attack.
If you would like assistance with your incident response planning then we can help you. Just get in touch with your team of cyber experts today.
A high level plan for detecting, responding and recovering from ransomware.
3 min read
No business wants to suffer a data breach. But unfortunately, in today’s environment, it’s difficult to completely avoid them. Approximately 83% of...
A comprehensive continuity plan can help address all sorts of threats that can disrupt your business.