Been Hit with Ransomware, now what?

Ransomware has really taken its toll on US critical infrastructure this year (oil & gas delivery and the food industry). Know that it is not a matter of if but when your enterprise is hit by a ransomware attack. According to Gartner, by 2025 at least 75% of IT organizations will face one or more ransomware attacks. Attacks of this type were reported up 700% in 2020, and they will continue to rise as digital transformation efforts expand attack surfaces.

So, what do you do? Hopefully you have a plan that triggers your Disaster Recovery (DR) process, because a ransomware attack is a DR event: it attacks your data. My take is that it is a new, more powerful form of Denial of Service (DoS) attack. This is written from an IT perspective with a few business items sprinkled in.

Step 1, take action: the remediation plan must be kicked off! Recall that nobody is coming to save you; it's up to you!

  • Take your LDAP / Active Directory servers offline ASAP (isolate them from the network rather than powering them off, so memory and logs survive for forensics)
  • I would take my DNS servers offline too
  • Then start to understand the blast radius of the attack. How much of the business was impacted? Did they get your key data stores / databases? This step is critical to knowing how much of your business has been impacted and the scope of the outage required to get back up and running
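To make the blast-radius step concrete, here is an added triage script (my own example, not code from the original post): it walks a share, flags files by ransom-note name, appended extension and byte entropy, tallies hits per top-level directory, and reports the earliest modification time among the hits as a first estimate of when encryption began. The indicator lists, the entropy threshold and the sample share it builds in a temp directory are all constructed assumptions; swap in the IOCs from your own incident.

```python
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Assumed indicator lists: generic patterns, not any one family's IOCs.
# Replace them with the extensions and note names seen in your incident.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme_for_decrypt.txt", "how_to_recover_files.txt"}
# Already-compressed formats are high entropy by nature; skip them so the
# entropy heuristic does not flag every archive and image as encrypted.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png",
                         ".mp4", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 65536     # only the first 64 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> Optional[str]:
    """Return 'note', 'renamed', 'high_entropy' or None for one file."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in RANSOM_NOTE_NAMES:
        return "note"
    if ext in SUSPECT_EXTENSIONS:
        return "renamed"
    if ext in COMPRESSED_EXTENSIONS:
        return None
    try:
        with open(path, "rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
    except OSError:
        return None  # unreadable file: record nothing rather than guess
    # Tiny files give unreliable entropy figures, so require a minimum size.
    if len(sample) >= 1024 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def triage(root: str) -> dict:
    """Summarise impact under root: hit counts per top-level directory and
    the earliest mtime among hits. Treat that time as an upper bound on the
    intrusion start: the attacker was inside before the first file changed."""
    per_dir: dict[str, Counter] = {}
    earliest: Optional[float] = None
    total = 0
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for fn in filenames:
            total += 1
            full = os.path.join(dirpath, fn)
            kind = classify(full)
            if kind is None:
                continue
            per_dir.setdefault(top, Counter())[kind] += 1
            mtime = os.path.getmtime(full)
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "total_files": total,
        "hit_files": sum(sum(c.values()) for c in per_dir.values()),
        "per_dir": {d: dict(c) for d, c in per_dir.items()},
        "first_encryption_estimate": None if earliest is None else
            datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat(),
    }


def build_sample_share() -> str:
    """Create a constructed share in a temp dir so the script runs offline:
    'finance' is hit, 'hr' is clean. Returns the root path."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    t0 = 1700000000  # 2023-11-14T22:13:20Z, the constructed first encryption
    victims = {  # relative name -> (content, mtime)
        "finance/payroll.csv": (os.urandom(4096), t0),  # encrypted in place
        "finance/ledger.xlsx.locked": (os.urandom(4096), t0 + 60),
        "finance/invoices.csv.locked": (os.urandom(4096), t0 + 120),
        "finance/q3_report.docx.locked": (os.urandom(4096), t0 + 180),
        "finance/README_FOR_DECRYPT.txt": (b"Your files are encrypted...", t0 + 200),
    }
    clean = {
        "hr/handbook.txt": b"The quick brown fox jumps over the lazy dog.\n" * 100,
        "hr/photo.jpg": os.urandom(4096),  # random bytes, but skipped as compressed
    }
    for rel, (content, mtime) in victims.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    for rel, content in clean.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_share()), indent=2))
```

Run it against a read-only mount or a snapshot of the share, never against the live infected volume, and remember the time it reports is when the attacker started encrypting, not when they got in; your forensics team will push the intrusion date earlier once they have the logs.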

Step 2, enact your recovery playbook: hopefully you have a solid plan that you have been performing dry runs against, so you know how much effort it will require based on the output from Step 1. Additionally, you can start your automation and orchestration recovery efforts.

However, I assume the reason you are here is that you need help jump-starting your plan. Recall that the bad guy has a plan; you need one too!

Here is a great quote that still holds: "Security is a process, not a product" - Bruce Schneier

If you don't have a developed plan, familiarize yourself with the NIST Cybersecurity Framework (CSF) https://www.nist.gov/cyberframework

as well as the CISA guidelines https://www.cisa.gov/stopransomware

Do you have a cyber insurance firm on retainer with a defined SLA? If not, get started on a current hardware and software inventory; you will need it when filling out their questionnaire.

Know that the basics must be sound before starting your efforts (layered security defenses, multi-factor authentication (MFA), logging everything every day, immutable snapshots, etc.)

Your playbook should be built on these factors:

  • Initiate your call list and start initial discussions internally
  • Recall your backup tapes (if you still use tape) and ready your immutable snapshots
  • It's about good data hygiene:
    • Recovery space: a review (quarantine) space, a staging space and a recovery space; you must determine when the compromise occurred so you know which copies of the data are clean
    • Establish the time to recovery!
    • Know that if you are hit with ransomware / malware and you pay the ransom, you will be able to unlock some data, but it will still be a restore event (think data consistency ruined in a database, where you must recover redo logs, etc.)
    • Define at what point you pay the ransom just to get the business moving in the right direction again (I would weigh the ransom cost against the hourly cost of your business being down)
    • Do you have crypto in your corporate treasury, or will you rely on the insurance firm's crypto stash to pay out?
  • Consistent logging from all systems (into one large pool)
  • Credential vaulting for all credentials
  • Multiple AI / analytics systems looking at all your data and logs
  • Running tabletop exercises with your executives at least annually, better twice a year, and with the board once a year
  • When to notify your cyber insurance firm
  • Do you have an IT forensics team you work with? When to notify them
  • When to notify law enforcement (which includes the FBI)?
    • Are you prepared for them to come in and take your storage arrays and other evidence?
  • Speed is king, as your business has been impacted.
  • Consistent communication, always top down and bottom up.
  • The executives and the board must also have their own playbook to run from, as they must have a plan to get in front of the press. Nobody wants their name blasted on the front page of the WSJ or any news site proclaiming they have been hacked!
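For the "ready your immutable snapshots", "determine when the compromise occurred" and "establish the time to recovery" items above, here is an added example (my own, not code from the original post) of choosing the restore point: it picks the newest snapshot taken before the estimated first encryption minus a dwell-time margin, accepts it only if its immutability lock is still in force, then reports the data-loss window and a restore-time estimate. The Snapshot fields, the catalog, the 48-hour margin, the first-encryption timestamp and the 500 MB/s throughput are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    name: str
    created: datetime                 # when it was taken (UTC)
    immutable: bool                   # taken under a retention (WORM) lock
    locked_until: Optional[datetime]  # when that lock expires; None if never locked
    size_bytes: int


def pick_restore_point(snapshots: List[Snapshot], first_encryption: datetime,
                       dwell_margin: timedelta, now: datetime) -> Optional[Snapshot]:
    """Newest snapshot older than (first_encryption - dwell_margin) that is
    still under an unexpired immutability lock.

    The margin matters because the first encrypted file only bounds when the
    attacker acted; they were usually inside for days before that, and a
    snapshot from that window restores their foothold along with the data.
    A snapshot whose lock has lapsed is not trusted either: an attacker with
    storage-admin rights could have deleted or altered it once the lock ended."""
    cutoff = first_encryption - dwell_margin
    candidates = [
        s for s in snapshots
        if s.created <= cutoff
        and s.immutable
        and s.locked_until is not None
        and s.locked_until > now
    ]
    return max(candidates, key=lambda s: s.created) if candidates else None


def estimate_restore_hours(snapshot: Snapshot, throughput_bytes_per_s: float) -> float:
    """Wall-clock hours to stream the snapshot back at a measured throughput
    (use the figure from your last dry run, not the vendor datasheet)."""
    return snapshot.size_bytes / throughput_bytes_per_s / 3600


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed inputs: nightly and weekly snapshots, including one where the
# lock was never applied and one whose lock already lapsed.
NOW = _utc(2023, 11, 15, 12, 0)
FIRST_ENCRYPTION = _utc(2023, 11, 14, 22, 13, 20)  # assumed output of share triage
DWELL_MARGIN = timedelta(hours=48)                  # assumed; tune to IR findings
TB = 10 ** 12
SAMPLE_SNAPSHOTS = [
    Snapshot("nightly-2023-11-14", _utc(2023, 11, 14, 2), True, _utc(2023, 12, 14, 2), 18 * TB),
    Snapshot("nightly-2023-11-13", _utc(2023, 11, 13, 2), True, _utc(2023, 12, 13, 2), 18 * TB),
    Snapshot("nightly-2023-11-12", _utc(2023, 11, 12, 2), False, None, 18 * TB),  # lock never applied
    Snapshot("nightly-2023-11-11", _utc(2023, 11, 11, 2), True, _utc(2023, 11, 14, 2), 18 * TB),  # lock lapsed
    Snapshot("weekly-2023-11-10", _utc(2023, 11, 10, 2), True, _utc(2024, 2, 10, 2), 18 * TB),
    Snapshot("weekly-2023-11-03", _utc(2023, 11, 3, 2), True, _utc(2024, 2, 3, 2), 18 * TB),
]


def demo() -> dict:
    """Run the selection on the constructed catalog and report the plan."""
    chosen = pick_restore_point(SAMPLE_SNAPSHOTS, FIRST_ENCRYPTION, DWELL_MARGIN, NOW)
    if chosen is None:
        return {"restore_point": None}
    return {
        "restore_point": chosen.name,
        # Data written after the snapshot and before encryption is lost unless
        # it can be replayed from logs: this is the RPO you actually achieved.
        "data_loss_seconds": int((FIRST_ENCRYPTION - chosen.created).total_seconds()),
        # 500 MB/s is an assumed restore throughput.
        "restore_hours": estimate_restore_hours(chosen, 500 * 10 ** 6),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed catalog the two newest nightlies fall inside the dwell margin, the next one was never locked and the one after that has an expired lock, so the weekly from 10 November is the first trustworthy restore point; the hours that result give you the time-to-recovery figure the playbook asks for, and the data-loss window tells you how much must be replayed from database redo logs or re-entered by the business.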

 

Summary: this planning and preparation is not a once-and-done scenario; it must constantly evolve as your IT environment evolves. For example, are you deploying IoT or edge computing devices? You had better know how insecure those devices are out of the box and how you will secure them on day 1. You have to practice, practice, practice; you thought your DR testing was complex before, now it will be an order of magnitude larger. Keep your DR playbook up to date too. I hope this saves you some time and pain and jump-starts your playbook efforts. Stay calm and collected; you are not the first nor will you be the last impacted by ransomware!
