Responding to a ransomware attack
mnashe
Hello All,
When it comes to responding to a ransomware attack in a corporate environment, what are the common first steps you'd take? For example, if a user contacts a helpdesk to say their files are encrypted and the user has the ransomware note on their machine, is the best course of action to simply isolate that machine to stop more files from being encrypted? Would you take it further and take down the entire network? I'm thinking that could be complicated for an enterprise with many branch offices, but more than complicated, is it overkill?
Likewise, what if a user calls a helpdesk to say their files are encrypted, but it's not their machine that was infected? How does that change the first actions?
I would think ransomware wouldn't typically spread? I suppose if 100 users got a phishing email that contained ransomware then sure it can easily spread that way.
Comments
SteveLavoie
It depends a lot on how big your enterprise is. Depending on your enterprise, you may or may not have an incident response plan. Then legal and insurance aspects must be considered too.
mnashe
Thanks @SteveLavoie. I don't have an incident response plan currently; my org is roughly 600 users spread throughout the US, Canada and London.
I'm trying to put a written plan in place on how to react to such an event. Right now, I rely on preventative measures. The other issue is, I don't have a SIEM right now; it was budgeted, but due to the pandemic it was cut.
My initial thought is, if I know a user in Chicago got infected with ransomware, why would I kick all users off the network and impact Canada and London? Maybe that's the wrong thinking, but that's what I'm attempting to figure out.
SteveLavoie
I am currently in the same position. I am working on formalizing the incident response plan for my business and improving our process for our customers (I operate an MSP business).
bigdogz
@mnashe Yes, malware can spread, and your mileage may vary.
You may need to outsource this if your organization can afford it.
If not, get a plan together ASAP.
Chances are they are in your network, probably looking at your email server and trying to obtain other information. There is a good chance that there is a key logger on at least one machine.
This is where your backups come into play, along with resetting all passwords on all physical and logical devices. Do not put anything in email, and use different forms of communication that are not being used by the organization, i.e. laptops and cellphones.
iBrokeIT
Mandiant (FireEye) has some great strategies in their "Ransomware Protection and Containment Strategies" whitepaper:
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf
mnashe
Thanks for the responses all. Outsourcing is not really an option. Are there any sample IR plans that you all would recommend?
UnixGuy
You might find this publication useful:
https://www.cyber.gov.au/media/2029
bigdogz
Here is one from NIST:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
...and one from SANS:
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Good luck!