Responding to a ransomware attack

mnashe (Member, Posts: 136)
Hello All,

When it comes to responding to a ransomware attack in a corporate environment, what are the common first steps you'd take? For example, if a user contacts a helpdesk to say their files are encrypted and the user has the ransomware note on their machine, is the best course of action to simply isolate that machine to stop more files from being encrypted? Would you take it further and take down the entire network? I'm thinking that could be complicated for an enterprise with many branch offices, but more than complicated, is it overkill?

Likewise, what if a user calls a helpdesk to say their files are encrypted but it's not their machine that was infected? How does that change the first actions?

I would think ransomware wouldn't typically spread? I suppose if 100 users got a phishing email that contained ransomware then sure, it can easily spread that way.


  • SteveLavoie (Member, Posts: 1,133)
    It depends a lot on how big your enterprise is. Depending on your enterprise, you may or may not have an incident response plan. Then the legal and insurance aspects must be considered too.
  • mnashe (Member, Posts: 136)
    edited October 2020
    Thanks @SteveLavoie. I don't have an incident response plan currently; my org is roughly 600 users spread throughout the US, Canada and London.

    I'm trying to put a written plan in place on how to react to such an event. Right now, I rely on preventative measures. The other issue is, I don't have a SIEM right now; it was budgeted, but due to the pandemic, it was cut.

    My initial thought is, if I know a user in Chicago got infected with ransomware, why would I kick all users off the network and impact Canada and London? Maybe that's the wrong thinking, but that's what I'm attempting to figure out.
  • SteveLavoie (Member, Posts: 1,133)
    I am currently in the same position: I am working on formalizing the incident response plan for my business and improving our process for our customers (I operate an MSP business).
  • bigdogz (Member, Posts: 881)
    Yes, malware can spread and your mileage may vary.

    You may need to outsource this if your organization can afford it.
    If not, get a plan together ASAP.
    Chances are they are in your network, probably looking at your email server and trying to obtain other information. There is a good chance that there is a key logger on at least one machine.
    This is where your backups come into play, and resetting all passwords on all physical and logical devices. Do not put anything in email, and use different forms of communication that are not being used for the organization, i.e. laptops and cellphones.
  • iBrokeIT (Member, Posts: 1,318)
    Mandiant (FireEye) has some great strategies in their "Ransomware Protection and Containment Strategies" whitepaper:
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • mnashe (Member, Posts: 136)
    Thanks for the responses, all. Outsourcing is not really an option. Are there any sample IR plans that you all would recommend?
  • UnixGuy (Mod, Posts: 4,564)
    You might find this publication useful: