Ransomware Playbook

Cyber security is the bread and butter of any company these days. Every organization needs security put in place to protect their system and keep data protected. It’s key to plan, prepare, and scan for threats. But even with all the preparation in the world, the best security in the world can’t stop every single threat from ever making it through your security plan.

That’s why every company needs a plan of action to put into place immediately when there’s a potential threat. If an attack makes it through your walls, it’s already too late to make a plan. The time to get your plan nailed down is now. Failing to plan ahead for a crisis is planning to fail to protect your data.

A ransomware attack can be scary. There’s high risk, a lot on the line, and little time to act. But preparing now to handle a ransomware attack is crucial to protecting your system and data. There are plans you can have in place now, so if you’re ever faced with a ransomware attack, you already know what you’ll do and how to handle it quickly to mitigate the threat. Having a ransomware playbook is a must in today’s world, and we have your ransomware playbook right here.

What Is Ransomware?

Here’s ransomware explained to better understand how an attack might unfold. Ransomware is a subcategory of malware where the malicious attackers use malware to get you to pay a ransom. With ransomware, the attacker will corrupt your data files in a way that makes them unusable and unaccessible. The attackers will then demand a ransom be paid for you to ever get access to the files again. Many attackers threaten to release the files and data on the internet if the sum of money isn’t paid.

What Are the Most Common Forms of Ransomware?

Ransomware can enter a system in many different ways, but what are the most common forms of ransomware?

Phishing is an attack that gets system users to click on and open a malicious link or file. Often these links or files will come through a mass email that looks like it might be from a legitimate source (like a bank or the CEO of the company). All it takes is one user to allow an attacker in by clicking the link. When someone clicks on the link, the attacker can execute commands using those credentials. They can also build themselves a backdoor into the system that they can access later to put the ransomware into place.

Drive-by download
Drive-by downloads are when a user downloads the ransomware on accident by visiting a malicious site. On the site they might click on a download, and that provides the attacker with a way into the system where they can plant malware and begin a ransomware attack.

Malvertising uses legitimate online advertisements to lure users in but replaces the code with something that leads to downloading malware. A user will click on the ad only for it to take them to a malicious website or to download malware.

Exposed services
Exposed services, like Remote Desktop Protocol (RDP), allow access to your system and can be a way in for ransomware. Attackers might exploit a vulnerability in these services or use password spraying to get access to your system this way and release ransomware into your network.

Ransomware aids
These aren’t traditional vectors for a ransomware attack, but they are available options for a ransomware attack.

  • Third parties and managed service providers (MSP) can be used by attackers in phishing attacks. Essentially the MSP credentials would be used in spoof emails to trick users into allowing malware into the system.
  • Supply chain attacks are when attackers force an update to infect all of their devices with ransomware. Supply chain security can help reduce this risk.
  • Ransomware as a Service (RaaS) is a service where potential attackers buy ransomware on the dark web from malicious developers. The developers receive a cut of the ransom if the attack is successful.

What Is a Ransomware Playbook?

Once ransomware is detected, it’s too late. Your system has been compromised, and there’s no more time to plan. That’s why you need a plan in place long before your system is ever attacked. You need a plan to lower the risk of an attack and mitigate the impact of an attack. A ransomware playbook is your plan to handle ransomware in a way that protects as much data as possible and reduces the risk of future attacks.

Your Ransomware Playbook Quick Guide

Here we have your quick guide ransomware playbook to help you get your ransomware plan in place quickly. Since it is a quick guide, make sure it isn’t exclusively everything you’re doing. But this quick guide should provide you with the necessary information to begin shaping your ransomware playbook now, so you’re prepared for the unexpected. Here are the basic steps for your ransomware playbook:

Don’t panic
Ransomware attacks can be scary, and many people’s first instinct is to panic. But panicking can lead to future problems and throw your entire ransomware playbook into chaos. So the first thing to do when you’re aware of a ransomware attack is to stay calm and move forward with your plan meticulously.

Determine the type of ransomware
Once you’ve contained the attack as much as possible by removing infection, you need to determine what type of ransomware you’re dealing with, so you can move forward with mitigating the attack. To find the type, look for any related messages in the system. Analyze the message for clues for what type of ransomware you might be working with. If you can’t utilize messages, the encrypted files themselves can help you figure it out. Look for what files have been renamed to. Once you’ve gathered clues, use a ransomware ID software to determine what you’re up against.

Determine the scope
When an attack is underway, you also need to figure out how big the scope of the attack is. Scan your system for concrete indicators of compromise. Try to determine what data might be corrupted by the ransomware. It’s important to see how much of your system might be compromised or at risk of being compromised if you don’t take action.

Remove infected systems
To keep the attack as contained as possible, you need to remove the infected systems from the environment as much as possible. Removing systems could be something physical like unplugging a device, or it could be more digital where you need to remove infected assets to keep it from infecting adjacent assets.

Assess the impact
Once you’ve contained as much as you can, it’s time to determine how much impact the attack could have. There are two areas you need to assess: how much is at risk with the ransom and how sensitive the corrupted data is. A high ransom is high risk for your company, but highly sensitive data is also at high risk if it’s released on the internet.

Once you’ve assessed the impact and weighed the decision of what to do with the ransom, you need to restore your data from a thorough backup. Investing in a good data backup is important preparation for protecting your data, especially in a ransomware attack.

Issue new assets
Once the data is back up, it’s time to issue new assets to replace the ones that were corrupted, so you can fully close up your system. Your team will want to make sure you have enough assets to issue new ones without delays. No team will want to wait a week for new computers after an attack.

Avoid future attacks
Once you’ve mitigated the attack, it’s time to try to avoid future attacks. Close off the system from similar type attacks and make sure the current breach is closed off from a duplicate attack.

Ontinue Is Your Ransomware Playbook

At the end of the day, ransomware attacks can be scary and catastrophic—but they don’t have to be when you have a plan in place and your ransomware playbook ready to go. Ontinue is your ransomware playbook to guide you through the process of handling a ransomware attack. From start to finish, we can help you prepare for ransomware attacks. The Ontinue ION MXDR service is your first line of defense and ransomware playbook all in one.

Contact us today to learn what we can do for your organization.