What Is Ransomware Response?
Why Every Organization Needs a Ransomware Response Plan
Ransomware attacks are on the rise. For most threat actors, ransomware attacks make for easy paydays. All they need to do is fire off a few phishing emails with a malicious payload; eventually, someone will have to pay the ransom.
Some particularly enterprising threat actors have even begun offering Ransomware-as-a-Service, applying the managed services business model to their criminal activities.
No business is too great or small to be targeted by ransomware. Threat actors do not discriminate, nor does their malicious software. If an organization suffers a ransomware attack without a clear plan, the attack could cripple the organization.
Key Components of Ransomware Response
The key components of a ransomware response plan include addressing:
- Ownership: Who is responsible for overseeing the response process? Who will manage communication with stakeholders?
- Detection: What systems exist to identify and detect ransomware as it surfaces in a network?
- Containment: What steps will the organization take when it identifies a ransomware attack?
- Recovery: How will the organization recover from a successful ransomware attack?
- Testing: What measures are in place to regularly test and refine the ransomware response plan?
- Training: How frequently will employees undergo training and drills to help them learn the response process?
- Post-response: What measures are in place for assessing the efficacy of the organization’s incident response process? How will the organization manage recovery and remediation in the long term?
- Review: Lastly, an organization’s incident response policy should include a systematic review of the policy and individual plans in the interest of continuous improvement—an effective incident response strategy must change and evolve alongside the organization that implements it.
Best Practices for Responding to a Ransomware Attack
If your organization is targeted by ransomware, there are a few best practices you should follow—and incorporate into your ransomware response plan:
- Ensure there’s a means of identifying the scope of the attack, such as via an Endpoint Protection Platform (EPP). This will warn you of an attack and, in some cases, may shut the ransomware down before it can gain a foothold
- Disable and airgap any affected systems immediately
- Ensure you have a clear recovery plan and communicate openly with stakeholders at every stage
- Maintain multiple backups of critical files and systems
- Ensure your organization has a recovery plan in place
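The first two practices above (detecting the attack early and establishing its scope) are where an EPP or a SIEM rule does its work. The following is an added example, not code from the original page or from any particular product: a small Python detector that runs two common heuristics over file-system audit events. It flags a burst of renames by one process to a single new extension within a short window, and the creation of a file whose name looks like a ransom note, then summarises which hosts and paths were touched so the containment step has a starting point. The log line format (`timestamp host process action path`), the sample events, the thresholds and the note-keyword list are all constructed assumptions for this example and would need tuning against a real environment's baseline.

```python
"""Heuristic detection of ransomware-like file activity over audit events.

Added example with a constructed log format; not from any real product.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events. Paths use forward slashes and contain no spaces.
# ws-12 shows a rename burst plus a note; ws-07 shows ordinary user activity.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 ws-12 winword.exe WRITE C:/Users/ana/Documents/q1.docx
2024-05-01T09:00:05 ws-12 excel.exe WRITE C:/Users/ana/Documents/budget.xlsx
2024-05-01T09:02:10 ws-07 svchost.exe WRITE C:/Windows/Temp/log.txt
2024-05-01T09:03:00 ws-12 updater.exe RENAME C:/Users/ana/Documents/q1.docx.locked
2024-05-01T09:03:01 ws-12 updater.exe RENAME C:/Users/ana/Documents/budget.xlsx.locked
2024-05-01T09:03:01 ws-12 updater.exe RENAME C:/Users/ana/Documents/notes.txt.locked
2024-05-01T09:03:02 ws-12 updater.exe RENAME C:/Users/ana/Pictures/cat.jpg.locked
2024-05-01T09:03:02 ws-12 updater.exe RENAME C:/Users/ana/Pictures/dog.jpg.locked
2024-05-01T09:03:03 ws-12 updater.exe CREATE C:/Users/ana/Desktop/HOW_TO_DECRYPT.txt
2024-05-01T09:10:00 ws-07 explorer.exe RENAME C:/Users/bob/old_report.pdf
"""

# Tunables (assumed values): a burst is this many renames by one process on
# one host, all to the same extension, within the window.
RENAME_THRESHOLD = 5
WINDOW_SECONDS = 60
# Assumed keyword heuristic for ransom-note filenames.
NOTE_KEYWORDS = ("decrypt", "recover", "ransom", "readme")
NOTE_SUFFIXES = (".txt", ".html", ".hta")


def parse_event(line):
    """Split one constructed log line into its fields; RENAME carries the new path."""
    ts, host, process, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": process, "action": action, "path": path}


def extension(path):
    """Lower-cased final extension of the file name, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines):
    """Return {host: [alert, ...]} for hosts showing ransomware-like activity."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path) renames
    fired = set()                 # keys already alerted on, to avoid repeats
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["process"])
        if ev["action"] == "RENAME":
            window = recent[key]
            window.append((ev["ts"], ev["path"]))
            # Drop renames older than the sliding window.
            while (ev["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            exts = {extension(p) for _, p in window}
            # Uniform new extension across a burst is the tell-tale pattern.
            if len(window) >= RENAME_THRESHOLD and len(exts) == 1 and key not in fired:
                fired.add(key)
                alerts[ev["host"]].append({
                    "reason": "rename_burst",
                    "process": ev["process"],
                    "extension": exts.pop(),
                    "paths": [p for _, p in window],
                })
        elif ev["action"] == "CREATE":
            name = ev["path"].rsplit("/", 1)[-1].lower()
            if name.endswith(NOTE_SUFFIXES) and any(k in name for k in NOTE_KEYWORDS):
                alerts[ev["host"]].append({
                    "reason": "ransom_note",
                    "process": ev["process"],
                    "paths": [ev["path"]],
                })
    return dict(alerts)


def affected_scope(alerts):
    """Hosts and the distinct paths touched by alerting activity: the input to containment."""
    return {host: sorted({p for a in host_alerts for p in a["paths"]})
            for host, host_alerts in alerts.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS.splitlines())
    for host, paths in affected_scope(found).items():
        reasons = ", ".join(a["reason"] for a in found[host])
        print(f"{host}: {reasons}; {len(paths)} affected paths")
```

Run as a script, the detector reports only `ws-12`, with both the rename burst (`updater.exe` writing `.locked`) and the ransom note, and lists six affected paths; the single rename on `ws-07` stays below the threshold. In a real deployment the events would come from an EDR or file-audit feed, the threshold and window would be set from observed baseline rename rates, and the `affected_scope` output is what feeds the "disable and air-gap affected systems" step.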