Ransomware Response Plan

The cybersecurity industry is a unique community, one where we find collaboration beats competition 100% of the time. When one of us suffers an attack, we all do.

In the spirit of collaboration, I am providing a generalized Ransomware Response Plan (RRP) that is free to use, adopt, and modify to fit your needs. The ability to respond quickly to any ransomware activity is the one thing every security professional can control, regardless of technology.

This plan is simplified to provide concrete steps in the event of ransomware activity. Supplemental documents and plans may also be needed, such as an Incident Response Plan, a Disaster Recovery Plan, a Threat Level policy, or a Ransomware Recovery Committee. The purpose of the RRP is to have documented procedures for responding to ransomware. I hope this plan provides you a framework for testing and responding to today's ransomware.

Confirm the activity is ransomware related (see Threat Level policy)

  • Low confidence is needed to confirm if the threat level is RED
  • Medium confidence is needed to confirm if the threat level is YELLOW
  • High confidence is needed to confirm if the threat level is GREEN

Engage internal and external Incident Response (IR) teams (see Incident Response Plan)

Reset all admin and privileged account passwords (this will be needed multiple times)

  • Privileged accounts are defined as any account within IT that has the rights of Domain Admin, Global Admin, or Enterprise Admin, or any account whose characteristics indicate admin or privileged access. (This includes Service Accounts (SA).)
  • This process may be needed multiple times throughout the incident

Communicate with internal stakeholders

  • This template may be used: "Hello, we are currently investigating a security incident that is impacting most IT systems. This means logging in and accessing most applications may be unavailable. We do not have an expected time to recover but will communicate regular updates every 15-30 minutes. Please inform your teams of this impact. Any request for service will be delayed."

Contain source and impacted devices

  • This may be an action taken with an EDR tool, or by physically or logically isolating the impacted devices

Confirm impacted devices

  • A central list on SharePoint or similar storage site should be kept and updated by the Incident Manager

Confirm data theft

  • Using network logs, the SIEM, or any other means available, confirm all data exfiltration from the time of entry to the present

Engage backup and recovery teams

  • Follow disaster recovery plans

Confirm recovery timelines and validate after restoration

Identify point of entry and propagation technique

  • Enable additional defenses to prevent the threat
  • Collect a list of Indicators of Compromise (IOCs) (defang any URLs or IPs)
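As an added example that is not part of the original plan, the following Python helper defangs the indicators collected in this step so that URLs, IPs, domains and e-mail addresses in the IOC list cannot be clicked, auto-linked or resolved by accident. The sample indicators are constructed documentation values, not real infrastructure.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample of raw indicators, one per line, as an analyst might
# paste them into the incident's central IOC list (documentation values only).
RAW_IOCS = """
http://malware.example.com/payload.exe
198.51.100.23
c2.example.net
phish@example.org
not an indicator
"""

def _dot(s: str) -> str:
    """Replace every dot so the value no longer resolves or auto-links."""
    return s.replace(".", "[.]")

def classify(ioc: str) -> str:
    """Return 'url', 'ip', 'email', 'domain' or 'unknown' for one indicator."""
    if re.match(r"^(https?|ftp)://", ioc, re.IGNORECASE):
        return "url"
    try:
        ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", ioc, re.IGNORECASE):
        return "email"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", ioc, re.IGNORECASE):
        return "domain"
    return "unknown"

def defang(ioc: str) -> str:
    """Defang one indicator; strings of unknown type are returned unchanged."""
    kind = classify(ioc)
    if kind == "url":
        parts = urlsplit(ioc)            # urlsplit lowercases the scheme
        scheme = parts.scheme.replace("http", "hxxp").replace("ftp", "fxp")
        rest = ioc.split("://", 1)[1]    # host[:port] followed by path
        host = rest[:len(parts.netloc)]  # only the host part gets [.]
        return f"{scheme}://{_dot(host)}{rest[len(parts.netloc):]}"
    if kind in ("ip", "domain"):
        return _dot(ioc)
    if kind == "email":
        local, host = ioc.rsplit("@", 1)
        return f"{local}[@]{_dot(host)}"
    return ioc

def defang_list(text: str) -> list:
    """Defang every non-empty line of text; returns (type, defanged) pairs."""
    return [(classify(line.strip()), defang(line.strip()))
            for line in text.splitlines() if line.strip()]
```

Run `defang_list(RAW_IOCS)` to get the typed, defanged list ready to paste into the shared IOC record; anything classified as unknown is left untouched for an analyst to review.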

Assess likelihood of recovery and damage

  • Communicate with stakeholders and allow the Ransomware Recovery Committee (RRC) to determine if a ransom is to be paid or if recovery objectives are reasonable. Additionally, the committee may determine if there are any negative impacts associated with not paying the ransom.

Contact Law Enforcement (and ransomware negotiation team if needed)

Engage internal compliance and legal teams on notification requirements

Close incident activities and remain at threat level RED for 2 weeks following the event

Conduct a lessons learned review no more than 4 weeks after the incident.

What do you think? Did I miss any steps? How would you adopt and test an RRP?
