The Definitive Incident Response Guide to Ransomware Attacks


by Anastasios Arampatzis 


When it comes to ransomware, failing to prepare is a sure recipe for disaster. Attackers may (and eventually will) get past your defenses, and when they do you had better be ready to respond effectively and efficiently. An effective response plan can mean the difference between panic and decisive action, between a company-wide infection and a contained incident, and between swift remediation and permanent business closure. 

This guide, while not exhaustive, covers the steps every business should follow to respond to a ransomware attack and limit its impact. 

How to respond to a ransomware attack 

If preventive measures fail, organizations should take the following steps immediately after identifying a ransomware infection.

  1. Isolate infected systems

Isolation is the top priority. Most ransomware variants scan the target network, encrypt files stored on network shares and try to propagate laterally to other systems. To contain the infection and stop it from spreading, infected systems must be removed from the network as soon as possible: pull the network cable, disable Wi-Fi, or quarantine the switch port or VLAN. Isolate at the network layer rather than powering the machine off, so that volatile memory, running processes and any keys still held in RAM remain available to investigators. Machines that merely behave suspiciously should be isolated too, even if no encryption is visible on them yet. 

  2. Secure backups

Backups play a crucial role in remediation. However, it is important to remember that they are not immune to ransomware. To thwart recovery efforts, ransomware gangs specifically target a company's backups to encrypt, overwrite, or even delete them. In the event of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems (including the administrative credentials that can reach them) until the infection is resolved. Before relying on any backup for recovery, verify that it predates the intrusion and that it was not reachable from the compromised network. 

  3. Disable automated maintenance tasks

Organizations should immediately disable automated maintenance tasks such as temporary file removal and log rotation on affected systems. These tasks can destroy files that may be useful for investigators and forensics teams. For example, log files may contain valuable clues regarding the initial point of infection, while some poorly programmed ransomware variants store important information (such as encryption keys) in temporary files. 

  4. Create backups of the infected systems

Victim businesses should create backups or forensic images of the infected systems after isolating them from the network (see step 1), and work only on copies from then on. There are two main reasons for doing so: 

  • Prevent data loss – Some ransomware decryptors contain bugs that can damage data. For instance, the Ryuk decryptor was known to truncate files, cutting off the last byte of each file during decryption. While this caused no visible problems for some file formats, other file types – such as Oracle and MySQL database files – store important information in the last byte and were at risk of being corrupted after decryption. Having a backup of the infected systems preserves data integrity: if something goes wrong during decryption, you can roll the systems back and repeat the decryption. 
  • Decrypt files for free in the future – If the encrypted data is not critical to an organization's operations and does not need to be recovered urgently, it should be backed up and stored securely, because there is a chance it can be decrypted later. When law enforcement agencies take down ransomware operators, the seized decryption keys are often released and victims can recover their data for free. 
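
The truncation bug described above is easy to miss because a file that lost its last byte still opens in many applications. One practical check, written here as an added example rather than code from the original article, validates decrypted files by the end-of-file marker their format requires (PNG's IEND chunk, JPEG's FF D9, PDF's %%EOF, ZIP's end-of-central-directory record). The sample PNG and ZIP are constructed inline; the format list, function names and the 1 KiB/65535-byte search windows are this example's own choices, not anything the article specifies.

```python
"""Trailer check for decrypted files (added example, not from the article).

Run a decryptor only against a copy of the encrypted data, then validate
that each recovered file still ends with the marker its format requires.
A decryptor that drops the last byte, the failure mode the Ryuk bug
illustrates, produces files that fail this check and can be re-decrypted
from the pre-decryption image instead of being silently accepted.
"""
import io
import struct
import zipfile
import zlib
from pathlib import Path


def _png_ok(data: bytes) -> bool:
    # A PNG ends with the IEND chunk: length 0, type "IEND", CRC 0xAE426082.
    return data.endswith(b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")


def _jpeg_ok(data: bytes) -> bool:
    # JPEG streams end with the EOI marker FF D9.
    return data.endswith(b"\xff\xd9")


def _pdf_ok(data: bytes) -> bool:
    # A PDF ends with %%EOF, optionally followed by line-ending whitespace.
    return data[-1024:].rstrip(b"\r\n\t ").endswith(b"%%EOF")


def _zip_ok(data: bytes) -> bool:
    # The end-of-central-directory record is 22 bytes plus a comment of at
    # most 65535 bytes; its comment-length field must match what follows it.
    tail = data[-(22 + 65535):]
    pos = tail.rfind(b"PK\x05\x06")
    if pos < 0 or len(tail) - pos < 22:
        return False
    comment_len = struct.unpack_from("<H", tail, pos + 20)[0]
    return len(tail) - (pos + 22) == comment_len


# (magic bytes at offset 0, format name, trailer validator)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", _png_ok),
    (b"\xff\xd8\xff", "jpeg", _jpeg_ok),
    (b"%PDF-", "pdf", _pdf_ok),
    (b"PK\x03\x04", "zip", _zip_ok),
]


def check_bytes(data: bytes):
    """Return (format, verdict): True/False for a known format, None otherwise."""
    for magic, name, tail_ok in SIGNATURES:
        if data.startswith(magic):
            return name, tail_ok(data)
    return "unknown", None


def verify_tree(root: Path) -> dict:
    """Classify every file under root as ok / truncated / unknown."""
    report = {"ok": [], "truncated": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        fmt, verdict = check_bytes(path.read_bytes())
        bucket = "unknown" if verdict is None else ("ok" if verdict else "truncated")
        report[bucket].append((str(path.relative_to(root)), fmt))
    return report


def _chunk(ctype: bytes, body: bytes) -> bytes:
    # PNG chunk: 4-byte length, type, body, CRC32 over type + body.
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not a victim file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")  # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_sample_zip() -> bytes:
    """Constructed single-entry ZIP used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "good.png").write_bytes(make_sample_png())
        (root / "cut.png").write_bytes(make_sample_png()[:-1])  # simulate a 1-byte truncation
        (root / "cut.zip").write_bytes(make_sample_zip()[:-1])
        (root / "notes.bin").write_bytes(b"no known signature")
        print(verify_tree(root))
```

Files that land in the "truncated" bucket are the ones to restore from the image taken in this step and decrypt again; files in "unknown" still need a format-specific check (a database file, for example, should be opened with its own engine's integrity check rather than assumed good).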

  5. Quarantine the malware

Victims should never wipe, delete, or reformat infected systems unless instructed to do so by the responders handling the case. Instead, the malware should be quarantined, which allows investigators to analyze the infection and identify the exact strain of ransomware responsible for encrypting the files. Keep the ransom note and a few encrypted sample files together with the binary: the note and the extension appended to encrypted files are usually what identifies the strain and determines whether a free decryptor exists. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack. 

  6. Identify and investigate patient zero

Identifying patient zero (i.e. the source of the infection) is crucial for understanding how the attackers gained access, what else they did while they were on the network, and the extent of the infection. Note that the machine on which encryption was first noticed is not necessarily the machine through which the attackers entered; file-server audit logs, EDR telemetry and authentication logs usually have to be correlated to trace the chain back. Finding the source is useful not only for resolving the current incident but also for closing the vulnerabilities it exposes and reducing the risk of future compromise. 
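
A first cut at this triage is to look for the host that began mass-renaming files to a new extension earliest. The following is an added example (not code from the article): it parses a constructed file-server audit log, counts renames that change a file's extension per host in a sliding window, and reports hosts in the order their rename bursts started. The log format, host and user names, the `.lckd` extension and the threshold/window values are all this example's own assumptions; a real deployment would plug in the audit-log format of the file server or EDR in use.

```python
"""Patient-zero triage from file-server rename events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PurePosixPath

# Constructed audit-log excerpt (not real data). WS-104 starts mass-renaming
# first, WS-222 follows minutes later, WS-017 only performs ordinary renames.
SAMPLE_LOG = """\
2024-03-03T02:10:58Z host=WS-104 user=jdoe op=WRITE path=/shares/finance/Q1.xlsx
2024-03-03T02:11:07Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/Q1.xlsx new=/shares/finance/Q1.xlsx.lckd
2024-03-03T02:11:09Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/Q2.xlsx new=/shares/finance/Q2.xlsx.lckd
2024-03-03T02:11:10Z host=WS-017 user=asmith op=RENAME path=/shares/hr/draft.docx new=/shares/hr/final.docx
2024-03-03T02:11:12Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/budget.docx new=/shares/finance/budget.docx.lckd
2024-03-03T02:11:15Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/ledger.csv new=/shares/finance/ledger.csv.lckd
2024-03-03T02:11:18Z host=WS-104 user=jdoe op=WRITE path=/shares/finance/HOW_TO_RECOVER.txt
2024-03-03T02:11:19Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/plan.pptx new=/shares/finance/plan.pptx.lckd
2024-03-03T02:11:23Z host=WS-104 user=jdoe op=RENAME path=/shares/finance/notes.txt new=/shares/finance/notes.txt.lckd
2024-03-03T02:14:02Z host=WS-017 user=asmith op=RENAME path=/shares/hr/scan.pdf new=/shares/hr/scan.pdf.bak
2024-03-03T02:19:40Z host=WS-222 user=svc-backup op=RENAME path=/shares/eng/spec.pdf new=/shares/eng/spec.pdf.lckd
2024-03-03T02:19:41Z host=WS-222 user=svc-backup op=RENAME path=/shares/eng/arch.png new=/shares/eng/arch.png.lckd
2024-03-03T02:19:43Z host=WS-222 user=svc-backup op=RENAME path=/shares/eng/build.zip new=/shares/eng/build.zip.lckd
2024-03-03T02:19:44Z host=WS-222 user=svc-backup op=RENAME path=/shares/eng/readme.md new=/shares/eng/readme.md.lckd
2024-03-03T02:19:47Z host=WS-222 user=svc-backup op=RENAME path=/shares/eng/main.c new=/shares/eng/main.c.lckd
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def find_patient_zero(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Hosts whose extension-changing renames hit `threshold` within `window_s`
    seconds, ordered by when that burst started. Element 0 is the candidate
    patient zero on the file server; confirm it against endpoint telemetry."""
    recent = defaultdict(deque)      # host -> timestamps of suspicious renames in window
    renames = defaultdict(int)       # host -> total suspicious renames
    extensions = defaultdict(set)    # host -> new extensions seen
    bursts = {}                      # host -> summary, set when the burst is first detected
    for ev in parse_log(log_text):
        if ev["op"] != "RENAME" or not ev["new"]:
            continue
        if PurePosixPath(ev["path"]).suffix == PurePosixPath(ev["new"]).suffix:
            continue  # ordinary rename, extension unchanged
        host = ev["host"]
        renames[host] += 1
        extensions[host].add(PurePosixPath(ev["new"]).suffix)
        q = recent[host]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and host not in bursts:
            bursts[host] = {"host": host, "user": ev["user"], "burst_start": q[0].isoformat()}
    result = []
    for host, summary in bursts.items():
        summary["renames"] = renames[host]
        summary["extensions"] = sorted(extensions[host])
        result.append(summary)
    result.sort(key=lambda s: s["burst_start"])
    return result


if __name__ == "__main__":
    for entry in find_patient_zero(SAMPLE_LOG):
        print(entry)
```

The heuristic deliberately ignores the WRITE of the ransom note and the benign `draft.docx -> final.docx` rename, and it flags the service account on WS-222 as a second wave rather than the origin. That second wave is exactly the kind of lead the investigation should follow next: a backup service account renaming files on a workstation is a sign the attackers are using stolen credentials, which ties back to the backup-securing advice in step 2.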

Don’t pay the ransom 

While paying the ransom can reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision to be taken lightly. In its guidance on protecting data from ransomware attacks, CISA states that it "strongly discourages paying a ransom to criminal actors." 

However, if a business concludes it has no alternative but to pay, it should weigh the following factors: 

  • There is roughly a 1 in 20 chance that the ransomware operators will take the money and never provide a decryptor. 
  • The attacker-provided decryptor may not work properly (see the truncation bug in step 4), so keep the pre-decryption images and test the decryptor on copies first. 
  • Ransom payments may be used to fund serious criminal activity, including human trafficking and terrorism. 
  • Paying the ransom validates the ransomware business model and perpetuates further attacks. 
  • Paying a sanctioned group may itself be unlawful; involve legal counsel and, where applicable, law enforcement before any payment is made. 

The don’ts of a ransomware attack 

Mishandling a ransomware incident can hinder recovery, jeopardize data and lead victims to pay ransoms unnecessarily. Here is what you should not do in the event of a ransomware attack: 

  1. Do not restart infected devices (a reboot can trigger further encryption and destroys the memory contents, including any keys, that investigators could have captured) 
  2. Do not connect external storage devices to infected systems (the ransomware will encrypt them too) 
  3. Do not pay the ransom (we said this above, but it bears repeating) 
  4. Do not communicate on the impacted network (assume the attackers can read email and chat on it; coordinate the response out of band) 
  5. Do not delete files, ransom notes or malware samples (they are evidence and may be needed for decryption) 
  6. Do not trust ransomware gangs 

ADACOM offers a holistic approach to mitigating the ransomware threat 

Today's business landscape requires a holistic approach to information resilience and security risk management, one that enables an organization to minimize the threat of ransomware attacks while maximizing the trustworthiness of its information and the reliability of its automated processes. 

ADACOM has established its own GRC & Assurance Services portfolio based on Information Resilience, which goes beyond the traditional Information & Digital Security models. Contact us to learn how we can help you.