6-Step Ransomware Response Plan

Ransomware is malicious software that encrypts files, preventing users from accessing or using computer systems. Usually accompanied by a ransom demand, a ransomware attack cripples infected computers, servers and files. Attacks are common — the Veeam 2023 Global Report on Ransomware Trends revealed that in the preceding 12 months, 85% of organizations experienced at least one cyberattack. While 80% paid the ransom, only 75% regained access to their data and, on average, only recovered 66% of their data. Hackers specifically targeted backup repositories 75% of the time.

On the other hand, 16% of organizations attacked recovered their data without paying a ransom. These organizations had clean, immutable and reliable backups and an integrated ransomware response strategy that worked as intended. The takeaway is that it is possible to recover from a ransomware attack if you have a robust plan to handle ransomware attacks.

Key Components of a Ransomware Response Plan

Since attacks are so common, knowing how to recover quickly from a ransomware attack is essential. Critical aspects of your ransomware recovery plan should include hardening systems, rigorous prevention measures, ransomware detection and response, recovery and restoration measures, and plans to inform relevant authorities and affected parties. Always conduct a post-incident analysis to help prevent future attacks.

Step 1: Preventative Measures

You can take several measures to prevent and mitigate ransomware attacks. These include employee education, risk assessments, hardening hardware and software solutions, network segmentation, and having secure data backups:

  • Educate employees: Your employees are your first line of defense against malware attacks, so you should train them to recognize attacks and educate them about ransomware threats and how to detect signs of compromised systems.
  • Perform risk assessments: Use expert teams to perform risk assessments to identify weak points in your malware and ransomware defenses.
  • Harden port and endpoint settings: Disable unused Remote Desktop Ports (RDPs) and limit RDP and other remote access protocol ports to trusted hosts. Similarly, harden endpoints with secure configuration settings.
  • Segment networks and enforce access controls: Segment networks using VPNs and physical tools. Keep customer-facing parts of the network separate from inward-facing portions. Adopt the principle of zero trust when granting access.
  • Implement all software updates and patches: Limit the risk of intrusion by meticulously implementing updates and security patches.
  • Adopt secure backup and data redundancy policies: Carefully plan your backup strategy, as this represents your last line of defense. Back up frequently, ensuring you have immutable copies that cannot be changed. Keep at least one set of backups entirely offline. Check backup integrity regularly.

Step 2: Detection and Response

It’s crucial to react promptly to any ransomware incident. With the proper monitoring tools, it’s often possible to disrupt an attack while it is in progress. You should have 24/7 coverage and online ransomware detection tools to do this. In this way, you mitigate the damage and can clean your systems faster, as follows:

  • Determine impacted systems: Establish which systems are affected and immediately isolate them from the rest of the network. If the attack has impacted several systems, and it is not possible to initially verify its extent, take the network offline. If you cannot easily take systems offline, limit the scope of the infection by unplugging ethernet cables and disabling Wi-Fi.
  • Power down equipment: If it is not possible to disconnect devices from the network, power down the affected equipment. Note that this step may remove evidence held in volatile memory.
  • Triage affected systems: Identify systems that are critical to the organization and list them in order of importance in terms of the organization’s priorities.
  • Examine logs: Review system logs to identify precursors such as dropper malware, earlier attacks and compromised networks.
  • Determine what happened: Establish the sequence of events leading to the attack and how the actor was able to penetrate your network.
  • Find the threat: Identify the ransomware, its variant and any other malware on the system.

Step 3: Communication and Reporting

Report the incident and transparently communicate what has happened with the affected parties. Prompt communications will help mitigate longer-term consequences such as loss of credibility and punitive damages. Actions to take include:

  • Communicate internally: Inform all affected employees and functions immediately and notify them of steps taken to contain the incident. Issue regular updates.
  • Notify relevant authorities: Report the incident to local or national law enforcement officials as required by local ordinances. Ensure you meet all legal obligations regarding specific privacy and data protection regulations.
  • Communicate externally: Notify customers and business partners of the incident and release appropriate information regarding the extent of the damage. Note that it’s common for criminals to threaten to release confidential information to coerce victims into paying the ransom.
  • Be transparent: While it is natural for companies to want to hide damaging information, news of cyberattacks inevitably gets out. Transparency minimizes harm to reputation, helps investigators and provides affected parties with an opportunity to take steps to protect sensitive data.

Step 4: Containment Strategies

Before taking steps to eradicate ransomware from your system, capture system images and volatile memory contents of all infected devices. This information is helpful during forensic investigations to determine what happened and how your systems were compromised. It is vital to preserve volatile information stored in the system memory, security logs and firewall log buffers.

Consult with federal law enforcement authorities, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and your security vendor to identify whether researchers have developed decryption tools or identified encryption flaws you can use to decrypt your data. These resources may also provide additional information regarding steps to identify impacted systems and how to turn off ransomware binaries. Other steps include:

  • Identification of systems involved
  • Disabling VPN, cloud-based and public-faced endpoints
  • Turning off server-side data encryption
  • Identification of inside and outside persistence mechanisms

Step 5: Eradication Strategies

The primary goal of your eradication strategy is the removal of all traces of ransomware and malware from your systems (distinct from data). While it is sometimes possible to sanitize your systems, it is generally more straightforward and much safer to wipe them and rebuild them from scratch using templates and clean images. Steps include:

  • Wipe or sanitize all infected systems
  • Rebuild corporate systems, starting with critical systems
  • Reset all passwords
  • Address and block identified vulnerabilities, websites and malware
  • Issue a declaration from the designated IT authority once you have eradicated all traces of the ransomware and rebuilt systems to confirm that the ransomware incident is over

Step 6: Recovery and Restoration

At this point, you can now restore your data and get back to work. It is also when you will benefit from the foresight that led you to use innovative solutions to recover quickly from ransomware attacks. Veeam offers several solutions, including a backup replica to create a virtual machine that you can get up and running quickly. Steps in recovery and restoration include:

  • Use secure backups to restore systems
  • Make sure that your backups are clean, so you do not reinfect your clean systems during recovery
  • Implement lessons learned from the attack to strengthen security measures
  • Deploy ongoing ransomware monitoring solutions
  • Complete a post-incident evaluation

Best Practices for Ransomware Incident Response

The incidence of ransomware attacks is such that you should consider them in the same category as other business continuity management plans. These include strategies for dealing with major incidents, natural disasters and disaster recovery.

The starting point for a ransomware incident response plan is a thoroughly researched and documented recovery plan. Typically, this plan includes all stakeholders, a clear statement of the recovery objectives and communication strategies. The plan identifies responsible parties and clearly defines the actions to take when a ransomware attack hits you.

Points to consider include:

  • Response team: Identify all members of the response team, their responsibilities and functions. Appoint a designated leader responsible for coordinating activities.
  • Inventory: Compile a complete list of all physical and cloud hardware and software assets, together with diagrams of how these interconnect, including special features such as VPNs, virtual private clouds, WANs and APIs.
  • Critical functions: List and prioritize critical business functions, applications, datasets and backups.
  • Emergency contact list: Include all employees, service providers, suppliers and customers who may be impacted by a ransomware incident.
  • Training: Train team members in their roles and responsibilities and simulate an incident with a Ransomware Prevention Kit to ensure each person is familiar and comfortable with their role.
  • Ransomware action plan: Prepare a detailed ransomware response action plan.
  • Lessons learned: Documents lessons learned during training simulations and actual attacks.

Formalizing and adopting these ransomware protection best practices will help your organization respond quickly and effectively when you come under attack and ensure you have clean backups to restore and reconnect services.

Getting Started With Veeam

While it is always possible to recreate IT structures, a business cannot survive a ransomware attack if it cannot access clean data. Veeam’s online backup solution solves this problem. Veeam offers a single solution that gives you total control over your recovery with multi-layered immutability, comprehensive monitoring and automation. Veeam works with common cloud-based solutions as well as on-premises solutions for Windows, Linux and Mac.

Call our sales department to learn more about our ransomware data recovery solutions or download our dedicated whitepaper Building a Cyber-Resilient Data Recovery Strategy for more tips on achieving cyber resiliency. 

Related content

Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.
OK