Ransomware Incident Response Plan – Part 1

Ransomware Incident Response Plan - Part 1


Ransomware was and still is one of the most dangerous attacks that can cause catastrophic consequences to the endpoint system if not responded properly. The following article is specially created for preparing incident response teams against this particular attack, but it is generally excellent guidance for everyone who would like to have clear and step-by-step approach on how to prepare, identify, contain, remediate and recover from the dangerous attacks of ransomware.

The following is part one of the overall incident response plan where we are going to discuss in our opinion the most critical phases of the incident response plan, which are the preparation and identification phases, because our goal is to prevent the compromise rather than allow it to be executed and completed, hence we will concentrate more on the phases mentioned above, but as well as we will cover other phases in part two and part three which are important as well.

Before jumping into the phases and steps we would like to give brief introduction about ransomware, to explain what it is and how does it work.

Ransomware is a type of malware from crypto virology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for an expert to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

In a properly implemented crypto viral extortion attack, recovering the files without the decryption key is an intractable problem and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. As was already said we will divide the incident response plan into 5 phases and first phase is preparation from we shall start.


1. Preparation Overview

On the preparation phase the company or the incident response team must realize that malicious actors often use phishing to infect a system with ransomware, hence it is very important to have a phishing policy. The chance of being compromised by ransomware can be decreased by conducting routine phishing tests, so employees will be able to detect a phishing email before clicking on any dangerous links or attachments.

To be ready for potential attacks such as ransomware the systems must be updated including the software with the latest security patches. This critical preventative step will make it harder for malicious actors to compromise your system. As ransomware became one of the most used and dangerous attack in a manner of data loss and system corruption, the company or the incident response team must prioritize the data that is most critical to the organization and back it up.

The recommended practice for backup is to periodically test the backups and verify the validity and reliability of the backups. For being ready and prepared there is yet another crucial step to cover to stay on the safest side and that is to deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring to advanced EDR (Endpoint Detection & Response) solution. Compared to the traditional anti-virus solutions which only detects malware at a signature level which can be ineffective in case of a new-born ransomware. Hence, we must implement advanced threat detection systems for cyber security resilience. The company or the incident response team should develop an incident response (IR) plan that is created specifically for a ransomware attack. It is crucial to prepare for targeted attacks that can affect broad swaths of your company.

Incident Response Plan - Preparation

2. Identification

For initial identification and detection, a good approach is to get signatures and IOCs into your IDS. It is highly recommended as a best practice to use a threat intelligence sources to block and alert on the presence of anomalies that have a chance of being associated with ransomware in your network traffic. There are numerous signatures for most of the popular ransomwares out there such WannaCry and NotPetya traffic. These practice alone will not protect you from a ransomware because ransomwares can be modified and changed hence, we want to have more defense than just the detection. However, these signatures can be a useful source for the most widely distributed tools that enterprises tend to use.

Perform continuous anti-virus and overall endpoint security scans, to detect and discover unusual registry keys, malicious files, encrypted data, unusual directories, unusual amounts of internet traffic flow, unexplained system crashes, unauthorized and unexplained installation of software. Check the anti-virus notifications, scans, and Windows Event Logs for more details about the malicious activity. Request system updates and patches. In case of phishing emails that may contain or lead users to the ransomware, the company or the incident response team must use tools that detect malicious attachments or perform attachment scanning to look for malicious attachments. This technique is your best automated defense against ransomware emails.

Ransomware Incident Response Plan - Identification

Click here to read our step-by-step hands-on approach on how to prepare and identify ransomware attacks.