I have a companion article to this one to this one looking at the planning and preparation needed if you are not plugged in!
Pull the Plug: But I haven’t got a plug!
In my previous ransomware article, in this mini-series, we had a quick look at some spanners and planning and preparation for a ransomware attack. (You will have to visit CyberAwake to see where spanners fit into my planning and preparation!)
Today we are going to look at a couple of immediate steps you should have in your plan to minimise the damage ransomware can do to your system.
Act Fast – You Need Planning and Preparation
One of the things I often must talk people into, is shortening the reporting chain. What do I mean by that? Here is an example.
User/victim recognises something is not right, they have just clicked on a link, submitted their credentials at a rogue site or just noticed that their PC is acting up – their next step is:
Report to supervisor – who reports to manager – who reports to senior manager (who is in a meeting) – who reports to another manager who deals with the IT support team – who then calls the IT/Cyber Security support team. Now the response plan is finally set into action.
OR
User/victim calls the IT/Cyber Security support team emergency number and the planning and preparation is up and running. The reporting process to the others is detailed in the incident response plan.
And it was a false alarm.
No harm done. But if it was not and LockBit ransomware was encrypting your information, then precious minutes or hours have been saved.
But is there anything else we can include in our planning and preparation that could minimise the damage?
I hear you ask…
Well yes, quite a lot, but I am limited to 500 words here.
Let me suggest two things the user should do, one before calling IT/Cyber Security support and one after.
Isolation
Disconnect the PC, laptop or device from the network. Ransomware is malware that thrives on a network, it is specifically designed to attack information wherever it can find it. So, by disconnecting an infected device, you may stop the damage spreading. This is only really effective before the ransom demand appears on the screen, but even then disconnecting is still recommended as ransomware works in many different ways and we are trying to minimise the damage with our first few response steps. You will probably need to have specific training in place to show everyone how to do this. The first question you will have to deal with is cable or Wi-Fi? This can be challenging to the less technical.
Possibly other devices on the LAN should be isolated, but that is a decision you would have made in your original planning.
Evidence
After the call, if there is anything on the screen that may help the response team, photograph it – and make a few notes about what happened. Both of these actions will help with the initial assessment of the incident and help minimise the impact of an incident.
More
Next Time
Detecting ransomware.
Clive Catton MSc (Cyber Security) – by-line and other articles
* Part 1 is here Ransomware: Is it a Threat? and Part 2 is here: A Bag of Spanners – Planning and Preparation
References
Grimes, R. A. (2021). Ransomware protection playbook. John Wiley & Sons, Incorporated.
Further Reading
Ransomware Mini-Series (2023)
Ransomware: Is it a Threat? (Part 1)
A Bag of Spanners – Planning and Preparation (Part 2)
Minimise the Damage – Planning and Preparation (Part 3)
Detecting Ransomware (Part 4)