Ransomware – You need a Checklist

Part 8 of my Ransomware Mini-series looks at another aspect of “what if the worst happens”.

Monday Morning Blues – A Ransomware Attack

(Image: ransomware screen)

This message on your laptop when you start work on a Monday morning is not the kind of blues that can be washed away with a cup of coffee – although a coffee* should be part of your incident response plan.

Now is the time to use your incident response plan: take the first steps to isolate the infected machine – as discussed in Part 3 – and start discovering the extent of the problem.

So why do I need a checklist?

My team and I have dealt with a variety of ransomware attacks, and it is stressful. If it happens to you it will be stressful too, and having your plan and checklists written down will guide your incident response team through the recovery process and get you the result you are looking for: getting your organisation working again.

One of the first steps in any incident response plan – after you have checked the integrity of the latest back-ups whilst drinking that coffee – is discovering the extent of the problem. It is especially important to find any other computers that are infected with the ransomware and are still encrypting or exfiltrating your data. (An early step, for you, may be to isolate your information store from the internet to stop further data theft, although by the time the threat actors declare themselves to you they may already have stolen everything they want.)

So where should I look and what should be on my checklist?

This list is not exhaustive – I have a 500 word limit here – and it does not address your particular situation. It is just a starting point.

  • PCs and their locations (do not forget people working away from the office)
    • The role of the user will also be useful – a user's role determines what information that user has access to
    • Isolate as required
  • Other devices – such as servers, web servers, NAS devices, infrastructure devices, cloud storage, and other local storage such as mapped drives and USB portable storage
    • Do any of these have any evidence of malware activity?
  • Impacted backups – eliminate those in your retention that cannot be used as part of the data recovery
  • Email servers involved
    • Have emails been compromised?
    • Check everyone’s email configuration for malicious rules (we have a script for this)
  • Has there been any information exfiltration?
    • This can be indicated by unusually high outbound network traffic, or by large unaccounted-for archive files that the threat actors may have created to make exfiltration of your information easier
  • Are any credentials compromised?
  • Does it appear that the threat actors have privileged information that has been used in the attack?
  • Does the attacker seem to know people’s names and roles?
  • Have any malicious files, malware, scripts etc. been discovered?
    • Use a clean AV install to check for these, rather than trusting the AV on a machine the attackers may have tampered with
  • What messages have the threat actors sent you and what information about them do you have?
  • Brief your communications team so a truthful and honest message can be circulated to your stakeholders or the authorities
    • Remember only authorised persons should issue statements
    • Preparing some template responses can stop a rushed inaccurate message going out by mistake
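The checklist item above about checking everyone's email configuration for malicious rules is one that is easy to script. The following is an added example, not the author's own script or any vendor's tool: it takes inbox rules already exported from a mail system (the fields loosely mirror what Exchange's Get-InboxRule reports, but the records here are constructed for illustration) and flags the patterns attackers commonly leave behind to hide their activity: forwarding to external addresses, silently deleting mail, moving messages to rarely-read folders such as RSS Feeds, filtering on security-related keywords, and rules with blank or single-character names. The internal domain list, keyword list and folder list are assumptions you would tune to your own organisation.

```python
"""Triage exported inbox rules for signs of attacker persistence.

Added example. The rule records below are constructed; in practice you would
load them from an export of your mail platform (for example Get-InboxRule in
Exchange Online) and feed them to triage_mailboxes().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the mail domains your organisation owns. Anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Folders users rarely open; attackers move replies here so the victim never sees them.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}

# Keywords typically used to intercept warnings or payment-related mail (tuple keeps order stable).
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "password", "security", "hacked", "phish", "wire")


@dataclass
class InboxRule:
    mailbox: str                      # owner of the rule
    name: str                         # rule display name (attackers often use "." or "")
    forward_to: List[str] = field(default_factory=list)   # forwarding / redirect targets
    move_to_folder: Optional[str] = None                   # destination folder, if any
    delete_message: bool = False                           # rule deletes matching mail
    conditions: List[str] = field(default_factory=list)   # human-readable match conditions


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def triage_rule(rule: InboxRule) -> List[str]:
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []

    external = [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))

    if rule.delete_message:
        findings.append("deletes incoming messages")

    if rule.move_to_folder and rule.move_to_folder.strip().lower() in SUSPICIOUS_FOLDERS:
        findings.append(f"moves messages to rarely-read folder '{rule.move_to_folder}'")

    lowered = [c.lower() for c in rule.conditions]
    hits = [k for k in SUSPICIOUS_KEYWORDS if any(k in c for c in lowered)]
    if hits:
        findings.append("filters on security/payment keywords: " + ", ".join(hits))

    if len(rule.name.strip()) <= 1:
        findings.append("blank or single-character rule name")

    return findings


def triage_mailboxes(rules: List[InboxRule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group findings by mailbox; mailboxes with no suspicious rules are omitted."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            report.setdefault(rule.mailbox, []).append((rule.name, findings))
    return report


# Constructed sample export: one benign rule and two that an attacker might plant.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Team updates", move_to_folder="Projects",
              conditions=["from: newsletter@vendor.example"]),
    InboxRule("bob@example.com", ".", forward_to=["bob.backup@gmail.example"],
              delete_message=True, conditions=["subject contains: invoice"]),
    InboxRule("carol@example.com", "Cleanup", move_to_folder="RSS Feeds",
              conditions=["subject contains: password reset"]),
]

if __name__ == "__main__":
    for mailbox, rules in triage_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for name, findings in rules:
            print(f"  rule {name!r}:")
            for finding in findings:
                print(f"    - {finding}")
```

Run against the sample data, Alice's rule is silent, Bob's rule raises four findings and Carol's raises two, which is the short list you would hand to whoever is working the "email servers involved" item. The point of scripting it is speed and consistency: on a stressful Monday morning you want every mailbox checked the same way rather than relying on someone eyeballing each one.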

How can you make this easier?

Use a Cyber Security Master Document

We have a Cyber Security Master Document for our incident response, and we help our clients create one too. Everything you need is in one place. It helps with the big things – incident response and business recovery – and the small things, such as "does this security advisory about a Cisco security device affect us?"

Next

Where do you keep your Cyber Security Master Document?

Clive Catton MSc (Cyber Security)

* Other hot or cold drinks are available.

Further Reading

Practice Drinking Coffee* better known as Planning and Preparation

Ransomware Mini-Series (2023)

Ransomware: Is it a Threat? (Part 1)

A Bag of Spanners – Planning and Preparation (Part 2)

Minimise the Damage – Planning and Preparation (Part 3)

Detecting Ransomware (Part 4)

Ransomware – What Not To Do! (Part 5)

Ransomware – The Impact (Part 6)

You and a ransomware resilient back-up (Part 7)

Photo by cottonbro studio