{"id":41664,"date":"2021-07-08T10:00:00","date_gmt":"2021-07-08T10:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/ransomware-recovery-plan-for-it-now\/"},"modified":"2021-07-08T10:00:00","modified_gmt":"2021-07-08T10:00:00","slug":"ransomware-recovery-plan-for-it-now","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ransomware-recovery-plan-for-it-now\/","title":{"rendered":"Ransomware recovery: Plan for it now"},"content":{"rendered":"
<\/div>\n

If your computing environment is subject to a large ransomware attack, you will most certainly be enacting your disaster recovery (DR) plan. But before you begin restoring systems, you must first ensure you have stopped the infection, identified it, and removed it. Jumping too quickly to the restore phase could actually make things worse. To understand why this is the case, it\u2019s important to understand how ransomware works.<\/p>\n

How ransomware spreads in your environment<\/h2>\n

There are many articles such as this one<\/a> that describe what ransomware does, but it\u2019s important to emphasize that the goal of ransomware is rarely to infect just one system. Modern ransomware variants will immediately attempt to identify and execute various operating system vulnerabilities to gain administrative access and spread to the rest of your LAN. The attack will be coordinated via command-and-control (C&C) servers, and contacting these servers for instructions is the first thing that every ransomware variant does. They key in responding to an active ransomware attack is stopping further communications with C&C servers, as well as further communications between infected systems and the rest of your network.<\/p>\n

If you are not currently infected, now is the time to develop a response plan tailored to your network and test it as often as you test your DR plan.<\/p>\n

Line up help<\/h2>\n

A big ransomware attack is not the time to go it alone. There are resources available that will assist you halting and recovering when it feels like all hell is breaking loose, and there are steps to take that might help authorities catch the criminals. Part of your ransomware-response plan should include the contact information of these resources.<\/p>\n

If you have a cyber-insurance policy, it can be very helpful. It can put you in touch with specialists to help guide you through your response. Contact them now, before you are attacked, to establish their response process and document it in your plan. If you don\u2019thave such a policy, consider getting one.<\/p>\n

You should also immediately contact the local field office of the FBI. Its level of involvement in a particular case will be driven by the extent and nature of the attack, but it says that notifying them of all attacks helps them to better respond to ransomware in general. They also have access to tools and resources unavailable to many other organizations that can help especially if it identifies another country as the source.<\/p>\n