Jarrett Kolthoff | October 25th, 2019

Business Journal Ask the Expert Column – October 2019

One of our suppliers was recently paralyzed by a ransomware attack. No one knew what to do – they had no plan. When we saw the chaos the attack caused, we realized we don’t have a ransomware plan in place either. What should we do if we’re attacked? 

With more ransomware attacks happening every day, your company should have a step-by-step plan outlining exactly what to do from the moment the intrusion is discovered. While I don’t have enough space in this column to give you a thorough response guide, here are some basics you need to get started with your ransomware response plan.

Call In The Pros From The Beginning. Don’t think that you can handle this type of event internally. Call in the experts as fast as you can, preferably from the moment you discover you’ve been encrypted. Every minute counts.

As a cyber counterintelligence provider, I would tell you to call us first, so we can immediately get to work inside your systems and networks to find the source of the breach, identify all the key information surrounding it, and mitigate the ransomware itself. We can work in tandem with your law firm, engaging them at the outset so that attorney-client privilege is maintained. This approach will get you back up and operational most quickly.

Other resources will tell you to contact your law firm or insurance company first, since one of them will likely provide you with a Breach Coach to help you navigate the incident response process. Who you call first is up to you and may also be dependent on time of day. Remember, your cyber incident response provider, insurance company, and law firm all work for you. So, make sure you stay in control and manage the process on terms that work best for your organization.

Access Backup Inventory List And Test Your Backups. As a part of your response plan, you should have an inventory of all backups and their locations. Your inventory log should be kept in both digital and hard copy form in the event you are unable to access your network and systems. You’ll also need the list for your cyber incident response provider, law firm and insurance team—always know where it’s located and keep it accessible. Once you’ve located every backup, test it. Testing confirms that your backups are fully functional and free of encryption, so that restoring from them does not reinfect you.
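One way to make the backup test in the step above repeatable, as an added example that is not from the column or the author’s firm: keep a manifest of known-good SHA-256 hashes for each backed-up file, then compare every backup copy against it and flag copies whose bytes look near-random, which is what a ransomware-encrypted file looks like. The file names, contents and the 7.5 bits-per-byte threshold are constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_file(path):
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: encrypted output sits near 8.0, office documents far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Check each manifest entry (name -> known-good SHA-256) against its backup copy.
    Returns name -> 'ok' | 'missing' | 'modified' | 'encrypted?'."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            with open(path, "rb") as f:
                head = f.read(4096)
            # Hash mismatch plus near-random bytes is the signature of an encrypted copy
            results[name] = "encrypted?" if shannon_entropy(head) > entropy_threshold else "modified"
    return results

def demo():
    """Constructed backup set: one intact copy, one tampered, one encrypted-looking, one absent."""
    originals = {"report.txt": b"Q3 revenue summary\n" * 200,
                 "ledger.csv": b"date,amount\n2019-10-01,120.00\n" * 100,
                 "invoices.db": b"SQLite format 3\x00" + b"\x00" * 2000,
                 "payroll.xlsx": b"PK\x03\x04" + b"\x00" * 500}
    manifest = {k: hashlib.sha256(v).hexdigest() for k, v in originals.items()}
    with tempfile.TemporaryDirectory() as d:
        for name, data in originals.items():
            if name == "payroll.xlsx":
                continue  # simulate a backup that was never written
            if name == "ledger.csv":
                data = data.replace(b"120.00", b"999.00", 1)  # silent tampering
            if name == "invoices.db":
                data = os.urandom(len(data))  # stand-in for a ransomware-encrypted copy
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_backup(d, manifest)
```

Running `demo()` reports `report.txt` as ok, `ledger.csv` as modified, `invoices.db` as encrypted? and `payroll.xlsx` as missing; in practice the manifest itself must live offline with the hard-copy inventory, since a manifest stored on the encrypted network is no longer trustworthy.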

Do Not Respond Or Communicate With The Attacker In Any Form. Cybercriminals will demand that you communicate with them and try to take control. Don’t let them. Their goal is to get information from you that they will use against you later. Let your cyber incident response team bring in trained personnel for all attacker communications.

Unplug Everything From Your Network, But Do Not Shut Anything Down. The moment you know you’re infected, unplug everything from your network in the hope that some devices may not yet be encrypted. Most importantly, don’t shut down anything. Everything must be left running. Ransomware encryption makes recovery and forensics much more difficult if you attempt any form of shutdown.

Go Dark And Control All Communications. Tell only those who absolutely need to know that you’ve been hit with ransomware, so you don’t create panic, gossip, or greater problems. Your cyber incident response provider, insurance carrier, law firm and executive team should be the only parties who know of the attack until you can assess the scope of the breach and begin crafting the narrative about the attack. Anything more than this could potentially place you in violation of compliance standards or worse. Don’t worry about “total transparency,” particularly with employees, until you’re in full control of the situation.

Kill The Code And Restore Operations. Ensure your cyber incident response provider kills the code planted inside your systems to eliminate the possibility of reinfection. Once that step is completed, you should be able to restore operations without wiping your drives and reinstalling everything from scratch.

Call In The Spin Doctors. Once you’re in control, engage your PR and legal teams to craft and release appropriate messaging to only the necessary parties in order to keep you fully compliant.

Inform The FBI. All ransomware incidents should be reported to the FBI in the event your incident can be linked to other cases and hopefully help lead to the arrest and conviction of the criminals responsible for the attack(s).

Review Forensics Reports With Necessary Stakeholders. Following the mitigation portion of your incident, the forensics experts from your cyber incident response unit will issue a full forensic report, which should be reviewed with insurance, legal and other key stakeholders. We complete reports in 15 days, on average. The report should identify the critical facts of the attack and how it happened, as well as any protected data that may have been compromised.

Execute Compliance Notifications. In the event personal or protected information was compromised during the attack, work with your legal team to make sure necessary notices are delivered within designated time periods, so you remain legally compliant.

For an even more complete list of what to do in case of a ransomware attack, feel free to reach out to me personally. Or, if you have a question that you’d like answered here in the Business Journal, email it to [email protected].