What to do first when your company suffers a ransomware attack

By Graham Cluley

For many companies it would be a nightmare to discover that they are the latest unwitting victim of a ransomware attack, capable of crippling computer systems and locking up data if a payment isn’t made to cybercriminals.

There’s no magic wand that can make a ransomware attack simply disappear with no impact at all on an organisation, but you can lessen the problem by carefully following tried-and-trusted steps in the immediate aftermath of an attack.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have jointly released an in-depth guide that not only includes recommendations on how you can reduce the chances of being the next ransomware victim, but also provides a step-by-step checklist for how to respond.

I believe that the ransomware response checklist could be a valuable addendum to organisations’ incident response plans. Your company does have a cyber incident response plan, right?

And the advice couldn’t be more timely, with more and more organisations hit by ransomware attacks that cripple their ability to operate normally.

So, let’s take a look at the checklist step-by-step, focusing specifically on the very first things you should do:

1. Determine which systems were impacted, and immediately isolate them.

If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.

If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.

If it’s one or two computers that have been infected by the ransomware then you may be able to get away with just disconnecting those PCs and dealing with them individually. But if the infection has distributed itself more widely then you may have to take more significant action to prevent the ransomware from spreading further.

So clearly it’s important to attempt to determine the scale of the problem as quickly as possible, as this will influence the nature of your response.

After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken.

Not doing so could cause actors to move laterally to preserve their access — already a common tactic — or deploy ransomware widely prior to networks being taken offline.

In some instances, organisations have used personal email accounts or instant messaging services like WhatsApp to communicate if they fear corporate communications systems may be being monitored by the attackers.

Obviously response teams should be careful to ensure that out-of-band communications they receive are genuinely from fellow workers rather than from the attackers themselves, who may already hold stolen credentials for staff accounts.
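As an added illustration (not part of the original article or of the CISA/MS-ISAC guide), the following Python script shows one way to make the scoping decision from file-activity telemetry: it flags hosts that drop a ransom-note-like file or rename a burst of files to one new extension, groups the flagged hosts by subnet, and applies the guide's rule that several systems or several subnets means isolating at the switch rather than unplugging individual PCs. The log format, host names, subnets and thresholds are constructed for the example; real EDR or file-audit output will need a different parser.

```python
"""Scope a ransomware incident from file-activity telemetry and choose an
isolation action (per-host unplug vs. switch-level segment isolation).

Added example for this article; not code from CISA, MS-ISAC or the original
author. The log format is constructed for illustration: one event per line,
"<timestamp> <ip> <host> <rename|create> <path>", where a rename path reads
"<old> -> <new>". Thresholds are assumptions, not figures from the guide.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (rename|create) (.+)$")
# File names typical of ransom notes (assumed patterns; extend from your own cases).
NOTE_RE = re.compile(r"(readme|how_to_decrypt|restore.?files|decrypt).*\.(txt|html|hta)$", re.I)
RENAME_BURST = 5        # renames to one new extension, per host, per window
WINDOW_SECONDS = 60
HOST_THRESHOLD = 3      # this many impacted hosts -> isolate at the switch

# Constructed sample telemetry: ws-101 renames files to .locked and drops a note,
# srv-02 on another subnet mass-renames without a note, ws-107 is benign.
SAMPLE_LOG = r"""
2020-09-30T08:01:02Z 10.0.1.23 ws-101 rename C:\Users\a\Docs\q3.xlsx -> C:\Users\a\Docs\q3.xlsx.locked
2020-09-30T08:01:02Z 10.0.1.23 ws-101 rename C:\Users\a\Docs\plan.docx -> C:\Users\a\Docs\plan.docx.locked
2020-09-30T08:01:03Z 10.0.1.23 ws-101 rename C:\Users\a\Docs\notes.txt -> C:\Users\a\Docs\notes.txt.locked
2020-09-30T08:01:03Z 10.0.1.23 ws-101 rename C:\Users\a\Docs\budget.xlsx -> C:\Users\a\Docs\budget.xlsx.locked
2020-09-30T08:01:04Z 10.0.1.23 ws-101 rename C:\Users\a\Docs\photo.jpg -> C:\Users\a\Docs\photo.jpg.locked
2020-09-30T08:01:05Z 10.0.1.23 ws-101 create C:\Users\a\Docs\README_TO_DECRYPT.txt
2020-09-30T08:02:10Z 10.0.2.5 srv-02 rename D:\Shares\HR\a.pdf -> D:\Shares\HR\a.pdf.locked
2020-09-30T08:02:10Z 10.0.2.5 srv-02 rename D:\Shares\HR\b.pdf -> D:\Shares\HR\b.pdf.locked
2020-09-30T08:02:11Z 10.0.2.5 srv-02 rename D:\Shares\HR\c.pdf -> D:\Shares\HR\c.pdf.locked
2020-09-30T08:02:11Z 10.0.2.5 srv-02 rename D:\Shares\HR\d.pdf -> D:\Shares\HR\d.pdf.locked
2020-09-30T08:02:12Z 10.0.2.5 srv-02 rename D:\Shares\HR\e.pdf -> D:\Shares\HR\e.pdf.locked
2020-09-30T08:02:12Z 10.0.2.5 srv-02 rename D:\Shares\HR\f.pdf -> D:\Shares\HR\f.pdf.locked
2020-09-30T08:05:00Z 10.0.1.40 ws-107 rename C:\Users\b\old.cfg -> C:\Users\b\old.cfg.bak
2020-09-30T08:05:30Z 10.0.1.40 ws-107 create C:\Users\b\report.txt
"""

def parse(log_text):
    """Parse the constructed log format into (time, ip, host, action, path) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, host, action, path = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, host, action, path))
    return events

def appended_extension(rename_path):
    """For 'old -> new', return the extension appended to the old name, else None."""
    old, _, new = rename_path.partition(" -> ")
    return new[len(old):] if new.startswith(old + ".") else None

def impacted_hosts(events):
    """Return {host: reason} for hosts showing ransomware-like file activity."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[2]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        notes = [p for _, _, _, a, p in evs if a == "create" and NOTE_RE.search(p.rsplit("\\", 1)[-1])]
        if notes:
            flagged[host] = "ransom note created: " + notes[0]
            continue
        renames = [(t, appended_extension(p)) for t, _, _, a, p in evs if a == "rename"]
        renames = [(t, e) for t, e in renames if e]
        for i, (start, ext) in enumerate(renames):
            n = sum(1 for t, e in renames[i:] if e == ext and (t - start).total_seconds() <= WINDOW_SECONDS)
            if n >= RENAME_BURST:
                flagged[host] = f"{n} files renamed to *{ext} within {WINDOW_SECONDS}s"
                break
    return flagged

def isolation_plan(events, flagged, subnets):
    """Group impacted hosts by subnet and apply the guide's rule: several systems
    or subnets affected -> take the segment(s) offline at the switch; otherwise
    unplug the individual hosts."""
    host_ip = {host: ip for _, ip, host, _, _ in events}
    nets = [ip_network(s) for s in subnets]
    by_subnet = defaultdict(set)
    for host in flagged:
        addr = ip_address(host_ip[host])
        by_subnet[next((str(n) for n in nets if addr in n), "unknown")].add(host)
    if len(flagged) >= HOST_THRESHOLD or len(by_subnet) > 1:
        action = "switch-level: isolate segments " + ", ".join(sorted(by_subnet))
    elif flagged:
        action = "per-host: unplug " + ", ".join(sorted(flagged))
    else:
        action = "no impacted hosts identified"
    return {"impacted": dict(flagged), "by_subnet": {k: sorted(v) for k, v in by_subnet.items()}, "action": action}

def triage(log_text, subnets):
    events = parse(log_text)
    return isolation_plan(events, impacted_hosts(events), subnets)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, ["10.0.1.0/24", "10.0.2.0/24"]), indent=2))
```

Run against the sample log it reports two impacted hosts on two different subnets and therefore recommends switch-level isolation of both segments. The thresholds are conservative starting points to tune against your own telemetry; treat a single flagged host as a reason to look harder at the rest of the estate, not as proof that the infection is contained.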

But what if you cannot temporarily shut down your network or disconnect affected computers from the network?

In that case, the response guide offers the following advice:

2. Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

However, it should be noted that powering a system off destroys volatile evidence: the contents of RAM, including running processes, network connections and, for some ransomware families, key material that a decryptor could use. That evidence would be useful both to your own investigators and to the authorities, so if memory capture is possible it should happen before the power goes off.

Law enforcement agencies, as well as CISA and MS-ISAC, may be interested in gathering a wide variety of other information that could be useful in their investigation.

This includes, but is not limited to, the following:

  • Recovered executable file
  • Copies of any readme file (this should not be removed as it often assists decryption)
  • Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Malware samples
  • Names of any other malware identified on systems
  • Encrypted file samples
  • Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
  • Any PowerShell scripts found having executed on the systems
  • Any user accounts created in Active Directory or machines added to the network during the exploitation
  • Email addresses used by the attackers and any associated phishing emails
  • A copy of the ransom note itself
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Copies of any communications with attackers

Even if there is little chance that an attacker might be identified and caught, details like the above – if shared with other companies – could help prevent them from becoming the next victim of the ransomware.
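Much of the evidence in that list is volatile or easily disturbed, and the warning not to remove readme files is easy to break under pressure. The following Python example, added here and not taken from the guide or the original article, copies (never moves) the ransom note and a sample encrypted file into an evidence directory, records SHA-256 hashes in a manifest so the copies can later be shown to be unaltered, and extracts the e-mail addresses, .onion URLs and Bitcoin wallets investigators ask for, verifying legacy wallet addresses by their Base58Check checksum so that look-alike strings are not reported. The note text, file names and directories are constructed; the wallet is the well-known public Bitcoin genesis-block address, used only because it is a known valid one.

```python
"""Preserve ransomware evidence and extract the indicators the guide asks for.

Added example for this article; not code from CISA, MS-ISAC or the original
author. Copies (never moves) evidence, hashes it into a manifest, and pulls
e-mails, .onion hosts and Bitcoin wallets out of the ransom note. Legacy
wallets are checksum-verified; bc1 (bech32) addresses are accepted on syntax
only here (assumption). Note text and file names are constructed; the
wallet is the public genesis-block address, used as a known-valid placeholder.
"""
import hashlib
import json
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

RANSOM_NOTE = """\
!!! YOUR FILES HAVE BEEN ENCRYPTED !!!
Contact us: support-desk@tutamail.example or restore2020@protonmail.example
Portal: http://abc2defghijklmnopqrstuvwxyz234567.onion/login
Pay 2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours.
Personal ID: 7F3A-1B2C-9D4E-0F5A-6B7C8D9E0F1A
"""

def base58check_ok(addr):
    """True when addr is a legacy Bitcoin address whose trailing 4 bytes equal the
    first 4 bytes of SHA-256d over the other 21 (version byte + hash160)."""
    if addr.startswith("bc1"):
        return True                                # bech32 not verified here
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body   # leading '1' = zero byte
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

def extract_iocs(note_text):
    """Indicators from a ransom note: e-mails, .onion hosts, checksum-valid wallets."""
    candidates = set(BTC_RE.findall(note_text))
    return {
        "emails": sorted(set(EMAIL_RE.findall(note_text))),
        "onion": sorted(set(ONION_RE.findall(note_text))),
        "wallets": sorted(w for w in candidates if base58check_ok(w)),
        "rejected_wallets": sorted(w for w in candidates if not base58check_ok(w)),
    }

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(evidence_dir, sources):
    """Copy each (kind, path) into evidence_dir and return a hashed manifest.
    Originals stay in place: the note in particular must not be removed."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for kind, src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)                     # copy, never move
        manifest["items"].append({"kind": kind, "source": src, "copy": dst,
                                  "sha256": sha256_file(dst),
                                  "source_still_present": os.path.exists(src)})
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def demo():
    """Stage a constructed victim directory, collect evidence, extract IOCs."""
    victim = tempfile.mkdtemp(prefix="victim-")
    note = os.path.join(victim, "README_TO_DECRYPT.txt")
    sample = os.path.join(victim, "q3.xlsx.locked")
    with open(note, "w") as f:
        f.write(RANSOM_NOTE)
    with open(sample, "wb") as f:
        f.write(os.urandom(256))                   # stands in for an encrypted file
    manifest = collect(tempfile.mkdtemp(prefix="evidence-"),
                       [("ransom note", note), ("encrypted sample", sample)])
    with open(note) as f:
        iocs = extract_iocs(f.read())
    return manifest, iocs

if __name__ == "__main__":
    m, i = demo()
    print(json.dumps({"manifest": m, "iocs": i}, indent=2))
```

The hashes in the manifest let you later show an insurer, a vendor or a court that the copy matches what was on disk. Memory capture and disk imaging are outside this script; do those with your forensic tooling before any system is powered down.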

And it is only after the first two response steps that the guide recommends victims attempt to restore critical systems.

3. Triage impacted systems for restoration and recovery.

Identify and prioritize critical systems for restoration, and confirm the nature of data housed on impacted systems.

Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.

Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.
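The phrase "as well as systems they depend on" is where restoration plans usually go wrong: a tier-1 application cannot come back before the directory, storage or database underneath it, whatever tier those were given on paper. The Python example below, added here and not from the guide or the original article, takes a constructed asset register (criticality tier plus dependencies) and the set of impacted systems, lets each dependency inherit the most urgent tier of whatever needs it, and produces a restoration sequence in which nothing is scheduled before its impacted dependencies. Systems that are not impacted are listed separately so they can be deprioritised, and impacted hosts missing from the register are called out for manual triage.

```python
"""Order impacted systems for restoration from a predefined critical-asset list.

Added example for this article; not code from CISA, MS-ISAC or the original
author. The asset register and the impacted set are constructed. Each asset
has a criticality tier (1 = health and safety or revenue) and the systems it
depends on. A dependency inherits the most urgent tier of anything that needs
it, so a tier-3 storage array under a tier-1 application is restored first.
"""
import heapq
from collections import defaultdict

# Constructed asset register: name -> (tier, [dependencies]).
ASSETS = {
    "ehr-app":    (1, ["ehr-db", "dc-01", "storage-01"]),
    "ehr-db":     (2, ["storage-01", "dc-01"]),
    "billing":    (1, ["billing-db", "dc-01"]),
    "billing-db": (2, ["storage-01"]),
    "dc-01":      (1, []),
    "storage-01": (3, []),
    "intranet":   (3, ["dc-01"]),
    "print-srv":  (4, ["dc-01"]),
    "dev-ci":     (4, []),
}
# Constructed result of the scoping step; ws-101 is not in the register.
IMPACTED = {"ehr-app", "ehr-db", "dc-01", "storage-01", "print-srv", "billing", "ws-101"}

def effective_tiers(assets):
    """Propagate urgency down dependency edges until nothing changes."""
    eff = {name: tier for name, (tier, _) in assets.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in assets.items():
            for d in deps:
                if d in eff and eff[name] < eff[d]:
                    eff[d] = eff[name]
                    changed = True
    return eff

def restoration_order(assets, impacted):
    """Kahn's algorithm over the impacted subgraph with a priority queue keyed by
    effective tier; unimpacted dependencies count as already available."""
    impacted = set(impacted)
    listed = impacted & set(assets)
    eff = effective_tiers(assets)
    indeg = {n: sum(1 for d in assets[n][1] if d in listed) for n in listed}
    dependents = defaultdict(list)
    for n in listed:
        for d in assets[n][1]:
            if d in listed:
                dependents[d].append(n)
    ready = [(eff[n], n) for n, k in indeg.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                heapq.heappush(ready, (eff[m], m))
    if len(order) != len(listed):
        stuck = sorted(set(listed) - set(order))
        raise ValueError("dependency cycle among impacted systems: " + ", ".join(stuck))
    return {
        "restore": order,                                  # rebuild in this sequence
        "unlisted_impacted": sorted(impacted - listed),    # triage by hand
        "not_impacted": sorted(set(assets) - impacted),    # deprioritised
    }

if __name__ == "__main__":
    for k, v in restoration_order(ASSETS, IMPACTED).items():
        print(f"{k}: {v}")
```

With the constructed register the domain controller and the storage array come out ahead of the tier-1 applications that sit on them, and the print server, which nothing critical depends on, lands last. A cycle in the register (two impacted systems that each depend on the other) is reported as an error rather than silently dropped, since that is something to resolve in the plan before an incident, not during one.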

These first three steps are meant to be taken in order, but there is additional work that can proceed in parallel with them.

4. Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.

This clearly is a document that will grow over time as more information is found out about the ransomware, and what systems have been attacked and which have not.

5. Engage internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.

The guide provides contact information for CISA, MS-ISAC, as well as the FBI and US Secret Service.

Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders.

The guide also references the “Public Power Cyber Incident Response Playbook”, which although targeted at power utilities contains advice that would be appropriate for any organisation needing step-by-step guidance on how to engage teams and co-ordinate messaging to customers and the public.

Ideally you do not wait until you are suffering a ransomware attack to read guidance like this, but use it in advance to build your own playbook, specific to your organisation, its systems and its people.

There are many more steps detailed, and good advice offered, in the full MS-ISAC Ransomware Guide and I would strongly recommend it to anyone responsible for securing an organisation against an attack.


Source:TripWire – Graham Cluley
