20 CRI Ransomware Playbook

Uploaded by

jagsrao
  • Introduction
  • Prepare
  • Respond
  • Recover
  • Ransomware Decision Guide

Cyber Readiness Institute

Ransomware Playbook
How to prepare for, respond to, and recover from a ransomware attack

© Cyber Readiness Institute 2020 | guide@[Link]

By 2021, “every 11 seconds” a new organization will fall victim to ransomware, according to market researcher Cybersecurity Ventures.1

Ransomware Playbook
To Pay or Not to Pay? This question is often the first one many organizations consider
after they are hit with a ransomware attack.

Unfortunately, the choice is not simple. Many organizations simply don’t know how to
protect against ransomware. This guide is intended to provide a roadmap for organizations
(e.g., small and medium-sized businesses, state and local governments) to secure
themselves against this growing threat.

1 [Link]/blog/2019/12/17/ransomware-defense-for-dummies-2nd-edition

All organizations are at risk of having their valuable data – about customers,
employees, operations – encrypted by a malicious actor so that the organization
loses access to it. A ransomware attack is conducted by a malicious actor
to hold an organization’s data hostage for a ransom. Malicious actors can gain
access to an organization’s data through various means, including phishing
and unpatched software. Patches are issued by software companies for
vulnerabilities they find in their programs; many users fail to download the
patches, which means the vulnerabilities can be exploited.

An organization that builds a culture of cyber readiness can be resilient against
a ransomware attack by taking preventative actions (e.g., creating a backup of
critical data) and developing and testing a ransomware incident response plan.
An organization should focus on three steps: Prepare, Respond, and Recover.

Step 1: Prepare
Step 2: Respond
Step 3: Recover

Prepare
Make sure your company regularly backs up its data; storing data in the cloud is a common tool used for
backups. If your employees save important business information on their own computers, your organization
should also provide clear instructions to your employees on how to back up their data on a regular basis.
Key elements to protect against ransomware include:

  • Prioritize the data that is most critical to your organization and back it up. Make sure you can
    re-install from the backups, which are often in the cloud, and that the backups are tested frequently.

  • Early detection is important, so make sure your workforce knows how to report a possible ransomware
    incident or unusual network behavior.

  • Contract, if possible, with a vendor that can provide response support if an incident occurs.
    Establish a contract, pre-event, so you have access to the vendor immediately.

  • Since malicious actors often use phishing to infect a system with ransomware, it is crucial to
    have a phishing policy. Conduct routine phishing tests so employees will be able to detect a
    phishing email before clicking on any dangerous links or attachments and, when possible, use an
    anti-phishing software program.

  • Update your software with the latest security patches. This critical preventative step will
    make it harder for malicious actors to compromise your system.

  • Develop an organization-wide policy regarding ransomware attacks. It is much easier to have
    these discussions when the pressure of response is not looming. Questions to consider:
    What data is most critical to your organization? Does your insurance cover ransomware?
    Are you OK with paying a ransom? If so, do you understand how to use bitcoin and other
    crypto-currencies?

Discuss and agree to an organization-wide policy regarding ransomware attacks.
It is much easier to have these discussions when the pressure of response
is not looming.

Is the data critical to your operations?

Has your organization pre-determined that it is ok paying a ransom?

Does your insurance cover ransomware?

Respond
If an employee or the organization is confronted with a ransom request, your organization
must first assess the legitimacy of the ransom request by contacting your IT manager. If it is legitimate,
two possible scenarios are presented:

1. Your organization has backups that work.
   You don’t need to worry about the ransomware.
   You restore your data completely and get back to work.

2. Data that is held hostage is needed and there are no working backups.
   a. Check if the data exists somewhere else in the organization
      (e.g., cache files, email) so you can “tape” together the data to replace what is being held hostage.

   b. If you can’t access the data elsewhere, ask the following questions:

      • Is the data critical to your operations?

      • Has your organization pre-determined that it is ok paying a ransom?

      • Does your insurance cover it?

Recover
The fire is out and it’s time to return to business as usual.
The scope of the ransomware attack and the severity of
its impact on your daily operations will determine
how much time and effort is needed to recover.
Use the incident as a learning experience to reinforce
the importance of cyber readiness principles like
patching and phishing awareness.

Ensuring that your software is always updated with the
latest security patches will make it harder to penetrate
your system. Likewise, enforcing routine phishing training
minimizes human error and the potential entry points
into your system. As with any security breach, notify all
affected parties, re-set the user IDs and passwords of all
compromised devices, update the software on all devices,
and re-install your data from backups once the ransomware
threat has been neutralized.

It is especially important to ensure patches are
updated following the attack. If data has been restored,
sometimes vulnerabilities that were patched,
pre-ransomware, can reappear.

The Cyber Readiness Program includes detailed
instructions and templates to help you create your own
policies and incident response plan to prepare for,
respond to, and recover from a ransomware attack.
Sign up for free at [Link].

To read about real examples of how companies and
municipalities responded to a ransomware attack,
please visit Cyber Readiness News.

Ransomware Decision Guide
[Flowchart: decision boxes listed by phase; the connecting arrows are not preserved in this text.]

PREPARE

  • Have you prioritized your data and systems so you know what is most critical to your business operations?
  • Identify what is most valuable. Go to [Link] to access a prioritization checklist.
  • Do you have an incident response plan that covers ransomware?
  • Develop an incident response plan that covers ransomware. Go to [Link] to access an incident response plan template.
  • Do you have a current backup?
  • Back up your system and all data.
  • Have you tested it in the last month?
  • Test your backup to make sure you can recover your data – especially the most critical to your business operations.
  • Congratulations. You’re prepared.
  • You better hope you don’t get a ransomware attack. You are REALLY unprepared.

Ransomware Incident Occurs

Isolate the incident and remove the infected computer(s) from the network. Then proceed.

RESPOND

  • Great job. Go directly to Recover!
  • Do you have an IT support to contact?
  • Can you or your IT support back up in real time?
  • Is the data being held hostage valuable to your business?
  • Do you have cyber insurance?
  • Does your policy cover ransom events?
  • Your data is unrecoverable… decide whether or not to pay.
  • Go into the real time backup and clean out the malware.

RECOVER

  • Reset user IDs and change passwords
  • Do a clean install from your backup
  • Selectively reinstall data
  • Update your software to prevent more ransomware attacks in the future.
  • You are back in business!!
  • Sign up for the free Cyber Readiness Program at [Link]
