Ransomware Recovery – 5 Action Items Missing from Your Plan

There are hundreds of ransomware recovery guides out there, so we aren’t going to rehash the same tips. Instead, our threat intelligence experts share some practical, actionable tips to ensure your ransomware playbook is up to the challenge if the worst happens.

Tip No. 1:

Create an incident response team with a clearly defined hierarchy and an incident commander—as well as a backup commander. Think about it. Most companies have someone specially designated as an emergency response coordinator in the event of physical threats, such as a fire or inclement weather.

You need the same kind of plan in place for cybersecurity. If you have a clear emergency outline for physical threats, ensure you have one for cyber threats, too.

We recommend having a written SOP that’s easily accessible to everyone and keeping a printed backup copy on hand in case you must shut down network access. In it, you should outline straightforward, granular tasks assigned to each person in the chain. That way, if you do get hit with ransomware, there’s no confusion about who needs to do what as the threat unfolds and your team acquires more information. For example, have someone on the corporate communications team responsible for all incoming queries and calls, and have a set script in place.

Tip No. 2:

It should be common sense, but you need a current contact list with everyone’s names, emails, and phone numbers, both business and personal. Make sure this list is updated at least quarterly. Large enterprises, in particular, tend to be siloed, and many departments don’t communicate freely with one another. But if a ransomware attack happens, you need to be able to contact your CISO, your CTO, your legal team, and any other stakeholders at a moment’s notice. That way, in case of an attack, your IT or security teams won’t waste valuable time looking for contact information.

Our experts recommend having a secondary means of communication in case the company infrastructure is compromised. You definitely won’t want to use company computers or cell phones in case the hackers are monitoring those.

You will also need to contact the relevant authorities for your state and country. Often, the government will have invaluable information about your attacker and may be able to assist you in prosecution. You also should include all your current vendors and anyone in your existing supply chain. (More on that later.)

Tip No. 3:

Research reputable ransomware negotiators. Professional negotiators know the tactics, techniques, and procedures (TTPs) of the biggest ransomware criminal syndicates and will know when to work with them and when to play hardball. Be sure to include those names in your contacts list! We always recommend that you DO NOT pay the ransom, but sometimes you don’t have a choice. A professional negotiator will help keep the financial burden on your company as low as possible.

Tip No. 4:

Invest in good cyber insurance. Cyber insurance will protect your company from any damages and liability that arise because of cybercrime. Make sure your policy includes ransomware coverage. Not all policies have it, so it’s not a bad idea to review your current coverage and add it if it’s available.

Tip No. 5:

Set up a communications cadence and stick to it. We recommend deciding on the cadence before an incident, so your stakeholders know when to expect updates. In addition to company stakeholders, current regulations require contacting everyone in your supply chain to avoid lawsuits and regulatory fines. If you’ve followed Tip 2, you already have an updated vendor contact list, and notifying them should be as simple as sending a mass email.

If you have a tactical, action-based ransomware response guide handy, your organization can weather the attack. It’s a simple, common-sense series of tips, but common sense often goes by the wayside when security is threatened. These steps will help your team access direct, accurate contact information for all parties involved and act quickly, because if ransomware locks up your business’s critical data, every second counts.

If the worst happens, you don’t have time to read. Get our handy-dandy ransomware recovery downloadable infographic of the blog right here. 

VerSprite’s Threat Intelligence Group can help you understand the imminent risks locally and from a geopolitical perspective. To learn more about geopolitical risk factors affecting you, check out our yearly report.

For more on ransomware recovery, check out CISA’s website for free tools and tips.