Do you have an emergency?

Contact Enduir to get assistance.

Experiencing a ransomware attack - follow these initial steps

  1. Contain the Threat and the Damage

    1. Do not shut down servers, but disable networking if possible

    2. Disconnect systems from the Internet

    3. Disable VPN and Remote access for everyone except critical IT staff

  2. Gather your team

    1. Contact your cyber insurance broker or carrier for coverage support

    2. Engage your external Counsel to provide legal coverage

    3. Bring together your IT and Technology providers

    4. Work with your legal, insurance and recovery provider to engage the remainder of the support team

  3. Take stock of the situation

    1. Identify and retain a copy of any ransom notes; do not delete them, as there may be a specific key for each impacted system

    2. Do not contact the threat actors; leverage your insurance carrier for support

    3. Determine the accessibility and viability of any backup

    4. Identify the number of impacted systems

    5. Know your inventory of Servers, Workstations and Critical applications

  4. Develop a containment and recovery plan

    1. Prepare for the long road to recovery. Most recovery efforts take weeks, not days, so plan your resources and team accordingly

    2. Identify the most critical business applications and determine a recovery order

    3. Restore critical infrastructure such as Active Directory, DNS, Networking etc.

    4. Deploy containment tools such as Endpoint Detection and Response (EDR) software to allow for quick identification and containment of malware

    5. Rotate all passwords, including service accounts

    6. Where possible, begin restoring systems from backups, working with forensics teams to identify and contain any persistent access

    7. Continue working the plan, pivoting where necessary based on the information that becomes available from recovery teams and forensics experts