Last month, in the light of the escalating Russia-Ukraine conflict, we shared four tips for protecting your business against cybercrime. But what should you do if your organization becomes a victim?
Should your business find itself a victim of ransomware or another form of cybercrime, we want to help you feel prepared to respond. We’re sharing six steps the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends you consider when responding to cybercrime.
The following steps are only the start of the response process. CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Ransomware Guide as a one-stop resource with best practices and ways to prevent, protect against, and respond to a ransomware attack. We encourage you to take a look — it will take you through the response process from detection to containment and eradication.
- Determine which systems were impacted, and immediately isolate them.
If several systems or subnets appear impacted, take the network offline at the switch level, or unplug affected devices from the network, or remove them from Wi-Fi to contain the infection. After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely prior to networks being taken offline.
- Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
Powering a device down destroys ransomware infection artifacts and potential evidence held in volatile memory, so carry out this step only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network by other means.
- Triage impacted systems for restoration and recovery.
Identify and prioritize critical systems for restoration and confirm the nature of the data housed on impacted systems. Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as the systems they depend on. Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This lets your organization get back to business more efficiently.
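The triage step above combines three ideas: a predefined criticality tier for each asset, the systems each asset depends on, and a list of what is believed clean so it can be deprioritized. The script below is an added example (not from the CISA guide or this post) that turns those ideas into a restoration order. The asset names, tiers and dependencies are constructed sample data; a low-tier system inherits the tier of anything critical that depends on it, so a forgotten supporting box does not hold up a tier-1 service, and a dependency cycle among impacted systems is reported rather than silently ignored.

```python
import heapq

# Constructed sample asset list (not from the page): tier 1 = health/safety or
# revenue critical, tier 3 = convenience. "depends_on" names the systems that
# must be working before this one is useful.
ASSETS = {
    "ad-dc-01":           {"tier": 1, "depends_on": []},
    "san-01":             {"tier": 1, "depends_on": []},
    "license-server":     {"tier": 3, "depends_on": []},
    "core-banking-db":    {"tier": 1, "depends_on": ["ad-dc-01", "san-01", "license-server"]},
    "online-banking-web": {"tier": 1, "depends_on": ["core-banking-db", "ad-dc-01"]},
    "email-gw":           {"tier": 2, "depends_on": ["ad-dc-01"]},
    "hr-portal":          {"tier": 3, "depends_on": ["ad-dc-01"]},
    "marketing-wiki":     {"tier": 3, "depends_on": []},
    "dev-jenkins":        {"tier": 3, "depends_on": []},
}

# Constructed: hosts that initial triage found encrypted or otherwise impacted.
IMPACTED = ["online-banking-web", "core-banking-db", "license-server",
            "email-gw", "hr-portal", "marketing-wiki"]


def plan_restoration(assets, impacted):
    """Return (restore_order, verify_first, deprioritized).

    restore_order: impacted systems, most critical first, never scheduled
                   ahead of an impacted system they depend on.
    verify_first:  systems believed clean that impacted systems depend on;
                   confirm they really are clean before restoring onto them.
    deprioritized: everything else believed clean.
    """
    impacted = set(impacted)
    unknown = impacted - set(assets)
    if unknown:
        raise ValueError(f"impacted hosts missing from asset list: {sorted(unknown)}")

    # Effective tier: a system inherits the (lower = more critical) tier of
    # anything that depends on it. Values only ever decrease, so this loop
    # terminates even if the dependency graph contains a cycle.
    eff = {n: assets[n]["tier"] for n in impacted}
    changed = True
    while changed:
        changed = False
        for name in impacted:
            for dep in assets[name]["depends_on"]:
                if dep in impacted and eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True

    # Kahn's algorithm over impacted-only dependency edges, always picking the
    # most critical system that is ready (all impacted dependencies restored).
    indegree = {n: 0 for n in impacted}
    dependents = {n: [] for n in impacted}
    for name in impacted:
        for dep in assets[name]["depends_on"]:
            if dep in impacted:
                indegree[name] += 1
                dependents[dep].append(name)
    ready = [(eff[n], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (eff[child], child))
    if len(order) != len(impacted):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among impacted systems: {stuck}")

    verify_first = sorted({dep for n in impacted
                           for dep in assets[n]["depends_on"] if dep not in impacted})
    deprioritized = sorted(n for n in assets
                           if n not in impacted and n not in verify_first)
    return order, verify_first, deprioritized


if __name__ == "__main__":
    order, verify, later = plan_restoration(ASSETS, IMPACTED)
    print("restore in order:  ", order)
    print("verify clean first:", verify)
    print("deprioritized:     ", later)
```

With the sample data, `license-server` (tier 3 on its own) is restored first because the tier-1 `core-banking-db` cannot come back without it, and the two domain and storage systems believed clean are flagged for verification before anything is restored onto them. The asset list itself should be prepared before an incident; building it during one is exactly what this step warns against.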
- Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
- Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders.
- Consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.
For more tips and resources on ransomware, visit cisa.gov/stopransomware. In addition to the above steps, getting to know your local FBI or Secret Service agents, or engaging with groups like CISA that offer a library of resources, is a good way to prepare in case you ever do become a victim.
Our Commitment to Information Security
We’re dedicated to protecting our customers and our communities from cybercrime, identity theft and fraud. We have implemented multiple layers of security and fraud controls designed to safeguard your personal information and funds. We also strive to keep you informed about current scams, trends, and best practices so you can feel protected with the most up-to-date knowledge. You can view more security resources by visiting bankprov.com/security.