Protection Against Ransomware Attacks: The Do’s and Don’ts
Ransomware is among the most damaging attacks a company can face. It can cut off access to critical data and, because modern operators usually steal data before encrypting it, lead to the theft and public disclosure of sensitive information. Given how serious an attack is, it is important to follow the recommended actions below. The best defense against ransomware is proactive cyber risk management: having both technical and managerial processes in place before an incident can drastically reduce its overall impact.
Should you fall victim to a ransomware event, immediately contact Great American’s Cyber Risk Division. We have the resources critical to restoring your operations. These can include digital forensic consultants, breach coaches, crisis management firms and more. Please read this document carefully before taking any action.
Do's

Implement your incident response plan: Key employees begin executing their assigned response and recovery tasks. Keep decision-makers updated at regular intervals.

Maintain a chain of custody form: Record who collected, handled and stored each piece of evidence (disk images, logs, quarantined files) and when, and track everyone who has had access to the affected systems. This supports regulatory compliance and keeps the evidence usable later. Use this time to assess the situation and inventory all encrypted and non-encrypted systems. Then, under the supervision of counsel, assemble a timeline of events. Because the timeline may be discoverable, prepare it at the direction of counsel so that it is covered by attorney-client privilege to the extent possible.

Execute a business continuity plan: Carry out manual workarounds to keep serving clients and avoid the reputational damage that comes with breaching contractual obligations.

Engage with legal counsel: To the extent possible, conduct the investigation under the protection of attorney-client privilege and the work product doctrine. Our breach coaches will help navigate the legal landscape of an event, from investigating the incident to remedying the loss and notifying regulators and consumers.

Disconnect from the internet: Isolate the environment from the outside world without shutting down any systems: pull network cables, disable Wi-Fi, or block the affected segments at the firewall. This cuts off the attacker's remote access and slows further malware spread while preserving the running state of the machines for forensics.

Craft public statements: Work with the breach coach to prepare a neutral, factual statement describing the technical issues your company is experiencing, for internal and external audiences. Avoid using the word "breach."

Create strong passwords: Use long, unique, complex, randomly generated passwords as the first line of defense against unauthorized access. Using a different password for every service, and rotating them, materially improves your security posture; a password manager can generate, store and rotate them for you. During an incident, coordinate credential resets with the forensic team: if passwords are changed before the attacker's access route has been identified and closed, the attacker can simply harvest the new ones.

Notify law enforcement: Notify the appropriate agencies. The FBI should be contacted first; reports can be filed through its Internet Crime Complaint Center at IC3.gov. Our claims team and breach coaches will assist with this process.

Assess the viability of backup records: Confirm that backups exist, were not themselves encrypted or deleted, and actually restore, then estimate the time required to restore systems and data. This assessment guides the restoration effort and determines the resources that will be required.

Cooperate with the forensic investigators: Our digital forensic consultants will identify the root cause, contain the incident, secure the vulnerabilities that were exploited, and determine which data may have been accessed or exfiltrated. Their findings are what the breach coach uses to assess contractual, industry, regulatory and/or statutory notification requirements.

Don'ts

Do not engage with the attacker: Contact with a threat actor may start a "clock" that limits the time available for negotiation and accelerates publication of stolen data. Attackers sometimes hold only IP addresses and have not confirmed who the victim is, so do not reveal your identity to them. Let our claims staff bring in the experts to communicate with threat actors when needed, in a manner that complies with legal requirements and protects your organization.

Do not make a payment to a threat actor without legal consultation: Ransom payments are subject to U.S. Department of the Treasury regulations, including Office of Foreign Assets Control (OFAC) sanctions, and may be subject to other state, federal or international laws. To ensure compliance, work with our trusted legal counsel and experts to assist with and oversee any payment process.

Do not turn off encrypted systems: Do not power off systems that are encrypted or are in the process of encrypting. Powering down can corrupt data and destroys volatile evidence (running processes, network connections, memory contents) that the forensic investigation depends on. Isolate the machine from the network instead.

Do not make any unnecessary statements: Public communication about a cyberattack is highly sensitive and can cause reputational damage and unforeseen legal consequences. Allow our legal counsel and public relations experts to handle the required internal and external communications so that appropriate, concise and timely messages are delivered and unintended ramifications are limited.

Do not wipe and/or attempt restoration of hardware or systems before consulting with forensics: Restoring systems before forensics has examined them is a mistake. Critical systems such as domain controllers hold forensic evidence, and restored backups may still contain the vulnerability, or the attacker's persistence mechanisms, that let the environment be compromised, leaving it open to reinfection or re-encryption. Consult a forensic expert as part of the restoration process and put appropriate security measures in place before restoration begins.

Do not hesitate to delete emails: Once an email is identified as potentially malicious, remove it from every affected inbox across the organization as promptly as possible. Before deleting, preserve a quarantined copy (with full headers) for forensic use where possible.
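The chain-of-custody item above and the advice to keep a quarantined copy of a malicious email both come down to the same discipline: hash the artifact when it is collected, write down who handled it and when, and re-verify the hash on every later touch. The following script is an added example of that workflow, not code from Great American or from this page; the sample message, the `custody.jsonl` log name and the `quarantine`, `log_handling`, `verify_all` and `demo` function names are all assumptions made for illustration.

```python
"""Hash-verified evidence quarantine with an append-only custody log (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: a phishing-style message as a user might report it.
SAMPLE_EML = b"""From: "Accounts" <billing@example.invalid>
To: staff@example.invalid
Subject: Overdue invoice - action required
Content-Type: text/plain

Please open the attached invoice.
"""


def sha256_file(path: Path) -> str:
    """Stream the file so large mailbox exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _append(log: Path, record: dict) -> None:
    # Append-only, one JSON object per line; nothing is ever rewritten.
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def _records(log: Path) -> list:
    if not log.exists():
        return []
    with log.open(encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def quarantine(source: Path, qdir: Path, handler: str, note: str = "") -> dict:
    """Copy the artifact into quarantine, hash it, and open its custody trail."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(source)
    dest = qdir / f"{digest}{source.suffix}"  # content-addressed name, deduplicates
    shutil.copy2(source, dest)
    if sha256_file(dest) != digest:  # verify the copy before trusting it
        raise RuntimeError(f"verification failed for {source}")
    record = {
        "item": dest.name, "original": str(source), "sha256": digest,
        "size": dest.stat().st_size, "handler": handler, "action": "quarantined",
        "time": datetime.now(timezone.utc).isoformat(), "note": note,
    }
    _append(qdir / "custody.jsonl", record)
    return record


def log_handling(qdir: Path, item: str, handler: str, action: str, note: str = "") -> dict:
    """Record every later touch of an item and re-verify it against the admission hash."""
    log = qdir / "custody.jsonl"
    first = next(r for r in _records(log) if r["item"] == item and r["action"] == "quarantined")
    current = sha256_file(qdir / item)
    record = {
        "item": item, "sha256": current, "handler": handler, "action": action,
        "time": datetime.now(timezone.utc).isoformat(), "note": note,
        "intact": current == first["sha256"],
    }
    _append(log, record)
    return record


def verify_all(qdir: Path) -> dict:
    """Map each quarantined item to True if its bytes still match the admission hash."""
    result = {}
    for r in _records(qdir / "custody.jsonl"):
        if r["action"] == "quarantined":
            result[r["item"]] = sha256_file(qdir / r["item"]) == r["sha256"]
    return result


def demo(base=None) -> dict:
    """Run the workflow end to end on the constructed sample and return a summary."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="evidence-"))
    reported = base / "reported.eml"
    reported.write_bytes(SAMPLE_EML)
    qdir = base / "quarantine"
    admitted = quarantine(reported, qdir, "helpdesk", "reported by user as phishing")
    handoff = log_handling(qdir, admitted["item"], "forensics", "handed to forensics")
    before = verify_all(qdir)
    # Simulate someone altering the quarantined copy; the next check must flag it.
    (qdir / admitted["item"]).write_bytes(SAMPLE_EML + b"X")
    recheck = log_handling(qdir, admitted["item"], "forensics", "re-checked")
    return {
        "sha256": admitted["sha256"], "handoff_intact": handoff["intact"],
        "verify_before": before, "tampered_intact": recheck["intact"],
        "verify_after": verify_all(qdir), "entries": len(_records(qdir / "custody.jsonl")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The quarantine directory and its `custody.jsonl` log should live on storage that responders can only append to, and the log itself should be handed to counsel along with the artifacts; a hash that no longer matches its admission record is exactly the kind of gap opposing counsel or a regulator will ask about.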
Help Secure Your Business with Cyber Insurance
Our experienced team of cyber risk professionals understands the complex digital threat landscape businesses operate in. Learn more about our easy-to-understand cyber risk products, designed to meet the differing needs of small and mid-sized clients.