Responding to Ransomware (a Playbook)

An open-source template for ransomware response planning

Summary

Ransomware attacks are skyrocketing and they can devastate your organization if not handled well. We’ve released a new open-source ransomware playbook to fit with our high-quality free incident response plan. This playbook adds details for all response phases, and has clear customization instructions to tailor it to your environment.

Better plans and playbooks can greatly reduce ransomware’s impact and help you get back to business as quickly as possible. You’ll sleep better having put one together — we hope this helps.

Introduction

Ransomware attacks against businesses are skyrocketing, up as much as 3.5x since 2018, and they can devastate you if not handled well. It doesn’t have to be $18.2 million (Baltimore) or $300 million (Maersk) to seriously harm your organization and the people it serves.

Security and IT teams are looking for proven templates: instructions they can give to analysts, help desks, and users, to make a real difference.

To help, we took solid existing resources and combined them with our experiences and those of our customers, to create a new high-quality, open source ransomware playbook for the community. Alongside your IR plan, detailed playbooks (“run books”) can accelerate your response and reduce the cost in time and treasure.

Ask the Hard Questions

Debate before disaster. A crisis is the worst time to navigate controversy.

Customizing your ransomware playbook forces you to tackle the tough questions that will come up during a ransomware incident.

Will you consider paying the ransom? We don’t recommend this (it does not guarantee a solution, it can go wrong, and it proves ransomware works) … but, we guarantee you’ll consider it when it happens, so it’s best to think about it before it happens. Consider:

  1. What are the organizational implications (ramifications for stakeholders in your organization)?
  2. What are the legal, regulatory, and insurance implications?
  3. What are the finance implications? The budget?
  4. What are the specific mechanisms involved? (e.g., technologies, platforms, intermediate vendors/go-betweens … would you be able to pay even if you wanted to?)

There are other hard questions to consider: for example, many playbooks recommend disconnecting infected systems from the network as a containment measure. This has some benefits, but in some cases this stopped the attacker from retrieving the keys and ruled out decryption even if the victim paid. Your playbook might find a “middle way” for your team: perhaps you implement a quarantine that prevents lateral connections but leaves open connections to the internet?

In cases like Baltimore, leaders were confident in backups that turned out not to exist. Use this playbook-creation effort to communicate truth to power and save heartache in the long run.

Make It Your Own

Like our incident response plan, this playbook is useful out of the box, but it works best when customized. Everywhere you see TODO is an opportunity to dive in and get specific. For example, the note to TODO: Expand notification requirements and procedures for applicable regulations is prime real estate for specific instructions: names, phone numbers, email templates, you name it.

The audience for your playbook is your future self. Save yourself stress, be thorough, you’ll thank yourself later.

Use a Proven Structure

Playbooks should build on your existing incident response plan as modular components: more detail for specific threats and critical systems. This playbook adds details for each phase of your response: it helps you investigate, remediate, communicate, and recover.

Investigate

An effective ransomware playbook should help you investigate to:

Determine the type of ransomware: what is the family, variant, or flavor? The playbook starts with five analysis tasks with more than 20 specific information sources, something to tweak depending on your analysis documentation and team training. This won’t be exhaustive, but gives a solid starting point.

Determine the scope: which systems and data are affected? This is perhaps the question most critical to an effective response. We recommend five general approaches using 10+ data sources, things like scanning for indicators of compromise (IOCs) and auditing changes to file metadata. Knowing your own tools, you could make this

Assess the impact: what is the functional (business) impact and information impact (i.e., to confidentiality, integrity, and availability of critical or sensitive data)? Organizational leaders are usually asking this immediately. It usually takes collaboration with business unit leaders (not just IT and security) to get a handle on this. It’s significantly easier to discuss this in advance, for example by building critical asset and information lists.

Find the infection vector(s).

Expand these goals and questions as needed.

Just building the playbook is worth it, even if it’s rarely used. Customizing the playbook details helps identify areas for improvement like better controls, better tools, and better training.

Remediate

Remediation includes containment and eradication, best done in parallel with each other and with the investigation. Our playbook reminds you that, in ransomware situations containment is critical. It prompts you to inform containment measures with facts from the investigation, and to prioritize quarantines and other containment measures higher than during a typical response.

For containment, the playbook emphasizes quarantines (logical, physical, or both) to prevent spread from infected systems and prevent spread to critical systems and data. Quarantines should be comprehensive: include cloud/SaaS access, single-sign-on, system access such as to ERP or other business tools, etc.

Your playbook should include specifics on (or automation to):

  • Quarantine infected systems
  • Quarantine affected users and groups.
  • Quarantine file shares (not just known-infected shares; protect uninfected shares too)
  • Quarantine shared databases (not just known-infected servers; protect uninfected databases too)
  • Quarantine backups, if not already secured
  • Block command and control domains and addresses

And more. And everything you write down should be attainable.

Tabletop exercises of your ransomware playbook help you assess whether it’s realistic

Eradication is just as critical. The playbook lists six areas, including rebuilding infected systems from known-good media and restoring from known-clean backups. None of these are as simple as they sound, and each requires careful consideration. For example:

  • Do we rebuild a system if it still has encrypted files we might try to get back later?
  • If we want to keep encrypted drives in the hope of future decryption, can we source enough replacement drives to restore systems?
  • Do we have enough staff to execute our eradication plan?

Communicate

This playbook includes reminders for clear communication to and from leadership, legal counsel, users, customers, insurers, regulators, law enforcement, security and IT vendors, and others.

Recover

Like the eradication steps, recovery steps can sound deceptively easy. “We’ll restore from backups.” No problem, right? Ransomware can be a true disaster, and it’s critical to leverage existing plans like business continuity and disaster recovery.

We include reminders in the playbook for big-picture things like checking backups for indicators of compromise, and to do incremental integrity testing during recovery, but this is a great place to collaborate with your IT team and business units.

Ransomware can have a long tail to its recovery, and you may find relief in the future through things like the No More Ransom! Project’s Decryption Tools page. In your strategy, you may include periodic check-ins to see if your threat gets tackled.

Conclusion

We’ve released a detailed, customizable playbook for ransomware to enhance your incident response plan and reduce the impact of ransomware incidents. We included best practices and war-stories, but you’ll know best how to make it fit your organization’s team and technology. Try it, let us know what you think, or submit a pull request with improvements!

We can help with your ransomware response and IR planning: please contact us, we look forward to helping you.