Regulating Processes

If the cat is out of the bag and your systems have been affected by a ransomware incident, you need to respond adequately. Ideally, you will have drawn up risk and contingency plans in advance and defined responsibilities. The plans include information about the criticality of individual systems and specify the extent to which you need to shut down other systems. A targeted and planned shutdown can protect your company against existential damage, even if collateral damage has to be accepted in the process. The operators of Colonial Pipeline responded in an exemplary manner and specifically removed the system from the network.

You need to inform contacts in the affected departments in good time and make sure that backup systems go online in a way that reflects the established criticality. If you are legally required to report cyber incidents, you should have appropriate forms pre-filled and make a report in a timely manner. This procedure will help you avoid penalties because you left steps out. Keep the affected systems as-is for later forensic analysis. You can handle this step yourself if your company is large enough and you have appropriate skills in your IT department; otherwise, commission an external service provider to perform the analysis. The main goal is to identify the vulnerability – one hopes you have been able to restore your data from backup. Gradually rebuild your infrastructure once you have eliminated the vulnerability. While you're at it, don't forget to set up new backup systems to cushion the effect of a new attack.

In the best of all worlds, you will also have an internal contingency plan for each department that will inform suppliers, partners, or customers in the respective areas. If you are a supplier yourself, you need to notify dependent companies in the supply chain in a timely way and inform your own suppliers in these times of zero-stock supply chains and just-in-time production.

If you were caught off guard by the attack while you are still in the process of working out your risk and contingency plans, at least try to recover what can be salvaged, including consideration of a ransom payment. However, you should arrange this in collaboration with the authorities you notified after the incident. Set up a crisis team with all the people you can identify as relevant in a timely manner and discuss the necessary measures.

Conclusions

Ransomware is a big threat to businesses, public institutions, and individuals. In recent years, the consequences of ransomware attacks have grown in scale. In this article, I looked at the various attack vectors and manifestations of ransomware from actual incidents and discussed the risk that exists and how contingency plans can help you restore operations when responding to attacks.