VanRein Compliance Podcast

7 Steps you need to Respond to a Ransomware Attack

December 07, 2021 Dawn & Rob Van Buskirk Season 1 Episode 13

This week our hosts Dawn and Rob Van Buskirk unpack the 7 steps you need to take to respond to a ransomware attack.

As always you can reach out to the VanRein Team to schedule a Discovery Call with one of our compliance guides. 

Every week The VanRein Compliance Podcast will help you simplify compliance, secure your business, and reduce your risk all while having some fun.  Thanks for joining us!

Rob Van Buskirk:

If you don't believe that you're ever going to get attacked by ransomware, then you're living in a cave. This week, we have some very detailed information on the steps that you need to put into your incident response. Hello, and welcome to the VanRein Compliance Podcast, the show that secures the future of your business with a clear plan to reduce your risk. I'm your host, Rob,

Dawn Van Buskirk:

and I'm Dawn.

Unknown:

And this week, we are talking about ransomware, and the ransomware response checklist. Aren't we, Dawn?

Dawn Van Buskirk:

Yes, we are. It is going to be a very good one. So please listen all the way through.

Rob Van Buskirk:

Yep, buckle up, kids, this is what you need. Because if you believe that you're not going to get attacked, then you've already probably been attacked or compromised. Right, Dawn?

Dawn Van Buskirk:

Yes, that is right. It's probably coming. You don't know when it's coming. And you need to know what to expect.

Rob Van Buskirk:

Yeah, it's not like Thanksgiving or Christmas or Hanukkah, right? Those are on the calendar. Ransomware happens, usually, between midnight and 4am, when people aren't looking and aren't on the network keeping an eye on things. So what is the first thing, Dawn, that we should have on our ransomware response checklist?

Dawn Van Buskirk:

So the first thing, you're going to realize that it happened. Oh god, it happened. So first step: determine which systems were impacted and immediately isolate them, shut them down. If it's a server, if it's a certain application, shut it down. So that is the first step. Obviously, there are multiple steps underneath that. But really, what got compromised? Identify the system, just physically unplug it, and shut the router down. Shut your firewall down. Unplugged? Yep. All right, so we're going to isolate the network or isolate the infected item. All right, what's number two? Number two, if you are unable to disconnect the devices from your network, power them down to avoid further spread of the ransomware infection. So if you can't physically unplug it from the wall, take it off the network, power it down. So then the spread of the ransomware infection will be minimized to, you know, to nothing, basically. Avoid the further spread of it.

Rob Van Buskirk:

Yep. If things are off, don't turn them on. So less is more. Keep everything off, turn everything off and isolate the bad apple, right? Yes, absolutely. That's number two. All right. So don't worry, folks, all this info will be down in the show notes. So you'll be able to take them and put them in your incident response plan. Number three, what do we have?

Dawn Van Buskirk:

Triage the impacted systems for restoration and recovery. So y'all have been through a risk assessment with VanRein? Or hopefully you have, or will soon.

Rob Van Buskirk:

There's a link you can sign up!

Dawn Van Buskirk:

Absolutely. So we ask you to identify, as part of HIPAA, identifying and prioritizing critical systems: what are those critical systems and applications, and what are non-critical. So in this instance, we need to identify and prioritize those critical systems for restoration, and confirm the nature of, you know, what has been impacted on those systems. So that is important, because if you've got, you know, multiple areas that have been impacted, you definitely need to prioritize it. Yep. And make sure you get them one by one. And so that is a big key: triage, so know what your critical systems are.

Rob Van Buskirk:

One of the required questions in the administrative section of the HIPAA compliance regulations is a categorization of your systems. And people always say, "Why do I need to do that?" Well, this is why. You need to know what systems are critical, what systems have regulated data, whether it's financial data, it's health information, it's data out of the EU, it's data in Canada, and then also understanding the impact. You know, sometimes you just shut everything off, but you need to know what is impacted, what to bring down and what to bring up, systematically. Yep. So, all right, number four, Dawn, what's number four on the list?

Dawn Van Buskirk:

This is a big key as well. And again, if you've worked with VanRein, you know this well. And if you need help with it, we are happy to help you with this: consult your incident response team. So I would ask the listeners to raise their hand if they have a disaster recovery plan and an incident response team. I would hope that everyone would raise their hands, but as we know, that isn't always true. Very important: have an incident response team. Because we need to document what's going on, what's happened, and really start doing the forensics part of this. So it's very important to have an incident response team. That can include your IT guy, whether he or she is an internal or external person. Really, it could be the supervisor at the time this occurred, a manager, it could be the business owner. Whoever these folks are, one, two, three people really need to get on the phone and start looking at this.

Rob Van Buskirk:

Yep, yep, kind of the old... Well, I worked at IBM for quite a long time, and we would call these the crit sits, or we would call them the swap calls, right? So when something happens, we call. Okay, here's the list. Here's the severity, you know, one being everything is down, nobody can do anything, then two or three, and you triage that. And then you understand who to call. And if somebody is unavailable, obviously, we're recording this in the early part of December, so the holidays are coming. If somebody is out, they need to know who to call to keep things going. So that is key: you need to know who is on your incident response team. And, you know, you've got to bring food and pizza, because it's going to be a long day or two, because you're going to be restoring data. And you're not going to be paying ransom, because you're going to follow the VanRein Compliance framework, which is going to actually keep you from paying that. So very good. Absolutely. Yeah. All right. So we've got an incident response team rocking and rolling. Dawn, what's number five?

Dawn Van Buskirk:

Well, engage your internal and external teams and stakeholders. This is so everyone has an understanding of what is going on. Yes. And if they can help mitigate, respond, recover. We have quite a few customers that are in the TAS industry; phones go down, people are wanting, needing those phones to be up, right, 24/7. So needing to let folks know what's going on. Again, this is all part of your disaster recovery. Do you have a business continuity plan as part of that? So can you pick up and carry on your business from a backup server, another location, remote, that type of thing? Can you continue your operations? That is key here. So engaging your team, saying, "Okay, here's what we need to do. Let's get business back up and going. But here's what we need to do. Here's what we need to tell people. And here's how we all need to help." You know, all hands on deck.

Rob Van Buskirk:

Yep. And remember, it's internal and external stakeholders, right? So yes, your internal team, but your external team could be your IT folks. It could be your telco folks. It could be your cloud providers. It could be anybody. It could be your CPA, it could be your attorneys. Those are external. Also think of your investors and suppliers. If you have VC money, or you have any investors, you need to let them know kind of what's going on. Because if it's big enough and it hits the media, everybody needs to know what to say, what the deal is, what the truth is, right? And say that. And one thing is, when you get to this stage, you really should never, ever, ever pay a ransom. Never. There is no reason anybody listening to this podcast should ever pay a ransom. And why? Because you have excellent data backups, excellent data privacy and security components to your plan, and also a very detailed business continuity plan. You should be able to restore from, you know, any type of disaster. Fortunately, we've had a couple of clients lately that have been impacted by ransomware. Yes, they were down all day. But you know what, they got the data back. And you know what they were asked for? Probably three Bitcoin. Well, let's see, last week that was about 90k. And they did not have to pay, because they had solid backups. And they tested the backups, and they were able to restore. Painful to be down for a day, but they didn't have to pay anything, and they're up and running. So remember, if you pay that ransom, it does not ensure that your data is going to be decrypted. It's actually going to put you on the list. You know, like, "I'm going to go back to that business because they paid once; they're going to freak out and they're going to pay again." Yeah, yeah. Never, never pay.
All right, so we have our team, we have internal teams, we have external teams, we have our stakeholders, you know, and now we're going to go into kind of like that containment cycle, right? What does that look like? Dawn, number six.

Dawn Van Buskirk:

Yeah, so basically number six is, you know, real important. Take a system image and memory capture of a sample of the affected devices, whether that's the workstation or the server. Pictures of the flashing things that are coming on the screen, that email, whatever the worm is, or whatever you want to call it, that is happening on your screen. Screenshots, screenshots. Really just try to document. This is going to be key in the forensics part, to know where it got into your system. Collect any relevant logs. Again, know logs. Logs, you know, customers of ours know all about logs. Audit logs are huge in HIPAA. So that should not be an issue, getting logs. So really, this is really key: get that snapshot of what is going on. And then you can start figuring out how to get it off of everything that it got on. So

Rob Van Buskirk:

Yep, so get as much information as you can. Everybody has a phone; if you don't have it, everyone has a camera. Take pictures of the screen, understand what's going on. There's going to be, probably, you know, in the Windows environment, there'll be a notepad, or there'll probably be a txt file on the desktop that says, "Hey, your files have been encrypted." When that's opened, it'll have the information of who did it, usually. And it'll say, "Hey, this is what they require." And they will tell you that they will give you all your data back, when they actually will not. So it doesn't fly. Take all of it; you have to build the story. You know, this is a criminal case. It actually is classified as terrorism, cyber terrorism. So when we do go and talk to law enforcement, we need to have the details of what happened, and put all that together. That's really key. Data logs in a Windows environment, Linux environment, Mac environment, firewall logs, are really key. You have got to capture everything. Capture, capture, capture, and make sure you have all that. Because if not, you're not going to know what happened. And you have to put the story together. And then you also have to determine what type of attack it is. There are hundreds of different types of ransom attacks and bots that are used. So determining what it is will actually help you eradicate it. So definitely, absolutely,

Dawn Van Buskirk:

Yep. And you touched on number seven, basically: consult federal law enforcement, you know, regarding what has occurred. But until you have the images and the documentation, you know, you can't really say. You say, "Oh, I got attacked, I don't know what it is." Just give them that information, so they're aware of it. And then one step further on that: your cyber insurance. So you'll want to make a claim with your cyber insurance company. Because all this forensics, depending on how deep this went in your network, how big it is, how many locations you have, how many servers you have, so on and so on, this could be bigger than just, "Oh, it's going to cost my IT guy eight hours, that's going to be $1,000," whatever that is. This could be tens of thousands of dollars. We've had customers that have spent $50,000 plus. So make sure that you make the claim, make the claim, understand what's covered. So then you can have everything in place. But until you've done all these steps, one through six, you need to know what it is. Your IT professional, they can help you figure out what it is, what you're looking at, when your uptime is, you know, how long your downtime is going to be, and when you guys are going to be up, that type of thing. So really key. But the local law enforcement, federal law enforcement, both, you know, I really think they're going to be able to say, "Oh, yeah, this is just yet another one. We just had this happen." Again, this is all helping them, you know, with what's going on. And we are in a very fragile state right now, you know, everywhere. You know, since COVID, before COVID, but now we're hitting the holidays. That's when a lot of things happen. So be very alert. Be very good.

Rob Van Buskirk:

Yep, definitely. So you hit a very good point about the holidays. So what we're going to do is recap the top seven, and then let's talk about the holidays. All right, so for all the wonderful listeners out there, let's run through them. Number one is

Dawn Van Buskirk:

determine which systems were impacted and immediately isolate them.

Rob Van Buskirk:

Okay, number two.

Dawn Van Buskirk:

If you're unable to disconnect devices from the network, power them down to avoid further spread. Yep, get

Rob Van Buskirk:

rid of them, shut them down, rip them out of the wall. Whatever you can, you know, dramatic

Dawn Van Buskirk:

numbers, scary.

Unknown:

What's it gonna matter? It's more fun that way. Yeah, absolutely.

Dawn Van Buskirk:

Yeah, triage impacted systems for restoration and recovery. Definitely triage those. Again, with critical: that's your critical systems versus non-critical, that type of thing. Number four, consult your incident response team; develop, document, understand what's going on. Number five, engage your internal and external teams and stakeholders, understanding what to do, how to mitigate, how to respond to and recover from this incident. And then in the containment portion, number six is going to be, basically, let's get some system images. Let's capture what's going on, collect any logs, let's get the information together. So then, number seven, we can consult our federal law enforcement. And then I'm going to add number eight: contact your insurance company for your cyber insurance coverage. So there you have it,

Rob Van Buskirk:

that is the top... So actually, the top eight things that you need to be

Dawn Van Buskirk:

I added eight. I know, I added another one. How about seven s instead of eight?

Rob Van Buskirk:

Those are the keys that you need to do. That's your checklist. Those are the things; that is how you respond to a ransomware attack. And now, Dawn, you mentioned earlier about the holidays. Yes, we're recording; this recording is December 5. So here we go. We're getting to the holidays. And with this year, I know a lot of people take time off. Except for the criminals. It's cliche, but it's true. People around the world know and understand that the IT pros won't be looking at all the logs, people are away, people are disconnected. So what are the things our listeners can do now to prepare themselves for, you know, Christmas and for New Year's and the new year?

Dawn Van Buskirk:

Gosh, hopefully you've got some of this in place. I mean, we can't stress enough: the disaster recovery, your incident response team, your business continuity. I really hope you all have this stuff in place. I think what we all learned from COVID, a lot of our customers learned, is that they needed to look at their recovery plans again, because they were so old. So please, make sure everyone knows what's going on. Make sure you're watching for things. You know, you understand, your staff knows what to look for: strange emails, phishing emails, that type of thing. Yeah, definitely.

Rob Van Buskirk:

Those are big. Also, making sure your environments have the latest security patches. If it's Windows, Mac OS, Linux, Unix, whatever, make sure everything is patched. Make sure everything is secure. Make sure everything is up to date before people take time off. Spend time on the weekends, the evenings, whenever, making sure you've got good solid backups, and test your backups, and make sure you've got that in place. Then also your firewalls and your antivirus: make sure everything is updated. So do a quick high-level inventory. Is everything patched? Is everything set? Is everything up to date? Are our firewalls up to date, our switches up to date, our environment today? And then also documentation. You know, Dawn, you talked about that. Once you kind of dive into that, unpack that a little bit: what kind of documentation do we need to prepare for the holidays?

Dawn Van Buskirk:

Documentation would be a disaster recovery plan that includes who is on your incident response team, and a business continuity plan as well. So where are those located? Does your staff know? You know, your management know? Your IT? Are they aware, you know, where that is, what the plan is? And if we're all traveling, or they're all traveling rather, you know how to get ahold of folks. So phone numbers. It's important to have in your disaster recovery plan phone numbers, even utility phone numbers, just all those phone numbers that are important, that run your business. Who do we call? Very important to document that, wherever that may be, however you have that documented in your business.

Rob Van Buskirk:

Yep, yep, that's key. Definitely documentation, putting all that together. Well, very good. That was a lot of info to unpack for the listeners. And I know this is overwhelming. I know this is stressful. I know this is confusing. So, down in the show notes, you can always reach out to us. You can just send an email to hello at VanRein Compliance dot com and just schedule a free risk review. We're just here to help. So happy to just discuss this with you, to go ahead and put this together, look at the plans. We'll show you sample plans. You can even build them yourself. It's perfectly fine. You don't even have to hire us. We want you to, but you know what? We're going to give you the templates that you need so that you can be secure yourself. That's what we're going to give you. So all the details are down in the show notes. And this was a really solid episode on what people need to do to prepare for ransom attacks. Well, thank you, Dawn. This was fun, as always.

Dawn Van Buskirk:

Oh, yes. Yeah, very fun subject.

Rob Van Buskirk:

It's a fun subject. Oh, exactly. Well, thank you, listeners, for joining us this week on the VanRein Compliance Podcast, the show that secures the future of your business with a clear plan to reduce your risk. Remember to like and subscribe wherever you listen to podcasts.