
The Complete Action Plan for Ransomware Response Committee

RANSOMWARE ON THE RISE


How should you protect your data?

Ransomware attacks are on the rise and 2017 is going to witness a massive data threat from ransomware attacks.

Take these resolutions and save your data!


#1 Locate your data
A Ransomware Response Committee (RRC) has to collect all the details of data in an organization.

[Figure labels: Cloud Storage; Storage Area Network; Network Attached Storage; Smart Medication Management; Assistive Technologies; Social & Health Apps; Patient / Provider / Caregiver Communication Platform; Robots; Remote Lab; Smart Body Sensors; Local Social Networks; Commerce; Big Data and AI]
#2 Set a recovery time objective
RRC should set a Recovery Point Objective by deciding the volume of data that could be lost and
its back-up strategy. Always keep in touch with a cyber security company so that you can
approach them at the time of a crisis.
#3 Determine type and variant of ransomware

Establish the ransomware variant to determine how the malware works and if it is decryptable.

If you find paying ransom is inevitable, the RTC should study all the ransom notes left by the hackers on the infected server, calculate the total payment and submit a report to the RRC ASAP.

Do an initial technical assessment and forward a sample of the encrypted files to the CSC for a second opinion ASAP.

Some variants can be decrypted by using decryption tools that are available on the Internet. Do it if possible.
#4 Inform local / state law enforcement
RRM should inform relevant government authorities like the FBI, share the details of the
ransomware attack with them and seek guidance from them.
#5 Should be able to adhere to contractual obligations after a ransomware attack
After a ransomware attack, what will you do if you have contractual agreements to deliver
vendor or client data?

Force majeure type clauses should be inserted in all the contracts stating that, if the organization is under a ransomware attack and the data is still encrypted, the company will not be able to provide it.

All contracts should be modified appropriately after consulting with the organization's lawyer and an external law firm.
#6 Calculate cost of downtime, value of data and future financial impact
RTC should calculate:

The number of employees affected
The average employee earnings (per hour)
The average overhead costs of affected employees
The revenue loss of the organization if employees cannot work since they cannot access their data (per hour)

Single-Loss Expectancy (SLE) calculation can be used to determine the damage done to the organization's profits.
#7 Evaluate data restore from backup
RTC should evaluate restoring from backup and submit a report to RRC within
a pre-defined time.

Last backup time
Reports of last restore test
Is everything backed up?
Is there a 3-2-1 backup strategy?
How often are backups done?
Does SAN/NAS have recovery option?
Schedule of backup time
Does cloud backup have a recovery option?
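
The backup questions above, together with the Recovery Point Objective from #2, can be checked against a backup inventory. The following is an added example, not part of the original slides; the record fields, the sample datasets and the 90-day restore-test limit are constructed assumptions, and 3-2-1 is read as three copies, two media types, one offsite.

```python
from datetime import datetime, timedelta

NOW = datetime(2017, 1, 10, 12, 0)  # fixed "current time" so the sample is reproducible
def rec(dataset, media, live=False, offsite=False, backup_h=None, test_d=None):
    """Build one constructed inventory record (field names are assumptions)."""
    return {"dataset": dataset, "media": media, "live": live, "offsite": offsite,
            "last_backup": None if backup_h is None else NOW - timedelta(hours=backup_h),
            "last_restore_test": None if test_d is None else NOW - timedelta(days=test_d)}
# Constructed sample: every stored copy of a dataset, the live copy included.
SAMPLE = [
    rec("finance-db", "san", live=True),
    rec("finance-db", "nas", backup_h=2, test_d=20),
    rec("finance-db", "cloud", offsite=True, backup_h=6),
    rec("hr-share", "nas", live=True),
    rec("hr-share", "nas", backup_h=30),
    rec("lab-data", "san", live=True),
]

def evaluate_backups(copies, rpo, now=NOW, max_test_age=timedelta(days=90)):
    """Return {dataset: [findings]}; an empty list means every check passed."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c["dataset"], []).append(c)
    report = {}
    for name, items in by_dataset.items():
        backups = [c for c in items if not c["live"]]
        findings = []
        # 3-2-1: three copies in total, on two media types, one backup offsite.
        if len(items) < 3:
            findings.append("fewer than 3 copies")
        if len({c["media"] for c in items}) < 2:
            findings.append("fewer than 2 media types")
        if not any(c["offsite"] for c in backups):
            findings.append("no offsite backup")
        if not backups:
            findings.append("not backed up")
        else:
            # Anything written after the newest backup is lost on restore.
            if now - max(c["last_backup"] for c in backups) > rpo:
                findings.append("newest backup older than RPO")
            tests = [c["last_restore_test"] for c in backups if c["last_restore_test"]]
            if not tests or now - max(tests) > max_test_age:
                findings.append("no recent restore test")
        report[name] = findings
    return report

if __name__ == "__main__":
    for dataset, findings in evaluate_backups(SAMPLE, rpo=timedelta(hours=4)).items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

A dataset that appears in the data inventory from #1 but not in this report at all has no recorded copy and should be treated as not backed up.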
#8 Pre-allocate funds to pay the ransom
Get approval and authorization from the authority to pay the ransom.
As per the pre-approval, RRC should keep a few thousand dollars in a separate account for
ransom payment.
#9 Buy digital currency in advance and make the decision; restore or pay the ransom

Compare the data restoration time with the time required to decrypt all the data.

This process can help in making a choice to restore from backup or pay the ransom and decrypt the data.

The RRC should meet and decide; RRM should make the final decision.
#10 Tactically negotiate the final price for all the keys
If RRM decides to pay the ransom and get the decryption keys, the RRP should have all these
details:

Ensure that you have received all the keys for decrypting the data.

Designate a decryption leader from your expert panel.

Negotiation should be done by someone from the purchase department who has excellent negotiation skills.

Make sure of the availability of bitcoins or arrange digital currency.

Complete the decryption within the deadline.

Now things are almost safe! Your data has been decrypted!
#11 Conduct a ransomware attack post-incident review
The RRC/RTC should do a post-attack analysis and share the report with management and
relevant stakeholders. The report should incorporate all the processes carried out from the
ransomware attack detection to data decryption stage.

Follow the safeguards to protect your data and say NO to RANSOMWARE attacks!
