
Incident Response Under Time Pressure: Successfully Defending Against a Ransomware Attack

How a proven incident response plan minimizes damage and ensures GDPR compliance

Ransomware groups are becoming increasingly sophisticated and are targeting businesses of all sizes. From hospitals and schools to critical infrastructure, no organization is safe. CISOs must therefore be prepared for an emergency so they can respond quickly and effectively in the event of an attack.

The Incident Response Plan as a Key Factor

A structured incident response plan guides the incident response team in the event of an emergency. It should be practiced regularly so that everyone involved can act efficiently under time pressure. If you don’t have your own plan, external support—such as our Incident Response Team—can immediately help contain the damage and quickly restore systems.

Immediate measures to contain the situation

If a ransomware attack is detected, it is essential to stop its spread immediately.

  • Network isolation: Isolating affected systems, blocking data traffic at the firewall level if necessary, or temporarily disconnecting them from the Internet
  • Device isolation: Isolating individual devices from the network, using EDR solutions to block processes in real time

Identify the ransomware variant and the initial point of entry

Identifying the malware used can provide clues about potential decryption tools. It is equally important to determine the initial point of entry so that it can be closed; this is often compromised login credentials or an exploited vulnerability in an externally accessible service.

Detecting malware and data exfiltration

In addition to encryption, data is often exfiltrated to put additional pressure on the victim. CISOs should look for signs of unusual data transfers or communication with command-and-control servers.
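A minimal form of the check described above, added here as an example and not the page's or the author's own tooling: it parses constructed outbound-connection records and flags hosts whose total egress is far above an assumed per-host baseline, or whose connections to one destination recur at a fixed interval (a common command-and-control beaconing pattern). The log format, baseline figures and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of outbound-connection records (firewall/netflow style):
# "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.1.15 52.10.20.30 443 120000
1700000060 10.0.1.15 52.10.20.30 443 98000
1700000120 10.0.1.22 198.51.100.77 443 4800000000
1700000180 10.0.1.22 198.51.100.77 443 3900000000
1700000240 10.0.1.30 203.0.113.9 8443 1500
1700000300 10.0.1.30 203.0.113.9 8443 1600
1700000360 10.0.1.30 203.0.113.9 8443 1550
1700000420 10.0.1.30 203.0.113.9 8443 1480
"""

# Assumed per-host daily egress baseline in bytes (constructed, e.g. learned from a quiet week).
BASELINE_BYTES = {"10.0.1.15": 250_000_000, "10.0.1.22": 300_000_000, "10.0.1.30": 50_000_000}

@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    port: int
    bytes_out: int

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort mid-incident
        ts, src, dst, port, b = parts
        flows.append(Flow(int(ts), src, dst, int(port), int(b)))
    return flows

def find_exfil_suspects(flows, baseline, volume_factor=10, beacon_min=4, beacon_jitter=0.2):
    """Return {src: [reasons]} for hosts whose egress exceeds volume_factor x baseline
    (hosts with no baseline count as 0 and are flagged on any egress) or whose
    connections to one dst:port are evenly spaced over at least beacon_min events."""
    egress, times, findings = defaultdict(int), defaultdict(list), defaultdict(list)
    for f in flows:
        egress[f.src] += f.bytes_out
        times[(f.src, f.dst, f.port)].append(f.ts)
    for src, total in egress.items():
        if total > volume_factor * baseline.get(src, 0):
            findings[src].append(f"egress {total} B exceeds {volume_factor}x baseline")
    for (src, dst, port), ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if len(gaps) >= beacon_min - 1:
            mean = sum(gaps) / len(gaps)  # flag if every gap is within jitter of the mean
            if mean > 0 and max(abs(g - mean) for g in gaps) <= beacon_jitter * mean:
                findings[src].append(f"regular {mean:.0f}s beacon to {dst}:{port}")
    return dict(findings)
```

On the sample data the script reports 10.0.1.22 for volume and 10.0.1.30 for beaconing; in practice the baseline should be taken from a period known to predate the intrusion, since the attacker may have been present for some time.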

Back up and verify backups

Since attackers specifically target backups, they must be checked for integrity. If attackers have been in the network for some time, the backups may also have been compromised.

Clean up or reset systems

Once it has been confirmed that no malware is active, systems can be cleaned up. If this cannot be confirmed with certainty, the safest approach is to reinstall the system in a clean environment.

Reporting Requirements and Communication

Under Article 33 of the GDPR, a breach involving personal data must be reported to the competent supervisory authority within 72 hours of the organization becoming aware of it. If the organization has cyber insurance, the incident must also be reported to the insurer immediately.

Dealing with ransom demands

Authorities do not recommend paying ransom. If a payment is made nonetheless, it is advisable to do so only with the assistance of experienced experts. Regardless, all vulnerabilities that led to the attack must be addressed immediately.

Conclusion

A well-designed incident response plan is the most important tool in the fight against ransomware. Companies that do not yet have a plan should not wait; ITanic GmbH offers incident response services to enable immediate action in the event of an emergency and minimize downtime.
