{"id":49534,"date":"2021-02-11T14:48:12","date_gmt":"2021-02-11T10:48:12","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=49534"},"modified":"2022-07-19T16:12:08","modified_gmt":"2022-07-19T12:12:08","slug":"designing-a-ransomware-response-plan","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/designing-a-ransomware-response-plan\/","title":{"rendered":"Designing a Ransomware Response Plan"},"content":{"rendered":"<p>Ransomware attacks, which have grown at rates of as much as <a href=\"https:\/\/purplesec.us\/resources\/cyber-security-statistics\/ransomware\/\">350 percent per year<\/a> in recent years, are one of the most pressing security challenges facing businesses today. And, while the best strategy is to take steps to <a href=\"https:\/\/www.msp360.com\/resources\/blog\/how-to-be-protected-against-ransomware\/\">prevent ransomware attacks<\/a> from happening in the first place, the reality is that there is no way to guarantee your data won\u2019t be held for ransom.<\/p>\n<p>That\u2019s why it\u2019s crucial to have a ransomware response plan in place. This plan helps both internal IT departments and managed services providers, or MSPs, react quickly and effectively when ransomware strikes.<\/p>\n<p>Keep reading for tips on building a solid response plan tailored to your organization\u2019s needs.<\/p>\n<h2>Why Create a Ransomware Response Plan?<\/h2>\n<p>There are several reasons to create a ransomware response plan rather than managing ransomware recovery on an ad hoc basis with no plan in place.<\/p>\n<p>Perhaps the most obvious reason is that having a plan in place for responding to a ransomware incident helps to ensure that you can actually recover from the attack without paying the ransom. 
If recovery is expected to take too long because of the lack of a plan, the business you support may choose to pay the ransom in order to restore operations, even if the data could be recovered through other means. That\u2019s not an ideal outcome. Not only will it cost the business money, but it also harms the reputation of your IT team.<\/p>\n<p>An important factor is that ransomware attacks cost businesses large sums of money. The typical business suffers financial losses of <a href=\"https:\/\/invenioit.com\/continuity\/cost-of-data-loss\/\">$7,900 per minute<\/a> when data is rendered unavailable by a ransomware attack or other problem. By enabling faster data recovery, ransomware response plans save money.<\/p>\n<p>A response plan also helps ensure that you are in a stronger position to prevent ransomware attacks from recurring. If you don\u2019t have a formal response plan in place that includes steps to prevent future breaches, you are more likely to keep suffering the same types of attacks over and over.<\/p>\n<p id=\"last\">A third reason to create it is to help protect your business\u2019s reputation. Even if the direct financial impact of downtime is minimal, the business\u2019s brand is likely to be harmed if services are disrupted by a ransomware attack. 
With a response plan in place, you are in a better position to recover data before customer operations are critically disrupted.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/how-to-respond-to-cyberattacks\/\">Responding to Cyberattacks: 6 Top Tips<\/a><\/p>\n<h2>Who Needs a Ransomware Response Plan?<\/h2>\n<p>Ransomware affects businesses of all types and sizes, and across all industries. 
Whether you support a large enterprise or a small business with just a handful of employees, you should be prepared to respond to ransomware.<\/p>\n<p>In addition, as noted above, ransomware response plans are also a valuable resource for both internal IT teams and MSPs who provide IT support to businesses on an outsourced basis.<\/p>\n<h2>Ransomware Incident Response Plan Template<\/h2>\n<p>These plans will vary from one team to another. 
They should reflect the specific types of data that are at risk, the backup tools and processes the team has in place, and the resources available for responding to ransomware attacks.<\/p>\n<p>In general, however, the following is an outline of what a typical ransomware response plan looks like.<\/p>\n<h3>Define the Scope of the Attack<\/h3>\n<p>The first step in responding to virtually any ransomware attack is to determine how much data was affected, and how many systems were breached. Was the attack limited to a single server or a single S3 bucket, for example, or was all the data within your data center or cloud environment impacted?<\/p>\n<h3>Disable Affected Systems<\/h3>\n<p>After identifying the affected systems, your next step should be to disable them in order to prevent the attack from spreading further.<\/p>\n<p>You can disable them by shutting them down or simply disconnecting them from the network. Whichever approach you take, however, make sure you act in a controlled manner, rather than panicking: Specify in your plan which systems will be disabled first, how they will be disabled and which steps must be taken during disabling to ensure that data remains intact when the systems go offline.<\/p>\n<h3>Assess the Damage<\/h3>\n<p>Once you\u2019re sure the attack is no longer active and spreading, you can assess the extent of the damage. Determine how much data was held for ransom, whether backups are available, and (if applicable) how recent those backups are.<\/p>\n<p>Your ransomware response plan should also include an assessment of whether recovery plans exist for any backup data you have on hand. 
Ideally, you\u2019ll have specific <a href=\"https:\/\/www.msp360.com\/resources\/blog\/disaster-recovery-plan-checklist\/\">data recovery plans<\/a> already in place that you can execute quickly to recover the data.<\/p>\n<h3>Disclose the Attack<\/h3>\n<p>Sometimes, compliance regulations may require you to disclose the attack. For example, ransomware attacks that impact data that the GDPR defines as sensitive <a href=\"https:\/\/www.gdprregister.eu\/gdpr\/ransomware-gdpr\/\">require mandatory disclosure of the attacks<\/a>, regardless of the volume of data affected. On the other hand, data that is not considered personal or sensitive will generally not require disclosure of a breach.<\/p>\n<p>If disclosure is required, follow the steps specified by the relevant regulatory framework to disclose the attack. 
Typically, disclosure involves notifying government authorities and\/or notifying consumers whose personal data was breached.<\/p>\n<h3>Prepare a Recovery Plan<\/h3>\n<p>Next, you can develop a plan for recovering your data.<\/p>\n<p>If all the affected data was backed up recently and you have recovery plans already in place for those backups, your ransomware recovery process can be as simple as executing your existing recovery plans.<\/p>\n<p>If you weren\u2019t so well prepared, however, you\u2019ll need to design a recovery plan following the attack. Developing a plan will take some time, but it\u2019s important to build a complete plan before you begin actual recovery. Otherwise, you are at a higher risk of making mistakes or overlooking important details during the recovery process.<\/p>\n<p>You may also need to consider how to recover data if you don\u2019t have recent backups for it. In some cases, this may simply be impossible. In others, however, you may be able to recover at least some data. For example, there may be production systems that weren\u2019t breached that contain copies of some of the impacted data; you can use these to restore that data. You could also choose to restore from outdated backups, which may be better than nothing.<\/p>\n<p>During the recovery planning process, it\u2019s often valuable to consult with business stakeholders. Let them know what to expect regarding when recovery will be complete and how much data will be restored to its original state. 
They may also be able to offer perspective on which data it is most important to recover first.<\/p>\n<h3>Recover the Data<\/h3>\n<p>With your recovery plan in place, you can execute it to recover data, depending on how your data was backed up.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/cloud-disaster-recovery\/\">Guide to Cloud Disaster Recovery<\/a><\/p>\n<h3>Perform a Security Audit<\/h3>\n<p>Once the data is recovered and operations have been restored, take time to determine how your systems were breached. Did the ransomware enter your environment via <a href=\"https:\/\/www.msp360.com\/resources\/blog\/types-of-phishing\/\">phishing<\/a>, malware, a malicious insider, or something else? Identifying the source of the breach will help prevent it from happening again.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/it-security-audit-guide\/\">IT Security Audit: A Comprehensive Guide<\/a><\/p>\n<h3>Create an Incident Report<\/h3>\n<p>The final step in many ransomware response plans is to write an incident report detailing the narrative of the attack, the data and systems it affected, and the steps you took in response. The report may also include steps you will take or have taken to prevent a similar attack from happening again in the future.<\/p>\n<h2>Response Plan Lifecycle<\/h2>\n<p>Your planning for <a href=\"https:\/\/www.msp360.com\/ransomware-protection\/\">ransomware protection<\/a> shouldn\u2019t end with simply creating a ransomware incident response plan template. You should take additional steps to make sure the plan will actually work as required. Those steps include:<\/p>\n<ul>\n<li><strong>Define your response team:<\/strong> Determine who will be responsible for carrying out the response plan following a ransomware attack.<\/li>\n<li><strong>Test the plan:<\/strong> Do a dry run of the plan ahead of time to identify any gaps or unexpected problems.<\/li>\n<li><strong>Retest the plan:<\/strong> Design a schedule for testing the plan again on a periodic basis. 
This is important, because your systems will change, and you\u2019ll need to make sure your ransomware response plan keeps up.<\/li>\n<li><strong>Update the plan:<\/strong> Don\u2019t wait until you test the plan to discover that it no longer fits your systems. You should also update the plan whenever you implement new technology (such as a new type of cloud service or new servers) or new policy (like allowing users to work from home).<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Ransomware affects all businesses, across all industries. There\u2019s no hiding from it, and even the most meticulous cybersecurity strategy can\u2019t guarantee that your data won\u2019t be impacted by ransomware.<\/p>\n<p>In order to protect the business you support, then, it\u2019s essential to design a ransomware response plan, test it and update it regularly. With a plan in place, you\u2019re in a better position to respond quickly and effectively when ransomware strikes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware attacks, which have grown at rates of as much as 350 percent per year in recent years, are one of the most pressing security challenges facing businesses today. 
And, while the best strategy is to take steps to prevent ransomware attacks from happening in the first place, the reality is that there is no [&hellip;]<\/p>\n","protected":false},"author":59,"featured_media":49536,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-49534","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/49534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=49534"}],"version-history":[{"count":4,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/49534\/revisions"}],"predecessor-version":[{"id":54415,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/49534\/revisions\/54415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/49536"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=49534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=49534"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=49534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}