Eleven steps to an effective ransomware response checklist

Issue 1 2023 Editor's Choice, Information Security

FortiGuard Labs' research shows that organisations in almost all areas around the world are possible targets for ransomware attacks. Therefore, it is important to keep in mind that no sector is safe from ransomware. Organisations should consider this ransomware attack response checklist to effectively deal with an active ransomware attack.

1. Don’t panic

Once you realise you have been targeted, you need to stay calm and act purposefully. If you could not make a response plan or were caught off guard, reach out to your security vendor for help or report the incident to your insurance company; they may already have a list of expert security providers who can help you.

Further, consider the potential impact the security incident may have. Take into account not only the obviously compromised areas, such as data encryption and application removal, but also additional areas of potential compromise. Try to get a running list of all possible areas that may be affected.

2. Isolate your systems and stop the spread

First, identify the range of the attack. If the incident is already known to be widespread, implement blocks at the network level (i.e., isolating traffic at the switch or the firewall edge) or consider temporarily taking down the internet connection. If the incident scope is confirmed to be narrow, infecting only a few systems, isolate attackers at the device level by possibly pulling the ethernet or disconnecting the Wi-Fi.

If available, endpoint detection and response (EDR) technology may block the ransomware attack at the process level, which would be the best immediate option with minimal business disruption. Most ransomware attackers find a vulnerability to get into your organisation, such as exposed RDP, phishing emails, or other types of similar methods.

3. Identify the ransomware variant

Many of the tactics, techniques, and procedures (TTPs) of each ransomware variant are publicly documented. Determining which strain you are dealing with can give you clues on the location of the threat and how it is spreading. Depending on the variant, some decryption tools may already be available for you to decrypt your ransomed files.

4. Identify initial access

Determining the initial access point, or patient zero will help identify and close the hole in your security. Common initial access vectors are phishing, exploits on your edge services (such as remote desktop services), and the unauthorised use of credentials. Determining the initial point of access is sometimes difficult and may need the expertise of digital forensics teams and IR experts.

5. Identify all infected systems and accounts (scope)

Identify any active malware or persistent leftovers on systems that are still communicating to the command-and-control (C2) server. Common persistence techniques include creating new processes running the malicious payload, using run registry keys, or creating new scheduled tasks.

6. Determine if data was exfiltrated

Oftentimes, ransomware attacks not only encrypt your files but also exfiltrate your data. They will do this to increase the chances of ransom payment by threatening to post things like proprietary or embarrassing data online. They may even contact your business partners if they identify any of their data that was stolen and threaten them as well. Look for signs of data exfiltration, such as large data transfers, on your firewall edge devices. Search for odd communications from servers going to cloud storage applications.

7. Locate your backups and determine integrity

A ransomware attack will attempt to wipe your online backups and volume shadow copies to decrease the chances of data recovery. Because of this, ensure your backup technology was not affected by the incident and is still operational. With many ransomware attacks, attackers have usually been in your network for days, if not weeks, before deciding to encrypt your files. This means that you may have backups that contain malicious payloads that you do not want to restore to a clean system. Scan your backups to determine their integrity.

8. Sanitise systems or create new builds

If you feel confident in your ability to identify all of the active malware and incidents of persistence in your systems, then you may be able to save some time by not rebuilding. However, it may just be easier and safer to create new, clean systems. You may even consider building an entirely separate, clean environment that you can then migrate to. This should not take too long if you are running a virtual environment. When rebuilding or sanitising your network, ensure the appropriate security controls are installed and are following best practices to ensure devices do not become reinfected.

9. Report the incident

It’s important to report the incident. You should also determine if reporting to law enforcement is needed and required. Your legal team can help address any legal obligations around regulated data.

10. Paying the ransom?

Law enforcement advises against paying the ransom. However, if you are considering it, you should hire a security company with specialised skills to help you. Additionally, paying the ransom or working out a settlement is not going to remediate the vulnerabilities that the attackers exploited, so it is still essential to ensure you have identified the initial access point and patched the vulnerabilities.

11. Conduct a post-incident review

Review your ransomware incident response to understand what went right and to document opportunities for improvement. This ensures the continuous improvement of your response and recovery capabilities for the future. Consider simulating the technical and non-technical details of the attack in the red team and table-top exercises so you can review your options. You can also consider doing proactive playbook building focused on different attack scenarios such as ransomware. If IT or security team staffing is limited, consider building a playbook using a service.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Winners of the 2025 Southern Africa OSPAs
Editor's Choice
The winners of the 2025 Southern Africa Outstanding Security Performance Awards (OSPAs) were revealed on Wednesday, 4th June, at Securex South Africa. Winners from all categories (except the Lifetime Achievement) will be featured in the second Global OSPAs set to take place in 2026.

Read more...
Deepfakes and digital trust
Editor's Choice
By securing the video right from the specific camera that captured it, there is no need to prove the chain of custody for the video, you can verify the authenticity at every step.

Read more...
A new generational framework
Editor's Choice Training & Education
Beyond Generation X, and Millennials, Dr Chris Blair discusses the seven decades of technological evolution and the generations they defined, from the 1960’s Mainframe Cohort, to the 2020’s AI Navigators.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
Key design considerations for a control room
Leaderware Editor's Choice Surveillance Training & Education
If you are designing or upgrading a control room, or even reviewing or auditing an existing control room, there are a number of design factors that one would need to consider.

Read more...
CCTV control room operator job description
Leaderware Editor's Choice Surveillance Training & Education
Control room operators are still critical components of security operations and will remain so for the foreseeable future, despite the advances of AI, which serves as a vital enhancement to the human operator.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...
A passport to offline backups
SMART Security Solutions Technews Publishing Editor's Choice Infrastructure Smart Home Automation
SMART Security Solutions tested a 6 TB WD My Passport and found it is much more than simply another portable hard drive when considering the free security software the company includes with the device.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.