In the aftermath of a ransomware incident, an organization has limited time to decide how to react, as they face both the need to get their business back to an operational state, and to decide whether to comply with or ignore any demands from those behind the attack.
At a recent SecTor virtual conference, Julian Pileggi, a technical manager for incident response at Mandiant, offered some advice in IT World Canada as to how best approach a response. Among the key recommendations were:
- Disconnect the network from the Internet, to prevent attackers from using it further for communications
- Gather information on the note and encrypted file types, to help identify the specific type of ransomware used in the attack
- Confirm the status of all backups, and keep them isolated until you’re ready to restore
- Don’t wipe encrypted systems, until you’ve created a copy, to help with any forensic investigations, legal actions, or insurance claims
Source:
