Ransomware incident response plan

Ransomware can be extremely disruptive for an organisation. What do you do when it happens, and how can you prepare for it? The NCSC answers these questions in its incident response plan for ransomware. Every incident and every organisation is different, so the plan does not offer a ready-made solution for every possible situation; it is a starting point for getting going quickly, and thereby for increasing the digital resilience of organisations.

Speed counts in a ransomware attack, especially when your organisation discovers malicious actors on its network before the ransomware has been deployed. At that point it is important to carry out every step of the incident response cycle carefully, not hastily. How do you contain the breach, fix the exploited vulnerability, remove the malware that has already been deployed and then lock the criminals out so that they cannot easily regain access? And a crucial question: have they already exfiltrated data?

If the ransomware has already struck, it is a different story. Recovery then comes first. But even then it is important to run through the incident response cycle in parallel with the recovery work, in order to determine which malware was deployed, to remove any remnants or backdoors and to ensure that the intruders cannot regain access. It is a complex operation in which many aspects must be taken into account.

Under the pressure of a breach it is especially important to plan ahead. This is often difficult, because the first reaction is usually: “We must throw them out as soon as possible and limit further damage!” That must of course be done, but without skipping essential steps. It helps to have prepared these plans in advance and to have a defined starting point; the ransomware incident response plan can assist here. It covers all kinds of aspects, from general and abstract to very specific and concrete. Not everything applies to every organisation, and you can add issues specific to your own. This quickly leads to a targeted, planned approach.

Preparation is in itself a reason to use the ransomware incident response plan; much of the document is devoted to this phase. How, for example, do you ensure that you can detect an attack early, or that you notice data being exfiltrated? Topics from the Guide to Cyber Security Measures are also partly included. A good backup, tested, verified for integrity and free of malware and unwanted encryption, is obviously essential. And only a restore test of an entire volume or system shows what realistic recovery times are.
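As an added example (not part of the NCSC plan or of this page), the following Python script shows one way to carry out the backup check described above: verify every file against a hash manifest written when the backup was taken, and flag files whose content or name suggests they have been encrypted by ransomware. The manifest format, the entropy threshold, the suffix list and the sample backup are all assumptions constructed for this illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions (not from the NCSC plan): the backup job wrote a manifest mapping
# each file's relative path to its SHA-256, and that manifest is kept on a
# separate, immutable medium so an intruder cannot rewrite it together with
# the backup.
ENTROPY_THRESHOLD = 7.5          # bits per byte; random/encrypted data sits near 8.0
MIN_ENTROPY_SAMPLE = 256         # very short files give noisy entropy estimates
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}  # illustrative list only


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is typically 4 to 5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_root: Path) -> dict:
    """Record path -> SHA-256 for every file; run this when the backup is taken."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup against the manifest and flag files that look encrypted.

    Returns sorted lists: ok (hash matches), missing, modified, extra (not in the
    manifest) and suspicious (ransomware-style suffix or near-random content).
    """
    report = {k: [] for k in ("ok", "missing", "modified", "extra", "suspicious")}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for p in backup_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_root).as_posix()
        if rel not in manifest:
            report["extra"].append(rel)
        data = p.read_bytes()
        looks_encrypted = (len(data) >= MIN_ENTROPY_SAMPLE
                           and shannon_entropy(data) > ENTROPY_THRESHOLD)
        if p.suffix in SUSPICIOUS_SUFFIXES or looks_encrypted:
            report["suspicious"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def run_demo() -> dict:
    """Constructed scenario: take a clean backup, then tamper with it as ransomware would."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    files = {  # constructed sample backup content
        "docs/report.txt": "Quarterly report: revenue up, costs flat.\n" * 40,
        "docs/notes.txt": "Meeting notes for the IR tabletop exercise.\n" * 40,
        "config/app.ini": "[database]\nhost=db.internal\nport=5432\n" * 10,
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    manifest = build_manifest(root)          # what the backup job stored

    # Simulated ransomware activity on the backup volume:
    (root / "docs/notes.txt").write_bytes(os.urandom(4096))            # encrypted in place
    (root / "docs/report.txt").rename(root / "docs/report.txt.locked")   # renamed: original now missing
    (root / "docs/report.txt.locked").write_bytes(os.urandom(4096))
    (root / "READ_ME.txt").write_text("Your files are encrypted. Contact us.\n")  # ransom note

    return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category:10s} {paths}")
```

Two caveats for real use: the manifest is only worth something if it is stored where the intruder cannot rewrite it alongside the backup, and the entropy test also fires on legitimately compressed or encrypted files (archives, images, encrypted containers), so treat it as a triage signal rather than a verdict. Neither check replaces the full restore test the text mentions; only restoring a whole volume shows whether the data is usable and how long that takes.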

This incident response plan can also be tailored to a specific organisation in preparation for ransomware attacks, an extra step that makes it easier to act quickly when needed. The NCSC would like to hear about experiences with this plan and what relevant information should be added in future versions. Our hope and expectation is that this incident response plan will contribute to the resilience of your organisation.