Ransomware Attack - Few servers impacted - RansomHub

Technical Response Strategy
Please note that CONTEXT is king. Apply these steps judiciously to the situation at hand. Assume the attacker is still in your network and watching your moves.
Invoke the Crisis Management Team (CMT) if any critical-severity impact is observed.
Invoke the Crisis Management Team (CMT) if key business processes are impacted.
Check whether the attack is happening at all locations.
Out-of-band communication channels are key; assume corporate email and chat are readable by the attacker.
Identify the ransomware family.
Download an authoritative write-up (if available) for the specific ransomware variant(s) encountered, and extract additional indicators from the report(s).
Check whether this is a distributed attack with lateral movement, and establish the spread.
Check whether propagation is manual (hands-on-keyboard) or automated (worm-like); this decides how fast containment has to be.
Scope the incident and plan containment.
Check whether decryption tools are available for the identified variant.
Identify whether this is a targeted attack or collateral damage.
Mobilize the team
Have a clear strategy covering multi-cloud and on-premise systems.
Take as much help as possible.
Analysis
A detection triggers an investigation by the Infosec Incident Response team.
Analyze the ransomware pop-up / ransom note where available (an example of a CryLock note is attached).
Identify impacted data and systems.
Based on impact, the CISO updates the Crisis Management Team (CMT) and declares a crisis due to ransomware.
Review the IoCs and confirm the ransomware type and variant.
Classify the ransomware by submitting its hash to threat-intelligence sites such as VirusTotal. Caution: look up the hash only; do not upload the file itself, since samples and ransom notes can contain victim data.
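The hash-only lookup described in the two items above, as an added example that is not part of the original checklist. It hashes the suspect file locally and queries the VirusTotal v3 file-report endpoint by SHA-256, so the sample itself never leaves the host. It assumes an API key in the VT_API_KEY environment variable and a sample path on the analysis workstation; both are placeholders.

```powershell
# Added example, not from the original checklist. Classifies a suspected ransomware
# sample by SHA-256 lookup only; the file is never uploaded.
# Assumptions: API key in $env:VT_API_KEY, sample copied to an analysis workstation.
function Get-HashVerdict {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY
    )

    # Hash locally; the hash is the only artifact that leaves the host.
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()

    # GET /files/{hash} is a read-only report lookup. Never call the upload
    # endpoint (POST /files) with a live sample from the victim environment.
    $uri = "https://www.virustotal.com/api/v3/files/$sha256"
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'x-apikey' = $ApiKey }
    }
    catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            # Unknown hash: a build nobody has submitted yet. Do NOT upload it; fall back
            # to the vendor write-up, the ransom note text and on-host behaviour.
            return [pscustomobject]@{ Sha256 = $sha256; Known = $false }
        }
        throw
    }

    $attr  = $resp.data.attributes
    $stats = $attr.last_analysis_stats
    [pscustomobject]@{
        Sha256     = $sha256
        Known      = $true
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Undetected = $stats.undetected
        # Vendor consensus label (e.g. a ransomware family name); may be absent.
        Label      = $attr.popular_threat_classification.suggested_threat_label
        # File names seen for this hash; helps pick the right write-up and decryptor.
        Names      = ($attr.names | Select-Object -First 5) -join ', '
    }
}

# Usage, on the analysis workstation (placeholder path):
# Get-HashVerdict -Path 'C:\IR\samples\locker.exe'
```

A 404 means the hash is unknown to the service, which is common for freshly compiled ransomware builds; treat that as "no data", not as "clean", and continue classification from the ransom note and the TTPs observed on the host.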
Understand the TTPs
Review and hunt the affected infrastructure for IoCs.
Scan systems (desktops/servers) for abnormal patterns. Check for known IoCs continuously until eradication is complete.
Check whether the backups are impacted and to what point in time systems can be restored. Restore enough to get the business back to usual first; large historical transactional and analytical data can be restored later. This can be a major decision point for the response strategy.
For each infected device, check its connections to other networks and domains, and any connections to malicious C&C servers.
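The host-side IoC sweep and C&C connection check from the items above, as an added example that is not part of the original checklist. The indicator values (C2 addresses from TEST-NET ranges, an all-zero hash, a ransom-note name pattern) are constructed placeholders; replace them with the indicators from the write-up for the variant you identified. The search roots are assumptions as well.

```powershell
# Added example, not from the original checklist. Triages one Windows host against a
# small IoC set: established connections to known C2 addresses, files whose SHA-256
# matches a known sample, and ransom notes left behind by the encryptor.
$Iocs = @{
    # Constructed placeholder C2 addresses (TEST-NET ranges, not real infrastructure).
    C2Addresses = @('192.0.2.45', '198.51.100.7')
    # Constructed placeholder hash; use the SHA-256 values from the vendor write-up.
    FileHashes  = @('0000000000000000000000000000000000000000000000000000000000000000')
    # Ransom-note file name pattern as listed in the write-up (placeholder here).
    NotePattern = 'README_*.txt'
}

function Find-C2Connections {
    param([string[]] $Addresses)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path   # the binary on disk becomes the next IoC to hash
            }
        }
}

function Find-IocFiles {
    param([string[]] $Roots, [string[]] $Hashes, [string] $NotePattern)
    foreach ($root in $Roots) {
        # Pass 1: exact-hash matches on executable content.
        Get-ChildItem -Path $root -Recurse -File -Include '*.exe','*.dll','*.ps1' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
                if ($h -and $Hashes -contains $h.ToLower()) {
                    [pscustomobject]@{ Type = 'HashMatch'; Path = $_.FullName; Sha256 = $h }
                }
            }
        # Pass 2: ransom notes. Their location also shows which directories were
        # already encrypted, which feeds the scoping and restore-point decision.
        Get-ChildItem -Path $root -Recurse -File -Filter $NotePattern -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Type = 'RansomNote'; Path = $_.FullName; Sha256 = $null } }
    }
}

# Usage, from an elevated shell on the suspect host (placeholder roots):
# Find-C2Connections -Addresses $Iocs.C2Addresses | Format-Table
# Find-IocFiles -Roots 'C:\Users','C:\ProgramData','C:\Windows\Temp' `
#     -Hashes $Iocs.FileHashes -NotePattern $Iocs.NotePattern | Export-Csv C:\IR\iocs.csv
```

Run this repeatedly during the incident rather than once: the check above in the checklist is explicitly continuous until eradication, and a process that has rotated to a new C2 address only shows up on the next sweep with an updated address list.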
Containment
The incident response steps are executed by the Infosec IR team to isolate the malicious software.
Containment of the infected systems is executed by IT via controls such as port blocking, NAC, EDR isolation and Wi-Fi blocking.
Quarantine affected systems.
Suspend login credentials for compromised accounts.
Inform business data owner(s) and stakeholders of the progress of containment activities.
Quick list of containment steps:
- Quarantine infected systems.
- Quarantine affected users and groups.
- Quarantine file shares (not just known-infected shares; protect uninfected shares too).
- Quarantine shared databases (not just known-infected servers; protect uninfected databases too).
- Quarantine backups, if not already secured.
- Block command and control domains and addresses.
- Remove vector emails from inboxes.
- Confirm endpoint protection (AV, NGAV, EDR, etc.) is up to date and enabled on all systems.
- Confirm patches are deployed on all systems (prioritizing targeted systems, OSes, software, etc.).
- Deploy custom signatures to endpoint protection and network security tools based on discovered IoCs.
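Two of the containment steps above, suspending compromised accounts and blocking C&C domains and addresses, as an added example that is not part of the original checklist. It assumes an Active Directory domain with the ActiveDirectory RSAT module on the IR host, a Windows DNS server for the domain block (the DnsServer module, run on or targeted at that server), and placeholder account names, domains and addresses.

```powershell
# Added example, not from the original checklist. Account and C2 containment in an
# AD environment. Every identifier below is a placeholder.
Import-Module ActiveDirectory

function Suspend-CompromisedAccount {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties LastLogonDate, MemberOf

        # Disable first, then rotate the password so any NTLM hash or cached
        # credential the attacker holds stops working. Kerberos tickets already
        # issued may keep working until they expire, so also terminate live
        # sessions on the hosts this account touched (from the scoping data).
        Disable-ADAccount -Identity $user
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

        # Record what the account could reach; this feeds the blast-radius estimate.
        [pscustomobject]@{
            Account   = $user.SamAccountName
            LastLogon = $user.LastLogonDate
            Groups    = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    }
}

function Block-C2Infrastructure {
    param([string[]] $Domains, [string[]] $Addresses)
    # Domains outlive IP addresses, which the attacker rotates. A DNS query policy on
    # the internal resolver drops the lookup for every client at once. Run this on
    # the DNS server, or add -ComputerName to target it.
    foreach ($d in $Domains) {
        Add-DnsServerQueryResolutionPolicy -Name "IR-Block-$d-apex" -Action IGNORE -FQDN "EQ,$d"   -PassThru
        Add-DnsServerQueryResolutionPolicy -Name "IR-Block-$d-sub"  -Action IGNORE -FQDN "EQ,*.$d" -PassThru
    }
    # Egress block for the addresses known today; review the list daily.
    if ($Addresses) {
        New-NetFirewallRule -DisplayName 'IR-Block-C2-Egress' -Direction Outbound -Action Block `
            -RemoteAddress $Addresses -Profile Any -Enabled True
    }
}

# Usage (placeholders; TEST-NET addresses and a reserved example domain):
# Suspend-CompromisedAccount -SamAccountName 'svc_backup','j.doe' | Format-Table
# Block-C2Infrastructure -Domains 'c2.example' -Addresses '192.0.2.45','198.51.100.7'
```

The order matters: disable before resetting, and do both before announcing anything on channels the attacker may read. The returned group list is what the business data owners need when you inform them of containment progress.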
IP address blocking has to be done smartly, as C&C addresses change continuously; re-check the indicator list daily rather than treating a block list as final.
Steps to stop the spread (as recommended by the FireEye/Mandiant ransomware protection and containment guide):
STOP: Lateral dispersion amongst systems via vulnerability exploitation or legacy protocol abuse
STOP: Lateral dispersion amongst systems using standard Windows Operating System protocols
STOP: Lateral dispersion between systems via Windows Remote Management (WinRM) and PowerShell remoting
STOP: Lateral dispersion amongst systems via binding to administrative shares for tool or malware deployment (e.g. ADMIN$, C$, D$, IPC$)
STOP: Lateral movement and propagation using domain-based accounts
STOP: Lateral movement and propagation using the built-in local administrator account on endpoints
STOP: Obtaining cleartext credentials in memory for credential harvesting
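The endpoint-side controls behind the STOP items above, as an added example that is neither part of the original checklist nor code from the Mandiant guide. It locks down one Windows host: inbound lateral-movement protocols are blocked, PowerShell remoting is disabled, administrative shares are no longer auto-created, the RID-500 local Administrator is disabled, and LSASS stops holding cleartext credentials. The rule names and the management-subnet range are assumptions; the domain-account item (domain-side controls such as credential tiering) is not covered here. At scale this goes out via GPO or EDR; run it directly only on an isolated host, from an elevated shell, and reboot for the LSA and share changes to take effect.

```powershell
# Added example, not from the original checklist or the Mandiant guide. Endpoint
# lockdown against lateral movement. Placeholders: rule names, management subnet.

# 1. Block inbound lateral-movement protocols between endpoints. Windows Firewall
#    evaluates block rules before allow rules, so scope the block with -RemoteAddress
#    (here: everything except a placeholder management subnet) rather than adding an
#    allow rule for management hosts. On file servers, do not block 445 blindly.
$mgmt   = '10.10.0.0/24'                # placeholder management subnet to keep reachable
$blocks = @{
    'IR-Block-SMB'   = @(445, 139)      # admin shares, service-install style tooling
    'IR-Block-RPC'   = @(135)           # WMI / DCOM / scheduled-task remoting
    'IR-Block-WinRM' = @(5985, 5986)    # PowerShell remoting
    'IR-Block-RDP'   = @(3389)
}
foreach ($name in $blocks.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $blocks[$name] -RemoteAddress 'Any' -Action Block -Profile Any -Enabled True | Out-Null
    # Carve the management subnet back out with a scoped allow rule that wins only
    # because the block above is narrowed to the remaining address space.
    Set-NetFirewallRule -DisplayName $name -RemoteAddress @('0.0.0.0-10.9.255.255', '10.10.1.0-255.255.255.255')
}

# 2. PowerShell remoting: Disable-PSRemoting only removes session configurations,
#    so stop and disable the WinRM service as well.
Disable-PSRemoting -Force
Stop-Service -Name WinRM -Force
Set-Service -Name WinRM -StartupType Disabled

# 3. Stop auto-creation of ADMIN$ / C$ shares (workstation and server keys).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord

# 4. Built-in local Administrator: identify by RID 500, not by name (it may be renamed).
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser

# 5. Cleartext credentials in memory: WDigest off, LSA as a protected process (PPL).
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -Type DWord

# Verification, usable before and after the reboot.
function Test-EndpointLockdown {
    [pscustomobject]@{
        SmbBlocked   = (Get-NetFirewallRule -DisplayName 'IR-Block-SMB' -ErrorAction SilentlyContinue).Enabled -eq 'True'
        WinRmStopped = (Get-Service -Name WinRM).Status -ne 'Running'
        WDigestOff   = (Get-ItemProperty -Path $wdigest).UseLogonCredential -eq 0
        LsaPPL       = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RunAsPPL -eq 1
        Rid500Off    = -not (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' -and $_.Enabled })
    }
}
Test-EndpointLockdown
```

Note that the WinRM and RDP blocks also cut off your own remote administration of the host; that is the point on an infected endpoint, but on servers you still need, keep the management subnet reachable and prefer the EDR's isolation feature, which leaves its own channel open.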
CEO or Department head
Leader
Roles & Responsibility - [LINK](TO-BE-ADDED)
Periodically ensure the Crisis Management Team (CMT) meets and aligns.
Plans for establishing management succession and emergency powers during a crisis.
During Crisis: Below steps
Factors for decision-making clearly communicated. Track the decision milestones coming up, external and internal.
Clear alignment on: What happened? What should we do? What is the impact? Ensure business continuity. Ensure compliance.
Internal and external stakeholder announcements based on context; ensure a regular communication flow across all of them.
Budget approvals and authorizations.
Updates to the stock exchange regulator, before the trading day starts (e.g. an 8:30 am update, before the NSE opens). Investor considerations. Customer considerations. Police. Line up the milestones: they impact the course of action.
Arrangement of funds for recovery
Quick vendor empanelment
Have an arrangement for cryptocurrency procurement
Align with heads of each location/BU.
Strategic decision making for all work streams