The First 48 Hours of Ransomware Incident Response

The initial response to a ransomware attack is crucial for determining the damage in terms of downtime, costs, data loss and company reputation. The sooner you detect the activity associated with ransomware, the sooner you can slow its spread. From there, you can take remedial actions to significantly reduce the effects of the attack. 

In this blog, we’ll outline key steps organizations should take during the first 48 hours after a ransomware infection is detected. We’ll link to a recent Progress Flowmon webinar on the topic that also discusses how national recommendations and regulatory frameworks, such as NIST and NIS2, provide guidance on cyber responses. The webinar outlines how Flowmon solutions can help with early detection and response to ransomware attacks.  

Ransomware Is Still a Threat 

Before we dive in, it’s worth emphasizing that ransomware is still a significant threat to any organization. Therefore, it’s reasonable to say that it’s not if you will suffer a ransomware attack but when. 

Reported or recorded ransomware attacks each year are still running into the hundreds of millions. For infected organizations, the average recovery costs can total millions of dollars for ransom payments and operational recovery costs. Even if an organization doesn’t pay a ransom, there are still significant recovery costs. 

In addition to the direct impact of data encryption, the cybercriminals behind these attacks use their illicit access to copy and steal data before triggering encryption. The 2023 Verizon Data Breach Investigations report concluded that 25% of all data breaches were part of a broader ransomware attack. 

Greatly reducing ransomware infections is the ideal scenario. But in the real world, people make mistakes and bad actors exploit systems with zero-day vulnerabilities. With this in mind, it is crucial to deploy solutions capable of detecting anomalies early. 

The First 48 Hours After Detecting an Attack 

Once you detect a ransomware attack on your network, there are actions that should be taken immediately (within two hours), rapidly (within six hours) and continuously throughout the first 24 to 48 hours. 

For the first 48 hours, communication between internal and external stakeholders is vital to the response. The technical response team should communicate so that everyone knows their responsibilities and what is happening. There should be designated contact points between the internal team and any external cybersecurity vendors or service providers they work with. 

Additionally, this team needs to communicate with management at all organizational levels so that staff understands the situation and the projected time for a return to business-as-usual operations. 

Staff should also know that they cannot discuss what is happening with anyone outside their group within the organization, and especially not with anyone external. Staff members should understand that they can escalate any questions about what’s happening to management or to the business’s PR team to handle. Reputation management is crucial to the long-term recovery process after a ransomware attack. 

Immediate Response: The First Two Hours 

Here are the three most important steps your IT team needs to take within the first two hours after the detection of ransomware activity. Don’t wait two hours to do them and follow these steps as soon as possible. 

• Disconnect backup servers and storage from the network: Modern ransomware infects and encrypts data by seeking out the most crucial backup software installations. Criminals do this to increase the chance that an organization will pay their ransom to get their encrypted data back. 

• Disconnect the infected portions of the network: It seems obvious, but this step needs to be emphasized. Disconnect and isolate any parts of the network that have exhibited ransomware activity. This should include individual devices, subnets, locations or, depending on the level of infection, entire networks. Doing this early and as close as possible to the initial infection points helps decrease spread and damage. 

• Block access to cloud services: Ransomware can come from and spread to services or infrastructure you have deployed in cloud platforms like AWS, Azure and GCP. You need to disconnect access to these cloud services immediately to help minimize ransomware spread. 
  

Rapid Follow-up: The next six hours 

After the three immediate actions outlined above, your IT team should perform the following action items within the first six hours. 

• Check the integrity of backups: Recent backups may be the ultimate safety net to recover from the ransomware attack. If systems are encrypted and you decide not to pay the ransom, restoring systems from backups will be required. Check that this is possible and feed this information into the post-attack recovery process. Many organizations that pay a ransom don’t have a reliable working decryption tool or code to unlock their data. You’ll need reliable backups in this scenario as well. Check to see if your backups could introduce a risk of becoming infected with the ransomware. 

• Initiate an incident resolution process: Ideally, the response to a ransomware attack will have been planned and practiced before it happens. During these first six hours, you should assemble the incident response team and confirm responsibilities. Also, your organization may require internal and external expertise on a particular type of ransomware. 
  

• Collect digital footprints: Depending on their tool of choice, an attacker’s activity will leave a digital footprint as they maneuver in the network. Digital footprints are valuable information when planning how to respond and recover, as they show what attack methods the incident response team can look for and remove. 

• Review incident response (IR) plan: By planning in advance, your IR team should have created a plan to follow in the case of a ransomware attack. If not, then one needs to be quickly created using the collected information about the attack. If needed, the IR team should update any existing plan based on information about the current attack. 

• Identify how the attack is spreading: The incident response team should identify the ransomware type and other attack vectors that have infected the network. They should also determine how it is spreading and take any further steps to slow it if existing actions have not stopped it. 

Ongoing Response: Within 24 to 48 Hours 

After the immediate and rapid response actions, there will need to be a concerted effort over the next 24 to 48 hours to remove the infection and recover from its impact. In some severe ransomware incidents, full recovery can take longer than 48 hours. However, these first two days are crucial.  

• Implement the IR plan: The IR plan outlines steps that need to be taken and responsibilities team members are tasked with to reduce the ransomware infection and start the recovery process. 

• Restore essential systems from backups: Some systems will be critical for business operations and, potentially, the organization’s survival. The IT team should prioritize restoring these systems from backups to return to essential functionality. Then they should restore other systems in order of importance. 

• Reconfigure infrastructure: The attack analysis might highlight some infrastructure configurations as well as what needs to be modified to reduce the risk of future attacks. This should be discussed, agreed, planned and, if possible, implemented within the first 48 hours. 

• Identify any missing security tools: The incident may also highlight gaps in your organization’s IT management and security tools that may have contributed to the ransomware infection. 

• Deployment of tools to plug security gaps: Any useful security tools identified should get deployed. This will help plug any gaps that the attackers used and help address other gaps that may pose a future risk. 

• Additional necessary steps: Other steps that need to be taken within the first 48 hours include: 

• Securing the storage and initial analysis of the digital footprint. This will need additional analysis in the post-incident investigation. 

• Removing ransomware from all systems. Use tools to aid in removing it, even when using persistent attack methods. Restoring systems from uninfected backups will be crucial to this process.  

• Confirming there is 24x7 monitoring and alerting on all networks and systems to support efforts during future ransomware attacks. Continuous monitoring helps detect anomalies more quickly. Attackers often deploy backdoors and other ways to reinfect networks. It can be challenging to find these all while under the pressure of an ongoing attack. Flowmon’s network detection and response capabilities help you find and isolate incidents from multiple types of attacks. 

Webinar: The First 48 Hours of Ransomware Incident Response 

Roman Cupka, Senior Principal Solution Consultant, and Filip Cerny, Flowmon Product Marketing Manager, discussed these topics in a recent webinar. You can access it via YouTube.  

The webinar also covers what an organization should do after a ransomware incident to help reduce the risks of future attacks. It also highlights how Flowmon solutions assist you with network monitoring and early detection of attacks to help reduce the damage. 

We’ll cover these additional threat response-related topics in a follow-up post.  

Find Out More 

Visit the Flowmon platform page for details of the current Flowmon release and the Flowmon ADS page for information on our extensive and efficient network anomaly detection system. Contact us to talk with an expert on how Flowmon can help defend your networks from ransomware and other threats.  

To learn how Flowmon can deliver actionable network insights for your organization in minutes, request a free 30-day free trial . Our support team can assist during your free trial testing. Use the contact page to start a conversation with the support team.  

This blog was prepared by Filip Černýi n their personal capacity. The opinions or representations expressed herein are the author’s own and do not necessarily reflect the views of Progress Software Corporation, or any of its affiliates or subsidiaries. All liability with respect to actions taken or not taken based on the contents of this blog are hereby expressly disclaimed. The content on this posting is provided "as is" with no representations made that the content is error-free.