Cyber Ransomware Attack Action Plan: What Happens Next

Every 14 seconds, a ransomware attack occurs with the potential to cause long-lasting financial and reputational damage. It will seem like just another alarming statistic — until it happens to your organization.

In a previous life, I experienced a ransom attack. The system breach was discovered in the early morning — and spread like wildfire. A task force was assembled, signs were posted to inform employees, and the main conference room was converted into a makeshift war room. Our third-party incident response team and forensic specialists started strategizing and developing ransomware action plans. I was called in to help due to internal audit’s knowledge of risk management, business processes, and the overall control environment.

Based on my experience, I wanted to share key lessons I learned with fellow audit, risk, and compliance leaders who — given the increasing frequency of attacks — may find themselves in a similar situation. In this two-part article series, I cover what to expect during the immediate response to a ransom attack and key challenges and success factors for Internal Audit during containment and post-event recovery. 

What Is a Ransomware Attack? 

Ransom attacks are the most pervasive type of cyberattack today, and they are intended to generate revenue from unsuspecting victims. The two most common types are:

  • Crypto — ransomware that encrypts files, folders, and hard drives on the infected device
  • Locker — ransomware that simply locks users out of their devices

Attackers use your data and information against your organization, holding it for ransom by threatening to release incriminating evidence or proprietary information. The attacks will cost companies an estimated $20 billion by 2021. An estimated 76% of organizations anticipate they will be victims of a ransomware incident in the next year, and 55% of those don’t think they could identify or block a potential attack.

The pervasiveness of ransom attacks makes security audits a priority for internal audit teams — especially with the increased attack frequency in the aftermath of COVID-19, as IT departments relax endpoint or user privileges for employees to work remotely and security budgets are reduced.

What Do You Do in the Event of Ransomware?

After an attack, the situation escalates quickly, so having a ransomware action plan is necessary. Start by understanding the impact of the attack, finding the source (e.g., phishing emails), and sharing the information with management. At this point, take your systems offline, turn off all potentially infected hardware, and disconnect it from the network. The attackers typically leave behind a text file that identifies what they have done and the next steps. Now you have to decide whether to restore from a pre-attack backup or pay the ransom. Paying the ransom is risky, since the attackers may attack again or take the money and not provide the decryption tool.

Critical First Steps During a Ransomware Attack

When a breach is discovered, it’s essential to act comprehensively and quickly to prevent exposure to more business areas. The following are organization-wide best practices internal audit should expect and support to reduce the damage. 

1. Share a succinct message with employees. 

Involve human resources in getting control of the message to employees. Let employees know:

  • There was a breach.
  • What it means.
  • What actions are being taken.
  • What to expect from the downtime.
  • The impact on their work.

2. Stop the damage from spreading.

Disconnect everything and take real-time snapshots of infected computers, virtual machines, and storage devices. Know what data was impacted, what’s potentially corrupted, and which of your critical systems need to be up and running — and back up your data.

3. Trace the attack.

Audit can assist forensic teams in identifying where the attack took place, which is typically through a website or phishing emails. Forensic teams may build a schematic of the attack sequence to illustrate the timeline, motivation, and origin of the attack, drawing on information found in data files, binary scripts, and the attack’s characteristics; this record will be crucial later when sharing with authorities.

4. Assess the impact.

When faced with a ransomware incident, your first instinct may be to launch into a ransomware action plan immediately, but this can waste precious time and effort as the infection spreads. Before you kick off defensive and corrective actions, take a step back from the chaos and perform a comprehensive assessment of the damage. Internal audit can propose the following analysis efforts to establish the what, who, when, and where of the incident:

  • Perform host analysis on systems identified as being part of the initial intrusion.
  • Analyze network log data to identify ongoing or historical attacker movement within the environment.
  • Analyze available Domain Controller server logs to identify suspicious access activity.
  • Correlate relevant events to establish a timeline of malicious activity.
  • Develop recommendations based upon observations during analysis.

This assessment should be the basis of your subsequent course of action.
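As an added example (not from the article or from AuditBoard), here is the correlation step in Python: three constructed log excerpts (host, network, and domain controller, in an assumed key=value layout) are merged into one chronological timeline, each event is tagged with the attack phase it suggests, and the dwell time from the first suspicious event to the start of encryption is computed. The phase rules are deliberately simple illustrations, not a complete detection ruleset.

```python
import re
from datetime import datetime
# Constructed sample logs (host EDR, network proxy, domain controller); the
# key=value layout is an assumption for this example, not a vendor format.
LOGS = {
    "host": [
        "2024-03-02T06:42:05Z event=process_start image=powershell.exe parent=winword.exe",
        "2024-03-02T07:05:30Z event=file_rename count=18400 ext=.locked",
    ],
    "net": [
        "2024-03-02T06:42:20Z src=10.0.5.17 dst=203.0.113.9:443 action=allow",
        "2024-03-02T06:55:00Z src=10.0.5.17 dst=10.0.1.5:445 action=allow",
    ],
    "dc": [
        "2024-03-02T06:50:12Z event=4624 user=svc_backup logon_type=3 src=10.0.5.17",
    ],
}
KV = re.compile(r"(\w+)=(\S+)")
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}

def parse(line, source):
    """Split a line into a timestamp plus key=value fields, tagged with its source."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    ev.update(KV.findall(rest))
    return ev

def classify(ev):
    """Tag an event with the attack phase it suggests, or None if it looks benign."""
    src, kind = ev["source"], ev.get("event")
    if src == "host" and ev.get("image") == "powershell.exe" and ev.get("parent") in OFFICE:
        return "initial_access"    # office document spawning a shell
    if src == "net" and not ev.get("dst", "").startswith("10."):
        return "external_c2"       # outbound to a non-internal address
    if src == "dc" and kind == "4624" and ev.get("logon_type") == "3":
        return "lateral_movement"  # network (type 3) logon recorded on the DC
    if src == "host" and kind == "file_rename" and int(ev.get("count", 0)) > 1000:
        return "mass_encryption"   # bulk renames to a ransom extension
    return None

def build_timeline(logs=LOGS):
    """Merge every source chronologically and keep only events with a phase tag."""
    events = [parse(l, s) for s, lines in logs.items() for l in lines]
    events.sort(key=lambda e: e["ts"])
    return [(e["ts"], classify(e), e["source"]) for e in events if classify(e)]

def dwell_seconds(timeline):
    """Seconds from the first suspicious event to the start of encryption."""
    enc = next(t for t, phase, _ in timeline if phase == "mass_encryption")
    return int((enc - timeline[0][0]).total_seconds())
```

On the constructed input the timeline runs initial access, external connection, lateral movement, then mass encryption, with 1405 seconds between the first suspicious event and the start of encryption.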

5. Notify the authorities.

A ransomware attack is a criminal incident. Notifying the authorities about the cyberattack on your organization is essential to protect both your reputation and your customers. If your organization is subject to GDPR, notification is mandatory, along with other regulatory obligations. Swiftly reporting the incident can give your organization more knowledge and insight if the authorities are working with other organizations attacked by the same individuals or the same malware.

6. Notify customers.

Notifying customers will be difficult, but being authentic will build a stronger relationship. Importantly, your legal and public relations teams must be involved to establish a single voice and put out fact-based statements.

Conclusion: Cyber Ransomware Attack Action Plan

While internal audit may not play a starring role during the immediate response to a ransomware attack, we have an opportunity to learn, help review the process in real time, and make needed improvements. An awareness of these critical first steps will help your organization respond effectively in the early days of the attack. After containment and remediation, internal audit can make an impact by conducting an independent review of the company’s ransomware action plan to stay ahead of future threats. Stay tuned for the second part of this series, where I will examine what internal audit can do to support effective ransom attack containment and forward-looking recovery.


Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.