Breach Response Checklist

What to do if you have Ransomware or
are under attack

Step #1
Isolate potentially infected Systems by unplugging them from the network at the switch level. 

DO NOT power off systems unless absolutely necessary

So clearly it’s important to attempt to determine the scale of the problem as quickly as possible, as this will influence the nature of your response.  This is done to preserve any logs that help the investigation and trace where the infection came from.

Inform IT staff and remind them to NOT communicate with anyone outside the team.  Use text messaging and NOT internal email (explained in the next step)

Step #2
Notify your leadership and legal counsel immediately.

Do not delay doing this, it does no good to try to cover up an attack, notifications are key.

After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken.

Step #3
Contact your Cyber Insurance Carrier - they may have an incident response company they require you to work with. 

Ideally this should already be documented and in your Incident Response Plan 

If your insurance carrier does not have a preferred vendor then contact the Breadcrumb Cyber Emergency Hotline at (866) 486-0070 for immediate, expert assistance.

Or email them at: 911@breadcrumbcyber.com

Step #4
Notify your customers or school parents 

Communication is key and often required by law.  You incident response plan should have ONE person who is responsible for communication.  Wrong information can be as damaging as the attack itself.

Step #5
Communicate appropriately

Lack of information ALWAYS leads to wrong assumptions and makes the situation worse.  Even if you have no new information communicate with your customers and clients on a regular basis.

Key Success Factors

The very basics of Incident Response:

1) Logging MUST be enabled on all systems, this is critical to the forensic investigation.
2) You MUST have an incident response plan BEFORE you actually need it.
3) You MUST have encrypted offline backups of your data that go back multiple months.  Often you are infected for months and don't realize it and your recent backups may be infected as well.

Contact us today if you need help developing an Incident/Ransomware Response Plan.




Call/Email for a Free Consultation Today 
559-794-2200
info@EnsightAdvisers.com