DO NOT power off systems unless absolutely necessary
Keeping systems running preserves logs and other evidence that help the investigation and trace where the infection came from. It is also important to determine the scale of the problem as quickly as possible, as this will influence the nature of your response.
Inform IT staff and remind them to NOT communicate with anyone outside the team. Use text messaging and NOT internal email (explained in the next step).
Do not delay doing this; it does no good to try to cover up an attack, and notifications are key.
After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken.
Ideally this should already be documented in your Incident Response Plan.
If your insurance carrier does not have a preferred vendor then contact the Breadcrumb Cyber Emergency Hotline at (866) 486-0070 for immediate, expert assistance.
Or email them at email@example.com.
Communication is key and often required by law. Your incident response plan should designate ONE person who is responsible for communication. Wrong information can be as damaging as the attack itself.
Lack of information ALWAYS leads to wrong assumptions and makes the situation worse. Even if you have no new information, communicate with your customers and clients on a regular basis.
The very basics of Incident Response:
1) Logging MUST be enabled on all systems; this is critical to the forensic investigation.
2) You MUST have an incident response plan BEFORE you actually need it.
3) You MUST have encrypted offline backups of your data that go back multiple months. Often you are infected for months without realizing it, and your recent backups may be infected as well.
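As an added illustration of item 3 (this is example code written for this page, not code from the original page or from Breadcrumb), the Python script below checks a backup inventory against that requirement: for each of the last N calendar months there must be at least one backup that is both encrypted and offline, and any backup failing either property is listed so it is not mistaken for a usable restore point. The inventory format, the `offline` flag and the sample records are all constructed assumptions for the example; a real inventory would come from your backup tool's catalog.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BackupRecord:
    """One entry from a backup inventory (constructed format, not any real tool's output)."""
    backup_id: str
    taken: date
    encrypted: bool
    offline: bool  # stored on detached or immutable media, unreachable from the network

def _previous_months(today: date, count: int) -> list[tuple[int, int]]:
    """Return (year, month) for the current month and the count-1 months before it,
    most recent first, handling the wrap from January back into the previous year."""
    months = []
    year, month = today.year, today.month
    for _ in range(count):
        months.append((year, month))
        month -= 1
        if month == 0:
            month = 12
            year -= 1
    return months

def check_backup_coverage(records: list[BackupRecord], today: date,
                          months_required: int = 6) -> dict:
    """Report which recent months lack an encrypted offline backup.

    A backup counts toward coverage only if it is BOTH encrypted and offline;
    an online replica or a plaintext tape does not satisfy the requirement."""
    usable = [r for r in records if r.encrypted and r.offline]
    covered = {(r.taken.year, r.taken.month) for r in usable}
    missing = [f"{y:04d}-{m:02d}"
               for (y, m) in _previous_months(today, months_required)
               if (y, m) not in covered]
    rejected = [r.backup_id for r in records if not (r.encrypted and r.offline)]
    return {"missing_months": missing, "rejected": rejected, "compliant": not missing}

# Constructed sample inventory: six months of history with two gaps
# (April has only an online replica, February has an unencrypted copy).
SAMPLE_TODAY = date(2024, 6, 15)
SAMPLE_RECORDS = [
    BackupRecord("b1", date(2024, 6, 10), encrypted=True,  offline=True),
    BackupRecord("b2", date(2024, 5, 20), encrypted=True,  offline=True),
    BackupRecord("b3", date(2024, 4, 5),  encrypted=True,  offline=False),
    BackupRecord("b4", date(2024, 3, 1),  encrypted=True,  offline=True),
    BackupRecord("b5", date(2024, 2, 14), encrypted=False, offline=True),
    BackupRecord("b6", date(2024, 1, 30), encrypted=True,  offline=True),
    BackupRecord("b7", date(2023, 12, 31), encrypted=True, offline=True),
]

if __name__ == "__main__":
    report = check_backup_coverage(SAMPLE_RECORDS, SAMPLE_TODAY, months_required=6)
    print("compliant:", report["compliant"])
    print("months without an encrypted offline backup:", report["missing_months"])
    print("backups that do not meet the requirement:", report["rejected"])
```

Run this on a schedule against your real catalog and treat any non-empty `missing_months` as an incident-readiness finding: a gap of even one month in the window means that if today's infection started in that month, you may have no clean restore point for it.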
Contact us today if you need help developing an Incident/Ransomware Response Plan.