How to Prepare for and Respond to a Ransomware Incident


On Oct. 11, the U.S. Secret Service, FBI Denver Cyber Task Force, Cybersecurity and Infrastructure Security Agency (CISA), Boulder County Chief Information Security Office and the Governor’s Office of Information Technology (OIT) gathered to talk about cybersecurity and ransomware. Here, we share some of that discussion so you can be ready if you run into a ransomware attack at work.

What is ransomware?

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

What to do if an incident occurs.

Johnathan Reaghart, Supervisory Special Agent for the FBI Denver Cyber Task Force, says that first and foremost, it’s important to inform state and federal cybersecurity experts so they can collect digital evidence, which could include the malware, suspicious files, data logs, etc. This threat intelligence will then be organized and analyzed to start the mitigation process.

The Secret Service will then work with partners across the country to gather intel and share information on the incident. Cyber actors are rarely confined to the U.S., so instead of working on financial sanctions, diplomatic sanctions come into play and the State Department works with overseas entities to deny the bad actors the infrastructure they are using in order to dissuade and disrupt them. In parallel, CISA focuses on discovering the techniques and tactics that the bad actor used to get access, and asks a lot of questions. How will this incident affect the community at large? What is the most critical service that could be impacted in the community? How can that impact be minimized? The first 24 hours after an incident are critical, and if it was a major attack, assistance with mitigating the issue(s) will need to be outsourced.

Build the boat before the storm.

The more time and energy you spend on preparedness, the less crippled your organization will be if you’re attacked. Ensure that you have an incident response plan (IRP), current staff members who understand how to implement it, and policies in place that give that plan authority. Every organization that cares for critical infrastructure needs to have a cybersecurity person on staff.

But remember, this is a team sport. Connect with an Information Sharing and Analysis Center (ISAC). These committees offer federal grants to those with cybersecurity needs as well as mentorship opportunities. ISACs also encourage the exchange of information like trading acceptable use policies between entities. Colorado has a connected cybersecurity community of managers and leaders in the field, so it is to your benefit and advantage to engage this larger ecosystem.

Ransomware has been around since 1989, but the tactics haven’t changed.

Phishing is still the number one avenue for attackers to place ransomware on your network, accounting for 95% of attacks. The bad guys get in the door when someone makes a mistake. Bad actors will always exploit known vulnerabilities because that’s the easiest route. The best defense is user education and ensuring that you’re using the most up-to-date technology, including hardware and software updates.

We need to be more diligent about our cyber hygiene: 

  • Create strong and unique passwords. 
  • Use multifactor authentication to keep accounts secure.
  • Recognize and report phishing attacks.
  • Download the latest software updates.
  • Hire trained cybersecurity staff members. 
  • Connect with other cybersecurity organizations and professionals.
  • Develop an incident response plan.

“Education is the key. We need to make security a part of the conversation at every instance of our lives.” – Craig Hurter, Senior Director - Information Security Office, OIT

Watch the recording of this webinar on TechU.