Preparing for a Ransomware Attack: Cyber Response Planning for CUs & Responding in the First 24 Hours

As ransomware and other cyber incidents continue to increase, it is critical that credit union leaders have an incident response plan and are prepared should a cyber incident occur. Here, we’ll cover how to plan for and respond to a ransomware attack, including important dos and don’ts.

The Up Front Work: Cyber Response Planning

1. Plan, Plan, Plan. The first and potentially most critical step to effectively navigating a ransomware attack is ensuring that you are prepared for the incident. Having an incident response plan is foundational as it provides instructions to help your cyber team detect, respond to and recover from a security incident. It covers specific response actions based on the type of security incident – from ransomware to a breach to an account compromise – and provides a playbook for how to respond and who to notify.

2. Build a Response Team. During a security incident or ransomware attack is not the time to discover you do not have the staff, or partner, to support your response. As part of response planning, you must build an emergency response team or CIRT (Cyber Incident Response Team), defining rules and responsibilities.

If you do not have the internal security staff to manage a ransomware attack, consider finding an incident response (IR) partner now to keep on retainer for emergency response. The retainer approach is less expensive than ad-hoc emergency response services. If you maintain cyber insurance, your insurance provider may have a list of approved IR vendors, so ensure you select a partner that will be covered.

Finally, given that credit unions are heavily regulated, maintaining a sound cyber incident forensics chain is key to determining notification requirements. The forensics chain will allow you to follow the intruder and know what systems, records and data were impacted. As part of response planning, ensure you have the technology and processes to capture and maintain the digital fingerprints.

3. Conduct Tabletop Exercises. To test the plan and support a seamless response, credit unions should conduct exercises at least annually on ransomware. This ensures that the first time you have an incident is not the first time you’re following the plan.

4. Maintain a Modern Backup Strategy. Backups and ransomware recovery go hand-in-hand but not all backup strategies are created equal. There is a big difference between having backups and having a backup strategy supported by modern technology that enables rapid recovery as well as prevents ransomware from encrypting the backups.

The Technical Response to Ransomware

The four steps outlined above (plan, response team, practice and backups) will enable a credit union to swiftly initiate the ransomware response including the following phases.

1. Isolate: Isolate and contain is the name of the game. Organizations must quickly stop the spread as ransomware is built from jumping from machine to machine and spreading laterally quickly.

2. Containment: Preserving forensic evidence while containing the ransomware is essential. While instinct may say “pull the power cord,” do not do it. New malware is not written to disk, rather everything is in the memory. If power is turned off, the machine’s memory is erased and forensic data is lost.

Instead, pull the network cable or use your endpoint solution to isolate the machine(s) to prevent communication on the network. To “pull the network cable” in a virtual environment, you can disable the network interface on the hypervisor.

Once the attacker loses access, it prevents them from executing anti-forensic actions to cover their tracks or destroy evidence. Skilled attackers will patch the vulnerabilities they used to gain access, delete their tools and erase logs to compromise a forensic investigation.

3. Eradicate and Recover: With isolation and containment executed, the next phases are eradication and recovery. The forensic investigation and business restoration are typically conducted simultaneously. The forensics team will focus on collecting data and logs as well as building a virtual copy of the impacted machines to following the chain. For business restoration this is where backups are critical as they allow credit unions to easily recover valuable data and avoid paying the ransom.

In conclusion, the risks of ransomware are real and growing exponentially. Credit union leaders must prioritize planning and preparation, as well as allocating proper budget to cybersecurity technology and programs.

Stephen Jones is Senior Director of Cybersecurity for Dataprise, a Rockville, Md.-based provider of managed IT services to credit unions.