Experiencing a business ransomware attack can be a daunting and chaotic event for anyone. Knowing whom to contact and what to expect can significantly aid in managing the situation effectively and minimizing damage. Here’s a detailed guide on the key contacts and steps to take immediately following a business ransomware attack.
1. Internal IT Department or Managed Service Provider (MSP)
Who to Contact: Your internal IT team or external Managed Service Provider (MSP).
Why: The first line of defense in a business ransomware attack is your IT department or MSP, who can initiate immediate response protocols. They will assess the extent of the breach, secure the network, and prevent further damage.
Ideally, they should have tools in place to isolate the business ransomware attack and to provide information and insight into the point and method of compromise.
What to Expect in a Business Ransomware Attack:
- Initial Assessment: The IT team will conduct an initial assessment to understand the scope and impact of the business ransomware attack.
- Containment Measures: Immediate steps will be taken to contain the breach, such as isolating affected systems.
- Recovery Plans: They will begin the recovery process, including restoring data from backups if necessary.
If you have neither, recovery will be incredibly difficult: you most likely have no documentation of the network, and no one on hand has experience resolving incidents like this.
This is why it is important to have a provider in place BEFORE a business ransomware attack occurs. If it is a best-in-class provider – like ThrottleNet (wink, wink) – they should have a fully comprehensive stack of security solutions designed to prevent an attack that would result in unscheduled downtime or a ransom payment. As they say, an ounce of prevention is worth a pound of cure.
2. Cybersecurity Incident Response Team (CSIRT)
Who to Contact: A Cybersecurity Incident Response Team, if you have one, or an external incident response service. An external team can often be engaged through your insurance provider, which typically has teams like this on standby. Whether the insurer can do so depends on your coverage, which is why we encourage everyone to have cyberliability insurance.
Why: A CSIRT is specialized in dealing with cyber incidents and can provide expert guidance and technical support.
What to Expect:
- Detailed Investigation: The CSIRT will perform a thorough investigation to identify the attack vector and root cause.
- Forensic Analysis: They will conduct forensic analysis to trace the attack and determine the extent of data compromise.
- Mitigation Strategies: The team will develop and implement strategies to mitigate the impact and prevent future attacks. In some cases, they will provide temporary solutions to secure the network until such time as a permanent solution is in place.
3. Report your Business Ransomware Attack to Law Enforcement
Who to Contact: Local law enforcement agencies or specialized cybercrime units like the FBI’s Internet Crime Complaint Center (IC3) in the United States.
Why: Reporting the business ransomware attack to law enforcement can help in tracking down the perpetrators and may be necessary for legal and insurance purposes.
What to Expect:
- Incident Report: You will need to provide detailed information about the incident for their records.
- Investigation: Law enforcement may initiate an investigation, though this may not always result in immediate action.
- Guidance: They may offer guidance on further steps and connect you with additional resources.
Keep in mind that most of these business ransomware attacks are perpetrated by threat actors outside of the U.S., meaning local law enforcement is limited in what it is able to do, given these are not your typical criminals.
4. Insurance Provider
Who to Contact: Your cyber insurance provider.
Why: If you have cyber insurance, your provider can offer financial assistance and resources to deal with the aftermath of the attack.
What to Expect:
- Claim Process: Initiate the claim process by providing details of the incident.
- Coverage Details: Understand what is covered under your policy, including costs for recovery, legal fees, and potential fines.
- Support Services: Some providers offer additional support services, such as access to cybersecurity experts and legal advisors.
Even if you do not have cyberliability coverage, you should still reach out to your insurer, as we have seen a number of them go above and beyond to assist their clients in recovering from an attack – regardless of coverage.
5. Legal Counsel
Who to Contact: Your organization’s legal counsel or external legal experts specializing in cyber law.
Why: Legal counsel can help navigate the legal implications of the breach, including compliance with data protection regulations and managing liability.
What to Expect:
- Regulatory Compliance: Guidance on notifying affected parties and regulatory bodies as required by law.
- Legal Strategy: Development of a legal strategy to address potential lawsuits and fines.
- Documentation: Assistance in documenting the incident and response efforts for legal purposes.
6. Affected Stakeholders or a Public Relations Company
Who to Contact: Customers, partners, and any other stakeholders affected by the breach.
Why: Transparency with affected parties is crucial to maintain trust and meet legal obligations.
What to Expect:
- Notification: You should inform stakeholders about the breach, its impact, and steps being taken to address it. This may include your clients, depending on the nature of the breach, the number of records compromised, and any compliance requirements to do so. This can be an uncomfortable issue, but it is better that your clients find out from you than from someone using their information for nefarious purposes.
- Support: Provide resources and support to affected individuals, such as credit monitoring services for those whose personal data was compromised.
- Communication Plan: Implement a clear communication plan to manage the situation and provide regular updates.
Depending on the nature of the breach, the size of your organization, and any industry-specific compliance requirements, it may be necessary to involve a public relations company to assist in communicating what happened and the actions taken to resolve it and prevent it from happening again.
A well-coordinated response to a business ransomware attack involves contacting multiple parties, each playing a crucial role in managing the incident and mitigating its impact. By promptly reaching out to your IT team, cybersecurity experts, law enforcement, insurance providers, legal counsel, and affected stakeholders, you can navigate the complexities of a cyber incident more effectively. Preparing in advance and knowing whom to contact can make a significant difference in your ability to respond swiftly and minimize damage.
Chris Montgomery
ThrottleNet Sales Director
cmontgomery@throttlenet.com