Every minute counts.

That’s the truth when it comes to recovering a client, a prospect (or your MSP) from a ransomware attack.

Having audited over a thousand MSPs at this point, we’ve seen one flagrant oversight in many organizations: a lack of planning for events like the ones that have hit SMBs and their IT support teams over the past few years.

Many in MSP leadership don’t have a starting point. How do you break down a response into bite-sized pieces that any technician could accomplish? That’s where a lot of MSPs get stuck.

It’s not that they aren’t capable of doing the work. It’s that no one really trains you how to do this type of work. No one has triggered a process or way of thinking that aligns to a mindset of recovery.

Creating a mindset towards recovery takes a little bit of preparation on your part.

If you were an ER doc, I’m sure you wouldn’t just tackle every situation using a strict routine of stethoscope, thermometer, blood pressure reading, then tongue depressor.

If you did, you’d probably miss the glaring symptoms of the emergency right in front of you!

As a first responder to growing ransomware attacks, you have tons of tools at your disposal. Many are things you’re already using to manage your clients. What I want you to think about is priming yourself and your team to be conscious of their environment and of the mindset and goals of the organization you are recovering, and then devising a strategy that will get your client to their desired goal (or at least as close as possible to it).

Here are some basic steps I use to help MSPs navigate their ransomware response:

  1. Incident Log — I highly suggest you record EVERYTHING. Let me repeat that for those of you who shudder at the word documentation. Document EVERYTHING. This will help you understand what worked and what didn’t in your response effort. It will also help any forensic investigators hired by the insurance company figure out what exactly happened. If you erase information or forget what you’ve done, they may start pointing their fingers at you. I want you to be squeaky clean in your client’s eyes. The best track is to get everyone on your team on board with a killer documentation process. For our partners, I’d recommend starting with our Incident Response Log.
  2. Disconnect Everything — get everything offline. Take an inventory of what devices were on the network and make sure you’ve gotten everything off of it. I’d focus on getting the machines known to be impacted off first. The key goal here is to identify and remove all known breached devices from the network as soon as possible.
  3. Determine The Scope Of The Attack — figure out how much data and which devices appear to be impacted. You may need to use a variety of tools here. At first glance you’ll be able to see which machines contain encrypted data. Beyond that, you may also want to find antivirus software that can detect the variant you’re dealing with (or at least similar variants). Try to figure out how much has been compromised to get an idea of what will need to be done to completely recover.
  4. Determine Credentials Compromised — identify what credentials were likely compromised during the attack and get users to change those passwords as soon as possible. I’d recommend checking your log files here. I’d also recommend you look at your firewalls.
  5. Get The Insurance Claim Rolling — even if your client doesn’t have cyber liability insurance (although I highly suggest any SMB carry cyber insurance in this day and age), get them to submit a claim. You should anticipate having to turn over evidence to a forensic team, so refrain from reimaging machines until you are given the green light (in the meantime, keep those machines powered off and off the network).
  6. Respond To The Ransom Demands — get your client to decide where their “choose your own adventure” goes from here. Will they simply pay the ransom and cross their fingers? Not pay the ransom and decrypt or recover from backup? Start anew? Do they not need their data at all? Whatever you help them decide, you’ll be integral in keeping expectations reasonable and reaching an outcome that fits your strategy.
  7. Eradicate — get the virus off of all devices. Often, you will want to reimage machines to make sure they are clean. Whether you reimage or attempt to wipe the virus (a huge ordeal in itself), you will likely need to come up with a methodology that proves to some higher-up that the virus is no longer on your network. This will become especially important when proving to vendors that your client is safe to reconnect to do business.
  8. Recover — I imagine that you are fully prepared with backups to restore. Make sure your client understands that some files may not be recoverable (depending on the timing of their last backup). Be prepared with time estimates for the recovery and get them to accept and plan for a period of recovery. That might also entail some of their team prioritizing what gets recovered first (critical processes) and accepting that some data may have been lost during the event.
  9. Digest — once the dust has settled, it’s time for your team to review the recovery process. What worked? What didn’t? Get a complete post-mortem of your recovery and come up with ways to improve your process in the future. Maybe you need to add to your recovery checklist or clarify steps that were hard to implement.
  10. Prepare — get your team ready to better avoid events like this in the future. One of the biggest ways to do this is by communicating to your clients and team the risks involved with network breaches. We’ve found the easiest way to communicate this is through penetration testing. Get your client or team to click on a link and see what they’re jeopardizing in the event of an attack. Get them to connect the dots and you will have a much easier time getting them on board with (1) changing the way they do things (their cyber culture) and (2) investing in cybersecurity tools that will keep them safe.
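Steps 1 and 3 above, as a small defensive helper I’m adding here as an example (it is not from the original post or any product it mentions): it walks a read-only copy of a suspect host’s files, flags the high-entropy, oddly named files that encryption leaves behind, and appends every finding to an append-only JSON-lines incident log so nothing done during scoping is lost. The entropy threshold, the extension skip-list, and the log field names are my assumptions.

```python
"""Ransomware triage helpers: scope one host's files and record every
finding in an append-only incident log (JSON lines).
Thresholds, paths and field names are assumptions, not from the post."""
import json
import math
from datetime import datetime, timezone
from pathlib import Path

# Formats that are legitimately high-entropy; skip them to cut false positives.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def looks_encrypted(path: Path, sample: int = 4096) -> bool:
    """Heuristic: an extension we don't expect to be compressed, but near-random bytes."""
    if path.suffix.lower() in ALREADY_COMPRESSED:
        return False
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample)) > ENTROPY_THRESHOLD


def log_event(log_path: Path, host: str, action: str, notes: str, responder: str) -> dict:
    """Append one timestamped record; earlier records are never rewritten or deleted."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "responder": responder,
              "host": host, "action": action, "notes": notes}
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def scope_host(root: Path, host: str, log_path: Path, responder: str) -> list:
    """Scan a copied or read-only mounted share, log the result, return flagged files."""
    flagged = sorted(str(p.relative_to(root)) for p in root.rglob("*")
                     if p.is_file() and looks_encrypted(p))
    log_event(log_path, host, "scope", f"{len(flagged)} suspect files: {flagged}", responder)
    return flagged
```

Run it against an image or read-only mount of the suspect machine, never the live disk, so the forensic evidence the insurer’s team will ask for stays untouched.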