We try to minimize the risk of ransomware attacks as far as we can by following the important principles listed below.
- Be aware of phishing attempts and other social engineering tactics used by attackers to deliver ransomware.
- Enforce the principle of least privilege on user access rights to limit the spread of ransomware.
- Keep all software and operating systems up to date with the latest patches.
- Maintain mirror systems for databases to ensure easy recovery of any affected systems.
Upon detection of a ransomware attack, the following policy is to be adopted:
- Detection: Upon detection of a ransomware attack, the CTO should be notified of the incident immediately.
- Containment: If the attack involves any internal network, the affected systems should be disconnected from the network.
- Assessment: The infection should be assessed to identify the affected systems and evaluate the impact on the business.
- Communication: Communication with relevant stakeholders, including executive management, IT teams, legal counsel, and law enforcement agencies, is established to provide updates on the situation and coordinate response efforts.
- Decision Making: Based on the assessment findings, decisions are made regarding the appropriate course of action, such as paying the ransom, restoring from backup, or rebuilding affected systems from scratch.
- Recovery: Recovery efforts are initiated to restore affected systems and data to normal operation. This may involve restoring from backup, decrypting encrypted files (if decryption keys are available), or rebuilding infrastructure from scratch.
- Post-Incident Analysis: After the ransomware attack has been contained and mitigated, a post-incident analysis is conducted to identify lessons learned, areas for improvement, and recommendations for enhancing the organization's ransomware defense capabilities.