TTCSIRT-242.110719: TT-CSIRT ADVISORY – RANSOMWARE RESPONSE PLAN
In light of the ongoing Emotet malware campaign and the reports of threat actors exploiting the BlueKeep vulnerability, TTCSIRT has developed the following response plan in the event your organization becomes infected with ransomware:
- Isolate the infected computer(s) immediately – Infected systems should be removed from the network as soon as possible to prevent the ransomware from spreading to other systems.
- DO NOT power off infected devices – ransomware encryption keys are sometimes stored in memory. Restarting or shutting down the infected machine may result in your data being permanently lost even if you pay the ransom.
- Immediately secure backup data or systems by taking them offline. Also ensure that backups are not already infected.
- Contact TTCSIRT and the TTPS Cyber Crime Unit immediately upon discovery to report a ransomware event and request assistance.
This ransomware response plan is meant to be incorporated into your organization’s security incident response and business continuity plan. Organizations should always ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data. TTCSIRT does not encourage paying a ransom to criminal actors.
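As an added illustration of the "ensure that backups are not already infected" step above (this is example code, not part of the TTCSIRT advisory), the following Python script walks a backup tree and flags files that look encrypted (high Shannon entropy in a file type that is not normally compressed) or that carry ransom-note-like names. The indicator patterns, entropy threshold and the sample backup it builds are constructed for this example and should be tuned to your own environment.

```python
"""Sanity-check a backup set for signs of ransomware before restoring from it."""
import math
import os
import re
import tempfile
from collections import Counter

# Constructed indicators for this example (not a vendor or TTCSIRT list).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore_files|ransom|how_to)", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents sit well below this
SKIP_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}  # legitimately high entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_backup(root: str, sample_bytes: int = 65536) -> list:
    """Walk a backup tree and return (path, reason) for every suspicious file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Ransom notes are usually small text/HTML files with a telltale name.
            if RANSOM_NOTE_RE.search(name) and name.lower().endswith((".txt", ".html", ".hta")):
                findings.append((path, "ransom-note-like filename"))
                continue
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # only the first chunk is needed for entropy
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                findings.append((path, "high-entropy content in a non-compressed file type"))
    return findings


def build_sample_backup() -> str:
    """Constructed sample backup: one clean document, one encrypted-looking file, one ransom note."""
    root = tempfile.mkdtemp(prefix="backup-")
    with open(os.path.join(root, "budget.txt"), "w") as fh:
        fh.write("Quarterly budget figures\n" * 200)
    with open(os.path.join(root, "report.xlsx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for ciphertext left by ransomware
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("your files are encrypted\n")
    return root


if __name__ == "__main__":
    for path, reason in scan_backup(build_sample_backup()):
        print(f"{reason}: {path}")
```

A clean result from this check is not proof of a clean backup; treat it as one gate before restoring, alongside file-hash comparison against the last known-good backup catalogue.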