Skip to content

Whitepapers & Datasheets

Checklist: CIOs Ransomware Checklist

CIOs Ransomware Checklist Whitepaper

Table of content

The Ransomware Pre-game Checklist

Plan, Plan, Plan. The first and potentially most critical step to effectively navigating a ransomware attack is ensuring that you are prepared for the incident.

Having an incident response plan is foundational as it provides instructions to help your cyber team detect, respond to and recover from a security incident. It covers specific response actions based on the type of security incident – from ransomware to a breach to an account compromise – and provides a playbook for how to respond and who to notify.

Build an Incident Response Team or Identify an IR Partner. As the CIO, you’re the leader but it takes a team. During a security incident or ransomware attack is not the time to discover your staff isn’t prepared. As part of response planning, build your emergency response team or CIRT (Cyber Incident Response Team) and define clear rules and responsibilities.

If you do not have the internal security staff to manage a ransomware attack, consider finding an incident response (IR) partner now to keep on retainer for emergency response. The retainer approach is less expensive than ad-hoc emergency response services. If you maintain cyber insurance, your insurance provider may have a list of approved IR vendors, so ensure you select a partner that will be covered.

Prepare for Sound Forensics. Finally, if you operate in a heavily regulated industry, maintaining a sound cyber incident forensics chain is key to determining notification requirements. The forensics chain will allow you to follow the intruder and know what systems, records and data were impacted. As part of response planning, ensure you have the technology and processes to capture and maintain the digital fingerprints.

Conduct Tabletop Exercises. To test the plan and support a seamless response, conduct exercises at least annually on ransomware. This ensures that the first time you have an incident is not the first time you’re following the plan.

Maintain a Modern Backup Strategy. Backups and ransomware recovery go hand-in-hand but not all backup strategies are created equal. There is a big difference between having backups and having a backup strategy supported by modern technology that enables rapid recovery as well as prevents ransomware from encrypting the backups.

Game Time: Ransomware Response Checklist

The steps outlined above (plan, response team, practice and backups) will enable your team to swiftly initiate the ransomware response including the following phases.

Isolate: Isolate and contain is the name of the game. Organizations must quickly stop the spread as ransomware is built jumping from machine to machine and spreading laterally quickly.

Containment: Preserving forensic evidence while containing the ransomware is essential. While instinct may say “pull the power cord,” ensure your employees know not to do this. New malware is not written to disk, rather everything is in the memory. If power is turned off, the machine’s memory is erased and forensic data is lost.

Instead, pull the network cable or use your endpoint solution to isolate the machine(s) to prevent communication on the network. Remind your team that to “pull the network cable” in a virtual environment, you can disable the network interface on the hypervisor.

Once the attacker loses access, it prevents them from executing anti-forensic actions to cover their tracks or destroy evidence. Skilled attackers will patch the vulnerabilities they used to gain access, delete their tools and erase logs to compromise a forensic investigation.

Eradicate and Recover: With isolation and containment executed, the next phases are eradication and recovery. The forensic investigation and business restoration are typically conducted simultaneously. The forensics team will focus on collecting data and logs as well as building a virtual copy of the impacted machines to following the chain.

For business restoration this is where backups are critical as they allow organizations to easily recover valuable data and avoid paying the ransom.

More from the Ransomware Pros: CISA’s Checklist Summary

The Cybersecurity and Infrastructure Security Agency (CISA) published a detailed Ransomware Checklist, which goes into great depth on each step an organization should take. Following are the categories it covers to help frame your planning. Download the full Checklist for more detail.

Bonus: Incident Response Tabletop Exercise

Tabletop exercises are designed to help organizations walk through potential cyber risk scenarios, evaluate cybersecurity posture, and identify potential gaps.

Download the full CIO’s Ransomware Checklist PDF to access our Tabletop Exercise which is a constructive and convenient tool that can be completed within 30 minutes.

Recent Tweets


Want the latest IT insights?

Subscribe to our blog to learn about the latest IT trends and technology best practices.