Flowchart Ransomware-108

Uploaded by srja.canada

Ransomware incident response flowchart (node text recovered from the diagram; the layout below is a reconstruction of the flowchart boxes and decision branches)

Main flow:
1. Start
2. Preparation activities for ransomware attacks
3. Initial alert to AW/company
   Monitor alerts from processes and technologies that indicate a breach has happened or is currently underway. Refer to alerts from:
   1. Alerts from monitoring services such as SIEM and MSSP/AW
   2. Log files from relevant sources such as network devices, applications, etc.
4. Open an investigation ticket if one does not exist
5. Is this a false alert?
   Yes -> Close
   No -> continue
6. Solicit relevant data on the asset and user and attach it to the ticket; attach alert and compromise details in the ticket
   Leverage Appendix A: Malware validation checklist
   Leverage Appendix B: Finding the malware sample - Technical Guidance
7. Outline the data collection and analysis steps; conduct data collection and analysis
   Use the relevant guidance questionnaire:
   1. What triggered the device encryption?
   2. How did the trigger end up on the device?
   3. Was there an end user's action at play?
8. Attempt to determine preliminary scale and collect additional log artifacts
9. Execute compromise containment steps; re-assess compromise containment steps

Escalation and recovery nodes (exact ordering in the diagram is only partly recoverable):
- Activate IR Team protocol
- Senior leadership briefed
- Notify external stakeholders as per regulatory requirements
- Query endpoints for IOCs
- Eradication and post-containment steps -> Close

Note on high-level incidents: for incidents that destroy or compromise sensitive data, the IR team will review the incident and inform a crisis team; together they will take a decision to invoke the IR plan, and if payment was attempted and a decryption key was obtained, decrypt the entire file system instead.

Decryption / ransom decision branch:
- Decryption method found?
  Yes -> Test the decryption on an isolated file. Successful?
    Yes -> Decrypt files in an offline environment. Successful?
      Yes -> proceed to eradication and post-containment steps
      No -> Consult BC/DR plans
    No -> Consult BC/DR plans
  No -> Is there a need to respond to the demand/ransom?
    Yes -> Is payment worth attempting?
      Yes -> Make payment via third party to get decryption key. Successful?
        Yes -> proceed to eradication and post-containment steps
        No -> Consult BC/DR plans
      No -> Consult BC/DR plans
    No -> Consult BC/DR plans

Note - The following ransomware incident response flowchart is not an official document from Arctic Wolf and is solely created by the CST team as a template/reference for an incident response plan; all the points/recommendations in the document are to be reviewed with your cyber insurance and internal teams before implementation.
