Ransomware Attack - Action Plan

By Anthony Green
Published: 04/06/2023

The following action plan has been prepared to guide your response if your Managed Service Provider (MSP) becomes a victim of a ransomware attack. In this critical situation, it is essential that your company responds quickly and effectively to minimize potential damage and protect your data.

  1. Activate your Incident Response Plan: Immediately initiate your company's incident response plan (if present), which outlines the steps to take, roles and responsibilities of the response team, and communication protocols.
  2. Isolate affected systems: Disconnect any systems managed by the MSP from your network to prevent the spread of ransomware to other devices. This includes computers, servers, and other network-connected devices.
  3. Maintain communication with the MSP: Stay in touch with your MSP's support team to understand the extent of the attack and the measures they are taking to mitigate it. Request regular updates on their remediation efforts.
  4. Notify internal stakeholders: Inform key personnel within your organization, including IT, legal, and public relations teams, as well as your cyber insurance company, about the incident. Ensure everyone is aware of the situation and their responsibilities in addressing and mitigating it. Your professional liability insurance company might be able to provide additional considerations.
  5. Assess the impact: Work closely with your MSP to determine the extent of the damage and identify affected systems and data. This information is crucial for prioritizing recovery efforts and understanding potential business impact.
  6. Implement backup recovery: If you have well-maintained and secure backups, restore affected systems and data from the most recent backup taken before the attack occurred. Ensure that the restored data is free from any ransomware before reintegrating it into your network.
  7. Strengthen security measures: Implement additional security measures, such as patching vulnerabilities, updating antivirus software, and strengthening access controls to prevent similar incidents in the future. We suggest taking a look at CyberSecure Canada for security best practices.
  8. Notify law enforcement: Report the incident to appropriate law enforcement agencies, as they may provide guidance and support during the investigation.
  9. Communicate with affected parties: If client data or services are impacted, prepare a plan for notifying affected parties promptly and transparently. Provide information about the steps you are taking to address the situation and any potential risks to their data or systems. Consult your legal team to determine the extent and form of this communication.
  10. Review and update your Incident Response Plan: Once the incident has been resolved, conduct a thorough review of your response efforts. Identify any gaps or areas for improvement and update your Incident Response Plan accordingly to enhance your organization's resilience to future attacks.
