The Ransomware Playbook

11 Sep / 2020

Cyber Awareness

[Updated March 2021] Ransomware incidents are becoming prolific. We’re seeing a steady stream of Australian businesses come to us to help them respond to ransomware incidents (we’ve had several in the last week alone), or deploy preventative controls after mopping up an attack.

The Australian government’s announcement of an increase in risk around cyber attacks is being borne out in the field. Organised crime and state-sponsored actors are doubling down on ransomware-based attacks, fuelled by a rise in bounty payments by large corporates and insurers trying to recover data.

This post attempts to summarise some of the steps you can take to prepare for a ransomware incident, or if you are unlucky enough to be in the middle of one, some tips in responding.


Preparing for, and hopefully preventing, a ransomware attack is definitely better than the cure. Most of these suggestions are not groundbreaking, but they are missed by organisations time and time again.

Train your people – Upskilling staff on cyber security topics and ways to identify potential phishing and scams is a low cost, high return way of protecting your front line.

Deploy multi-factor authentication – Enabling multiple factors of authentication instead of just relying on passwords reaps huge rewards from a security standpoint. Deploying multi-factor is not simple and 100% coverage is difficult, but start with your critical applications such as Office365 and anywhere client data is stored.

Patch your systems – This again seems easy but is often forgotten about when you’re focused on just doing business. Enforcing regular updates on endpoints and servers keeps you ahead of many vulnerabilities. Be sure to include software such as Office and Adobe in updates.

Backup regularly – If you do suffer a ransomware incident, good backups are often the only way you can recover your business. Ensure backups exist on a separate network, or offsite completely, so that an attacker who encrypts your primary systems cannot also encrypt the backups. Also utilise the inbuilt backup capabilities in Windows 10 and macOS.

Protect endpoints and servers – Good next-generation antivirus can prevent malware from spreading, and combining it with endpoint detection and response (EDR) can help you find bad guys already on your network.

Segment your network – Attackers love big, flat networks. It allows them to move between machines with ease, and infect your entire organisation quickly. Segmenting your network provides controls and a ‘blast radius’ around critical parts of your network. Even separating your corporate IT from any infrastructure and guest networks is a good start.

Monitor – A big part of staying ahead of security incidents is ensuring you’re monitoring your environment. Desktops, servers, infrastructure and cloud environments should all be monitored for anomalies. Managed Detection & Response is built specifically for this requirement.


In the event you’re responding to an incident already, here’s a handy checklist of tips you can use to assist you in responding.

  • Isolate affected hosts from the network, and remove their network access completely. If you think you’ve caught it mid-encryption, hibernate or power down the machine.
  • If possible, obtain a copy of the malicious code, the ransom note/email or a locked file. These will assist in identifying the ransomware variant.
  • Submit any samples you have to help identify the ransomware and whether any removal procedures exist. MalwareHunterTeam runs the ID Ransomware site; if you have a file sample you can also use VirusTotal.
  • Try to determine where the ransomware originated from. This can help you build a list of file samples, email addresses or IPs that you can block on your firewalls, mail filters and AV to stop continued distribution.
  • If you are not using multi-factor authentication, an organisation-wide password reset, including all admin accounts, is recommended.
  • Reimage and recover infected machines, and look to re-integrate them into the network only once you have preventative controls in place.
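As an added example (not code from the original post), the first two checklist steps expressed as triage logic over constructed file-audit events: flag hosts to isolate where many files gain the same new extension within a short window, and keep the locked file and ransom note for variant identification. The hostnames, paths, the `.lockd` extension, the note keywords and the thresholds are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit events (host, ISO timestamp, action, path); not real telemetry.
def constructed_events():
    base = datetime(2020, 9, 11, 9, 0, 0)
    evs = []
    for i in range(25):  # one host renames 25 documents to a new extension in 25 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        evs.append(("WS-014", t, "rename", f"C:\\Share\\doc{i}.docx -> C:\\Share\\doc{i}.docx.lockd"))
    evs.append(("WS-014", (base + timedelta(seconds=26)).isoformat(), "create", "C:\\Share\\README_DECRYPT.txt"))
    for i in range(3):  # a user on another host renaming a few files is normal activity
        t = (base + timedelta(minutes=i)).isoformat()
        evs.append(("WS-022", t, "rename", f"C:\\Users\\jo\\a{i}.txt -> C:\\Users\\jo\\b{i}.txt"))
    return evs

NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")  # assumed ransom-note keywords

def new_extension(rename_path):
    """Extension of the destination file in a 'old -> new' rename record."""
    new = rename_path.split(" -> ", 1)[1]
    name = new.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage(events, window=timedelta(minutes=5), threshold=20):
    """Flag hosts where >= threshold files gain the same new extension inside `window`.
    Returns {host: {extension, renames, locked_sample, notes}}: hosts to isolate plus artefacts to keep."""
    by_host = defaultdict(list)
    for host, ts, action, path in events:
        by_host[host].append((datetime.fromisoformat(ts), action, path))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        renames = defaultdict(list)  # new extension -> [(time, new path)]
        notes = []
        for t, action, path in evs:
            if action == "rename" and " -> " in path:
                renames[new_extension(path)].append((t, path.split(" -> ", 1)[1]))
            elif action == "create" and any(h in path.lower() for h in NOTE_HINTS):
                notes.append(path)
        for ext, items in renames.items():
            for i in range(len(items)):  # count renames to this extension in [t_i, t_i + window]
                n = sum(1 for t, _ in items[i:] if t - items[i][0] <= window)
                if n >= threshold:
                    findings[host] = {"extension": ext, "renames": n, "locked_sample": items[i][1], "notes": notes}
                    break
            if host in findings:
                break
    return findings
```

Running `triage(constructed_events())` flags only WS-014, with the first locked file and the dropped note path ready to submit for identification.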

This isn’t an exhaustive list by any means but part of Cythera’s mission is to protect Australian businesses from cyber threats and risk, and altruistically we don’t want to keep seeing businesses crippled by these sorts of incidents.

Parts of the above tips have been taken from our Security Platform as well as our Managed Detection & Response capability. If you need assistance with protecting your business or detecting and responding to cyber threats reach out to our team.

