Limit the Spread - Identify the impacted systems and turn off network access

• If several systems/computers or subnetworks appear impacted, take the network offline at the switch level. It may not be possible to disconnect individual systems during an incident.

• If taking the network temporarily offline is not immediately possible, locate the network (e.g. Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.

• BEWARE: Don't tip off the bad actors that you know that you have been compromised. Bad actors often monitor your organization's activity and communications to determine if their compromise has been detected. Isolate systems in a coordinated manner and use things like phone calls or in-person conversations (if possible) to address the compromise. If you use communication that is on the system, the bad actors may be able to track your moves and stay ahead of you to preserve their access - or even deploy ransomware widely before you take the network offline.

Power Down - But ONLY in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

• Note: This step will prevent you from maintaining ransomware infection artifacts and potential evidence that can be used to catch the bad actors. Powering down should only be carried out if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.

Prioritize Your Systems - Identify critically impacted systems for restoration and recovery

• Identify and prioritize critical systems for recovery and restoration, and confirm what type of data is on those systems.

• Take note of the systems and devices that do not appear to be impacted so they can deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.

• Note: This process is much easier to do if you have already worked through your critical assets, including systems necessary for health and life safety, personally identifiable information, revenue generation, or other critical services.

Document What Happened - Work with your team to develop and document an initial outline of what occurred

• Work with the first responders to the incident on your team to identify when the first indicator of compromise (IOC) was noticed, how it presented itself (files blocked, ransom note, etc.), and the initial steps taken to control the damage.

• Next, identify what steps were taken to preserve the critical systems and ensure their continued operation.

• Document who was contacted and when within your organization (as well as any outside help you may have sought) to ensure that all necessary individuals were notified.

Get Support - Engage your internal teams and stakeholders, as well as outside entities that can help

• Connect with the most important people within your organization (e.g. departmental and elected leaders) and external entities that can help. External entities include your cyber insurance provider (if you have one), local or state jurisdictions with which you have a mutual aid agreement in place, CISA, MS-ISAC's CERT team, among others.