After - Recovery and Post-Incident Activity
- Reset authorization credentials including passwords.
- Confirm that the infected device has been completely cleaned and reinstall the operating system.
- Before using the backup to restore, it is necessary to confirm that the backup does not contain any malicious software. If the backup and the equipment connected to it are very clean, the restoration should only be performed from the backup.
- Connect the device to a clean network to download, install, and update the operating system and all other software.
- Install, update and run antivirus software.
- It is recommended to share attack event information through TWCERT/CC (de-identification) to help other domestic and foreign enterprises and organizations prevent related attacks and reduce the impact of ransomware.
- Investigate the cause of the incident to ensure that the same incident does not happen again.
- Making improvement plan and execute according based on the cause of ransom and hacking.
- In addition to encrypting files, ransomware also conducts extortion by exposing data. Investigate whether information has been leaked in places such as Internet and the darknet. Investigate through tools such as haveibeenpwned, Firefox Monitor, OSRFramework, or seek help from outside information security companies.
- In the event of a data breach, the severity of Confidentiality, Integrity, and Availability should be assessed, and report to the relevant stakeholders.