2018-07-26
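If you arrived at work tomorrow and found that your company had been hit by a ransomware attack, would you know what to do? Who would you call for help? If your computer were locked, how would you find their phone numbers? How would you notify customers?
Defending against ransomware attacks requires preparation on many fronts, including technical ones such as keeping offline backups of your data. This article does not discuss those technical measures; it focuses on the practical, operational steps you can take so that you can respond effectively after an incident occurs. What is your emergency plan? Who do you want on your team? How will you communicate?
Few people can foresee the future, but planning ahead makes it easier to cope with a disaster. When it comes to ransomware, planning ahead is also important. In May of this year, the WannaCry ransomware attack broke out and infected about 300,000 computers in its first few days. Afterwards, the head of the FBI's Cyber Division called ransomware "a prevalent, increasing threat" and noted that more ransomware attacks are likely in the future. Other reports also predict that ransomware attacks will increase.
To respond to ransomware attacks, we can take the following seven measures. Some of them apply broadly to other major incidents, while others are specific to ransomware attacks.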
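1. Develop a response plan. Your team members may not be used to handling emergencies, so make sure they know what to do. This includes where they will gather to discuss the problem, where media inquiries should be handled, and what to tell customers and employees. Most of the time, this means planning the who, what, when, and how. Once the plan is in place, share it with your team in advance.
2. Store the response plan in multiple locations. If your incident response plan is stored on a PC and that PC is locked, you will not be able to start the recovery process. Ransomware may affect your desktops, your servers, or both. Store copies of the plan in multiple locations, including at least three separate cloud services, and set a calendar reminder so that it is updated regularly.
3. Choose your team members. After an incident, who do you want taking part in the discussion? Besides the CEO and CIO, you may want the heads of PR, legal, HR, and other departments to take part in the response discussion. Draw up a list now and make sure everyone on it knows about it. Also obtain their after-hours contact details and share them with the other team members.
4. Develop a communications plan. You may find that your preferred means of communication is locked, so you need to know which other channels are available. Email may no longer be usable, so prepare other means. If your smartphones are working normally, you can use a messaging app within the team, as long as you make sure everyone has it installed. But ransomware may also attack mobile devices, so have a fallback ready. Storing phone numbers and personal email addresses in multiple places is a good approach.
5. Designate the person in charge. There is a lot to do after an attack, including directing employees and contacting law enforcement, customers, and partners. Someone needs to oversee and manage the recovery work and be ready to answer questions at any time. The person in charge could be the CIO, the COO, the head of security, or someone else, but it is best to make this person's authority clear. Decide on this person in advance to avoid being caught off guard.
6. Discuss how you will respond. Whether you decide to pay the ransom depends on the severity and nature of the incident, but discussing the topic in advance is better than scrambling at the last minute. The FBI has said that it does not encourage paying ransoms because doing so incentivizes future attacks, but it also notes that every business needs to make its own decision. You should discuss this question early, at least so that your team is familiar with the trade-offs.
7. Understand your risk tolerance. You cannot plan for everything, so work out how much risk you can bear and how much potential harm you can cope with, and then make a trade-off. For example, some companies run a disaster recovery exercise every month to make sure they are always prepared, which is fairly frequent, while others run one every quarter. It all depends on how much "insurance" you want to build into the system. These are difficult decisions, and they need to be made in advance.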
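If you are lucky, you will never suffer a ransomware attack, but you cannot run a company on luck. Your technical team will put in a great deal of work to guard against attacks and mitigate damage. But responding, informing customers, and keeping the company running have to be managed. It is usually hard to imagine a situation you have never encountered, but try to picture it: one morning your phone rings and you learn that the company has been hit by a ransomware attack. What preparations would you wish you had made at that moment? Start making them now.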
11/6/2017
03:30 PM
Ransomware is still on the rise. These operational tips can help lessen the blow if you're hit.
If you walked into work tomorrow to find your company had been hit by ransomware, would you know what to do? Who would you call? How would you find their phone numbers if your computer was locked up? How would you notify customers?
There are many aspects to preparing for ransomware, including technical tips such as maintaining a current, offline backup of your data. This article isn't about those technical steps. It's about the practical, operational measures you can take now to prepare yourself and your company for the moments after an incident occurs. What's your emergency plan? Who would you want on your team? How would you communicate?
Few of us are good at preparing for the unexpected, but planning ahead will make life a lot easier if disaster strikes. And when it comes to ransomware, there's a good possibility it will. After the WannaCry attack in May, which infected some 300,000 computers in the first few days, the head of the FBI's Cyber Division called ransomware "a prevalent, increasing threat," and said attacks are likely to rise in future. Other reports also predict an increase.
With that in mind, here are seven steps you can take now to prepare yourself and your company for the moments after ransomware strikes. Some of these can be applied broadly to other critical incidents, while some are ransomware-specific.
1. Plan your initial response. Your team members may not be used to dealing with stressful situations, so make sure they know what to do. This includes where they'll gather to discuss the problem, where press inquiries should be directed, and what to tell customers and staff. Most of the time, this means planning the who, what, when, and how. Once you have this plan, share it with your team ahead of time, and...
2. Store your response plan in multiple locations. If your plan for incident response is stored on your PC and you're locked out, you can't even get started on your recovery. Ransomware can affect your desktop, your servers, or both. Store copies of your plan in multiple locations, including at least three separate cloud services. And set a calendar alert to remind yourself to update them periodically.
3. Pick your team now. Who needs to be in the room in the moments after an incident occurs? Your CEO and CIO are a given, but you may also want your heads of PR, legal, HR, and other department chiefs. Draw up a list now and make sure everyone knows they're on it. Also, get their contact details for off-work hours, and share them with the rest of your team.
4. Have a communications plan in place. You may find yourself locked out of your primary, preferred method of communication, so know which channels you'll fall back on. Email might not be an option, so prepare to use other means. If your smartphones are still working, collaboration apps can be a good way to communicate as a group — just make sure everyone has the app installed. But ransomware can also strike mobile devices, so as with all aspects of preparedness, have a backup. Storing phone numbers and personal email addresses in multiple locations is a good place to start.
5. Decide now who'll take charge. There's a lot to do in the moments after an attack, including directing employees and contacting law enforcement, customers, and partners. Someone will need to oversee and manage the recovery effort and be ready to answer questions as they arise. It could be your CIO, COO, head of security, or someone else — but it's best to have a clear, single owner. Decide now who that will be, so the responsibility doesn't suddenly get dropped in their lap that morning.
6. Have a discussion now about how you'll respond. Whether you decide to pay the ransom will likely depend on the severity and nature of the incident, but it's better to begin this conversation now than in the heat of the moment. The FBI has said it doesn't condone payment because it wants to discourage future attacks, but it also recognizes that every business will need to make its own decision. It can't hurt to start talking about this now, so your team is at least familiar with the trade-offs when a decision has to be made.
7. Know your appetite for risk. You can't plan for everything, so figure out how much risk you can tolerate — and how much potential harm you can deal with — and then make a trade-off. For example, some companies will do a disaster recovery exercise every month, to be sure they're always prepared. But that's a big time commitment, and others will opt for once a quarter. It all depends how much "insurance" you want built into the system. These are tough calls, but they need to be made deliberately and in advance.
If you're lucky, you'll never have to face a ransomware incident, but luck isn't how you run a business. Your technical teams will have put in a lot of work guarding against attacks and mitigating damage. But responding operationally, informing customers, and keeping the company moving forward falls to management. It's often hard to imagine a situation you've never been in, but try to picture that morning when your phone rings and you learn your company has been hit. Think about all the things you'll wish you'd have done — and start doing them now.
Attachments:
《When Ransomware Strikes - 7 Steps You Can Take Now to Prepare》--原文.pdf
《When Ransomware Strikes - 7 Steps You Can Take Now to Prepare》--译文.pdf
