Ransomware Response Playbook for Singapore SMEs: Before, During, and After an Attack
The Cyber Security Agency of Singapore reported a 49% increase in ransomware cases between 2022 and 2023. Singapore SMEs in manufacturing, retail, hospitality, and professional services are disproportionately targeted. This playbook covers what to do before an attack, how to contain it during, and how to recover after — including Singapore-specific reporting obligations.
Why Singapore SMEs Are a Primary Target
Ransomware operators increasingly target mid-market businesses in Asia-Pacific. Singapore's high internet penetration, dense business services sector, and reliance on legacy systems in F&B, hospitality, and professional services make it an attractive geography. The Cyber Security Agency of Singapore (CSA) reported a 49% increase in ransomware cases between 2022 and 2023, with manufacturing, retail, and hospitality the most affected sectors.
Unlike large enterprises, SMEs typically lack dedicated security operations, making detection slower and recovery harder. This playbook gives your team a practical framework across three phases.
Phase 1: Before — Building Ransomware Resistance
Backups (The Only Real Recovery Option)
- Follow the 3-2-1-1 rule: 3 copies, on 2 different media, 1 offsite, 1 air-gapped or immutable
- Test restores monthly — a backup you have never restored from is not a backup
- Ensure backup credentials are separate from domain admin credentials
- Use immutable cloud storage (AWS S3 Object Lock, Azure Immutable Blob) to prevent ransomware from encrypting your backup repository
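The four backup controls above can be turned into an automated posture check. The following script is an added example (it is not code from the original playbook or from AGR Networks) that evaluates a constructed backup inventory against the 3-2-1-1 rule, the monthly restore-test requirement, and the separation of backup credentials from domain admin accounts. The inventory, account names and the 31-day restore-test threshold are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass
class BackupCopy:
    name: str
    medium: str                  # "disk", "tape", "cloud", ...
    offsite: bool
    immutable: bool              # air-gapped tape, S3 Object Lock, immutable blob
    last_restore_test: Optional[date]
    credential: str              # account the backup job uses to write this copy


def check_3211(copies: List[BackupCopy], domain_admins: Set[str], today: date,
               max_restore_age_days: int = 31) -> List[str]:
    """Evaluate an inventory against 3-2-1-1, monthly restore tests and
    credential separation. Returns findings; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; rule requires 3")
    media = sorted({c.medium for c in copies})
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(media)}); rule requires 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no air-gapped or immutable copy")
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_restore_age_days:
                findings.append(f"{c.name}: last restore test {age} days ago")
        if c.credential in domain_admins:
            findings.append(f"{c.name}: backup credential {c.credential} is a domain admin")
    return findings


# Constructed sample data (not a real environment).
TODAY = date(2024, 6, 1)
DOMAIN_ADMINS = {"CORP\\Administrator", "CORP\\backup-svc"}


def weak_inventory() -> List[BackupCopy]:
    # Two NAS copies on the same LAN, written with a domain-admin service account.
    return [
        BackupCopy("primary-nas", "disk", False, False, None, "CORP\\backup-svc"),
        BackupCopy("secondary-nas", "disk", False, False, date(2024, 1, 15), "CORP\\backup-svc"),
    ]


def hardened_inventory() -> List[BackupCopy]:
    # Disk + offsite tape + object-locked cloud copy, all with a dedicated backup account.
    return [
        BackupCopy("primary-nas", "disk", False, False, date(2024, 5, 20), "CORP\\veeam-repo"),
        BackupCopy("offsite-tape", "tape", True, True, date(2024, 5, 6), "CORP\\veeam-repo"),
        BackupCopy("s3-objectlock", "cloud", True, True, date(2024, 5, 27), "aws-backup-writer"),
    ]


if __name__ == "__main__":
    for label, inv in (("weak", weak_inventory()), ("hardened", hardened_inventory())):
        print(label, check_3211(inv, DOMAIN_ADMINS, TODAY) or ["compliant"])
```

Run it as-is to see the weak inventory produce eight findings and the hardened one none; in practice the inventory would be populated from your backup software's repository and job configuration.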
Network Segmentation
- Separate user VLANs from server VLANs with inter-VLAN firewall rules
- Isolate critical systems (file servers, domain controllers, finance systems) behind explicit allow-list rules
- Segment point-of-sale (POS), building management system (BMS), and IoT devices on dedicated VLANs with no path to core servers
Endpoint Protection
- Deploy EDR — traditional antivirus does not detect modern ransomware before execution
- Enable Tamper Protection so ransomware cannot disable your security agent
- Block Office macro execution by default for non-technical users
Identity Hygiene
- Enable MFA on all remote access: VPN, RDP, Microsoft 365, cloud consoles
- Remove local admin rights from standard user accounts
- Disable RDP on servers that do not require it; put necessary RDP behind a VPN or Zero Trust gateway
- Audit service accounts — many attacks pivot using over-privileged service account credentials
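The identity controls in this list can be audited from a directory export. The script below is an added example (not code from the original playbook or from AGR Networks) that reads a constructed account export and flags service accounts in privileged groups, daily-use accounts that hold admin group membership, and remote-access group members without MFA. The CSV layout, account names, the group names treated as privileged or remote-access, and the 90-day dormancy check for privileged accounts are all assumptions added here for illustration.

```python
import csv
import io
from datetime import date
from typing import List

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}
REMOTE_ACCESS_GROUPS = {"VPN Users", "Remote Desktop Users"}
DORMANT_DAYS = 90

# Constructed account export (not real data). In practice this would be produced
# by an AD query with each account's group membership resolved beforehand.
SAMPLE_EXPORT = """sam,kind,groups,mfa,last_logon
CORP\\jtan,user,Domain Users;VPN Users,true,2024-05-31
CORP\\mlim,user,Domain Users;Domain Admins;VPN Users,false,2024-05-30
CORP\\svc_backup,service,Domain Users;Domain Admins,false,2024-05-31
CORP\\svc_erp,service,Domain Users,false,2024-05-31
CORP\\svc_old,service,Domain Users;Administrators,false,2023-01-05
"""


def audit_identities(export_csv: str, today: date) -> List[str]:
    """Return one finding per identity-hygiene violation in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        sam = row["sam"]
        groups = set(row["groups"].split(";"))
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        mfa = row["mfa"].strip().lower() == "true"
        idle_days = (today - date.fromisoformat(row["last_logon"])).days
        # Service accounts should not sit in admin groups: they are the pivot path.
        if row["kind"] == "service" and privileged:
            findings.append(f"{sam}: service account in privileged group(s) {privileged}")
        # A daily-use account with admin rights; move admin work to a separate account.
        if row["kind"] == "user" and privileged:
            findings.append(f"{sam}: daily-use account holds {privileged}")
        # Any remote-access path (VPN, RDP) must be behind MFA.
        if groups & REMOTE_ACCESS_GROUPS and not mfa:
            findings.append(f"{sam}: remote access group membership without MFA")
        # Privileged accounts nobody uses are pure attack surface.
        if privileged and idle_days > DORMANT_DAYS:
            findings.append(f"{sam}: privileged account dormant for {idle_days} days")
    return findings


if __name__ == "__main__":
    for f in audit_identities(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f)
```

With the sample export the script reports five findings across three accounts and nothing for the correctly configured ones; the same loop works unchanged on a real export that uses the same column names.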
Phase 2: During — The First 60 Minutes
Speed of containment determines recovery time. Every hour of delay allows encryption to spread to more systems.
- Isolate immediately — disconnect affected devices from the network. Do not shut down servers until you understand the blast radius.
- Do not pay immediately — payment does not guarantee decryption, and many operators re-target paying victims.
- Preserve evidence — before wiping systems, capture forensic images. The Singapore Police Force (SPF) and CSA may require evidence for investigation.
- Identify patient zero — find the initial infection vector (phishing email, compromised credential, unpatched VPN) to prevent reinfection during recovery.
- Call your MSP or IR firm — if you have a managed services retainer, engage them immediately. Response quality degrades significantly without specialist help in the first hour.
Signs of Active Ransomware in Your Environment
- Files appearing with unfamiliar extensions (.locked, .encrypted, random strings)
- README or DECRYPT_INSTRUCTIONS files appearing on file shares
- Unusual domain controller activity or mass account lockouts
- EDR alerts for tools like Mimikatz, Cobalt Strike, or mass file enumeration
- Backup jobs failing or backup agents going offline unexpectedly
- Antivirus or EDR being disabled across multiple endpoints simultaneously
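Three of the indicators above (bulk renames to unfamiliar extensions, ransom-note files on shares, and the security agent going offline on several endpoints at once) can be checked mechanically over file-share audit and EDR status events. The script below is an added example (not code from the original playbook or from AGR Networks) that runs that detection over a constructed, normalised event stream; the event schema, host and account names, the list of "known" extensions, and the thresholds (20 renames in 60 seconds, 3 hosts losing EDR within 10 minutes) are all assumptions chosen for illustration.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Extensions that are normal on this (constructed) file server; anything else
# appearing in a rename burst is treated as suspicious.
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip"}
# Typical ransom-note file names dropped onto shares.
NOTE_RE = re.compile(r"(readme|decrypt|how_to_recover|restore_files)[^\\/]*\.(txt|html|hta)$", re.I)

Event = Tuple[datetime, str, str, str, str]   # (time, host, user, kind, detail)


def _t(clock: str) -> datetime:
    return datetime.fromisoformat("2024-06-01T" + clock)


def sample_events() -> List[Event]:
    """Constructed telemetry (file-share audit + EDR status), not real logs."""
    ev: List[Event] = []
    base = _t("09:00:00")
    # 30 renames in 30 seconds from one workstation account: the encryption pattern.
    for i in range(30):
        ev.append((base + timedelta(seconds=i), "FS01", "CORP\\jtan", "file_rename",
                   f"\\\\FS01\\finance\\inv{i}.xlsx -> \\\\FS01\\finance\\inv{i}.xlsx.k7q2z"))
    ev.append((base + timedelta(seconds=31), "FS01", "CORP\\jtan", "file_create",
               "\\\\FS01\\finance\\DECRYPT_INSTRUCTIONS.txt"))
    # An ordinary rename by another user: must not trigger.
    ev.append((_t("09:05:00"), "FS01", "CORP\\mlim", "file_rename",
               "\\\\FS01\\hr\\draft.docx -> \\\\FS01\\hr\\final.docx"))
    # EDR sensor reported disabled on three hosts within a few minutes.
    for n, host in enumerate(["WS-014", "WS-022", "SRV-APP1"]):
        ev.append((_t("09:10:00") + timedelta(minutes=n), host, "SYSTEM", "edr_disabled", "sensor"))
    return ev


def detect(events: List[Event], rename_threshold: int = 20,
           rename_window: timedelta = timedelta(seconds=60),
           edr_hosts: int = 3, edr_window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return one finding per ransomware indicator observed in the event stream."""
    findings = []
    renames = defaultdict(list)          # (host, user) -> [(time, new_extension)]
    edr_off = []                         # [(time, host)]
    for time, host, user, kind, detail in sorted(events):
        if kind == "file_rename":
            new_path = detail.split(" -> ", 1)[1]
            renames[(host, user)].append((time, ntpath.splitext(new_path)[1].lower()))
        elif kind == "file_create" and NOTE_RE.search(detail):
            findings.append(f"ransom note dropped: {detail} by {user} on {host}")
        elif kind == "edr_disabled":
            edr_off.append((time, host))
    # Mass-rename burst: sliding window per (host, user) over time-ordered renames.
    for (host, user), items in renames.items():
        for i in range(len(items)):
            burst = [e for t, e in items[i:] if t - items[i][0] <= rename_window]
            if len(burst) >= rename_threshold:
                odd = sorted({e for e in burst if e not in KNOWN_EXT})
                findings.append(f"mass rename: {len(burst)} files in {rename_window.seconds}s "
                                f"by {user} on {host}; new extensions {odd}")
                break
    # Security agent going offline on several endpoints inside one window.
    for t0, _ in edr_off:
        hosts = sorted({h for t, h in edr_off if timedelta(0) <= t - t0 <= edr_window})
        if len(hosts) >= edr_hosts:
            findings.append(f"EDR disabled on {len(hosts)} hosts within "
                            f"{edr_window.seconds // 60} min: {hosts}")
            break
    return findings


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f)
```

On the sample stream the detector raises three findings (the ransom note, the 30-file rename burst with the unknown `.k7q2z` extension, and EDR disabled on three hosts) and ignores the single legitimate rename. Tune the thresholds to your own share activity; a busy file server will need a higher rename threshold than a five-person office.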
Phase 3: After — Recovery and Reporting
Recovery Sequence
- Rebuild from clean backups on isolated network segments
- Reset all credentials — assume every credential in the environment is compromised
- Patch the exploited vulnerability before bringing systems back online
- Restore in priority order: domain infrastructure → critical business systems → user workstations
Reporting Obligations in Singapore
- CSA: Incidents affecting Critical Information Infrastructure must be reported within 2 hours of discovery
- PDPC: If personal data was accessed or exfiltrated, notify within 3 business days
- MAS: Financial institutions must notify MAS of material cyber incidents as soon as practicable
- CSA Hotline: 1800-323-0112
Post-Incident Review
Within 30 days of recovery, conduct a blameless post-incident review covering: timeline, root cause, detection gap, containment effectiveness, and remediation actions with owners and deadlines. Document this — regulators and cyber insurance underwriters will ask for it.
AGR Networks provides incident response support and post-incident security uplift for Singapore businesses. Contact our team to assess your current ransomware readiness before an incident occurs.