We are facing a ransomware crisis that has already impacted our society and continues to cause havoc and devastation. Ransom attacks, banking on stolen information, are also on the rise and will soon surpass ransomware attacks due to the simplicity of the crimes.
In the recent ISACA Ransomware Pulse Poll, 21% of respondents reported that they have already experienced a ransomware attack, and 46% consider ransomware to be the cyberthreat most likely to impact their organization within the next 12 months.
In this article, I am setting the goal of addressing key aspects of dealing with ransomware that many fail to consider ahead of time. When faced with an imminent decision, pressure and lack of full information, you may be led to make a bad choice or action.
Let’s start with the basics…
To pay, or not to pay?
For some of us, it is an easy decision not to yield to criminals. Keep in mind that this decision will likely be made at the boardroom level. However, in certain situations, the companies that said they would never give in to extortion were forced to change their minds under extraordinary circumstances. To be prepared and avoid being forced to make hard decisions, you should go through many common scenarios, especially with ransom attacks. Your legal and C-suite teams should make decisions ahead of time on common worst-case scenarios.
Do you know where your cyber liability insurance policy is?
Your policy may be simple, or it may be complex. You should be familiar with the procedures ahead of time. Too often, I watch a frantic reading of the policy in the moment of crisis. Hence, you need to be ahead of the game. Know who to call and what to ask for. In most cases, you should ask your insurance carrier to have the incident responders go through their processes and procedures to ensure they are consistent with your internal policies.
Know your partners
Cyber liability insurance does not provide you with everything. You may need additional resources accessible on-demand or on a retainer to help you with the crisis. These responders, too, should be familiar with your policies and procedures, so they are not coming in clueless about your company and procedures. Additionally, check in with your partners once in a while to make sure they are still available.
Test your ransom and ransomware readiness
When you scan your network for vulnerabilities, you let pen testers check for holes. Why should you not test if it is possible to detect common vectors of attack within your network, too? Why should you not test your ability to detect data exfiltration? Test for these things. Learn. Improve.
Table-top exercises
When you are ready, bring your team together for testing your response: not only security, not only IT. Do a realistic test of the impact and have representatives from all the groups that will be dealing with the crisis—C-suite, Legal, HR, PR, business, etc. Do not forget to invite your external partners when handling ransomware incidents. They should learn about your environment, and you may learn something from their experience.
Your supply chain incidents
Your defenses may be flawless, but we are seeing a trend of ransomware attacks impacting the entire supply chain. Talk to your supply chain about their ransomware policies and procedures. Make sure that you have a good understanding of how some of your major partners will handle an attack.
Your incident may affect your supply chain
We often see that when a breach happens within the vendor space, some key customers may demand handling the incident privately and quietly. You have to account for the needs and wishes of your key customers and partners. If there are decisions and compromises to be made, they are better made before the incident occurs.
Be ready to detect the attack
In a number of cases, overzealous staff members go out of their way to destroy all ransom demands and notifications. However, the bad guys are often relentless, and they will continue expanding their attempts to contact your company, your investors, partners and customers—all just to get your attention. Hence, there must be a procedure to capture, isolate and report immediately any criminal demands or threats.
Fix your public financial data
Ransomware threat actors often rely on third-party resources to assess your company’s financial capabilities. Sites like ZoomInfo may display assumptions about the state of your finances, which the bad guys may use against you. Depending on the position of your company, you may want to set correct information on major Internet resources about your company’s financial state.
When ransom or ransomware strikes…
Make a firm decision
When dealing with a crisis, you may have a bit of time to make a decision. Get as much information as possible. Involve all necessary parties, including your partners, customers and any others your company may need. There should be no reason to negate your final decision.
Most ransomware groups are pros and have set processes
Most ransomware gangs have their rules, but nearly all are money-oriented. In order to get paid, they will provide you with all the information that you may need to assess the impact. Any resistance to share certain common information with you may indicate impostors, incomplete information or other caveats. Watch what “triggers” the criminals and investigate all claims.
Avoid careless actions or do-it-yourself ransomware handling approaches
If you need to get a decryptor for certain ransomware variants, it is possible to find them. However, most non-trustworthy sources for some of the decryptors may contain additional malware. Investigate with caution and always test in separate environments.
Your negotiators—your path to the best outcome
If you are using a partner security company or your insurance provides a negotiator, you need to understand certain negotiation components and flows. Is the negotiator experienced with this particular gang? Does the negotiator understand your business and impacted data? You do not want to be treated as a faceless client or a part of a bulk deal. To get the best results, your negotiator must be fully vested in your specific situation.
Closely monitor the negotiations
There have been bribery attempts against the negotiators. I believe it is reasonable to ask for full visibility into negotiations for integrity and best results.
Be mindful of time
Some negotiations may take days or weeks. Some may break over stalling tactics. Make sure that you have a plan and that you are punctual.
Do not give in to fear and stand strong against threats
We usually start negotiations with a strong position statement. For example, “We are negotiating for privacy; any publicity will permanently end negotiations.” You must be polite but persistent. The bad guys need to understand that you have a right to set certain reasonable expectations.
You are still dealing with criminals
I personally consider ransom and ransomware groups to be based on terror. They can be cruel, ruthless and abusive to get their point across. The fiscal demands do not have to be reasonable. Appealing to their humanity may not work either.
Beware of impostors
If the news about your crisis with ransom or ransomware becomes public, expect a number of con artists to start pursuing you, offering you data decryption or the safe destruction of stolen data. Unlike the actual bad guys, they will not be able to provide any insights into what was taken from you. But expect big promises that will quickly turn into threats. Prepare your organization for this eventuality.
The list of advice and considerations is as endless as the number of predicaments your organization may end up in with the current threat landscape.
My final advice is about your state of preparedness. You have no excuse not to be prepared. We have seen enough warnings. Preparation is a tough road—make sure that you seek good partners and advice for what lies ahead.
By Alex Holden