Any organization can be targeted by ransomware attackers, regardless of their size, location or industry, meaning preparedness and resilience is critical.
The nature of the modern ransomware ecosystem, which involves a multitude of actors and business like practices, means attackers will follow the path of least resistance when choosing their targets.
Against this backdrop, Infosecurity joined a Secureworks ransomware simulation event in London to find out more about how businesses can ensure they have a suitable ransomware plan.
The event set out a double-extortion ransomware scenario, in which participants were tasked with spearheading the victim organization’s response and strategy as the incident unfolded.
Here are five tips we learned from the ransomware simulation that organizations should use when they have been hit by a ransomware incident.
Five Tips for Building a Bulletproof Ransomware Response Plan
Make Careful Decisions
In the event of a ransomware attack panic and confusion can set in, with business leaders keen for a fast resolution. It is critical that those involved do not let this interfere with decision making.
In the ransomware incident scenario set out in the simulation, attackers shut down most of the organization’s servers after infiltrating the network and locked the IT team out of the system.
This meant the business could not function, including delivering critical services such as payroll.
During the simulation Infosecurity heard a recording of a real-life voice note of a ransomware demand sent to a CEO – this highlighted a typical ‘carrot and stick’ approach used by ransomware attackers, leveraging emotional manipulation techniques.
In the voice note, the attackers told the CEO that the attack was “nothing personal” and there was no desire to damage the business. They went on to say that the issue could be resolved “in a day” if a ransom was paid and would even offer a “backdoor defense” to prevent the organization ever being breached again.
The attackers then set out the consequences of not paying their demand, including the financial and reputational damage and threatened to publish 100GB of sensitive stolen data online.
They also warned the business would be fined under data protection laws for the data breach.
At this stage, the cybersecurity leaders should strongly advise the CEO not to rush into accepting the attackers demands and outline the risks of doing so.
The first reason is that the attackers should not be taken at their word and time is needed to ascertain the true nature of the damage. This includes understanding how sensitive the stolen data is and what backups are in place and whether systems can be restored in a timely manner.
Additionally, while the attackers are likely to provide a decryption key if payment is made, it will be down to the IT team to restore the organization’s systems – a process that could take weeks or even months.
It is also highly likely the attackers will retain the stolen data to sell on or even attempt a second extortion in the future, this is the typical double-extortion technique.
Security leaders should also highlight potential legal risks of paying a ransom to the threat actors, for example if the group or individuals involved have been sanctioned by the government.
Establish the True Nature of the Attack
It is vital to buy time to ascertain the veracity of the attackers’ claims.
In the voice note, the attackers did not set a specific price from the victim, but instead requested they enter negotiations via a file on a server that had been kept open.
This is a typical approach taken by modern ransomware attackers, according to Secureworks’ incident response specialists. In many cases the attackers will not know what type of businesses the victim is until negotiations begin, and require this knowledge work out a realistic figure for the ransom demand.
These negotiations provide an opportunity for the victim organization to gain more information on the type of data that has been accessed and to buy time for their own investigations and recovery work to take place.
"Organizations can try and apply pressure on attackers at this stage – demanding evidence is provided of the volume and type data they claim to have"
Organizations can try and apply pressure on attackers at this stage – demanding evidence is provided of the volume and type data they claim to have. If such evidence is not shared, it may be that the attacker does not hold particularly sensitive information.
Threat intelligence partners also have the opportunity investigate the ransomware to find out any previous attacks have they conducted, whether they are affiliated to a nation-state and what has happened when past victims have paid a ransom.
Keep Communications Regular, But Considered
For public-facing organizations it is advisable to communicate to external stakeholders openly about the incident as soon as possible and provide regular updates. Staying silent can often lead to media speculation.
Ensuring a consistent approach to internal and external communications can be challenging as there will be many internal departments with differing perspectives on how to communicate an incident.
Early internal communications are crucial in the event of a ransomware incident.
From a practical perspective, if employees are unable to access systems in the usual way they need to be told why and if there is an alternative.
Additionally, organizations must be mindful that an incident of this nature can cause significant anxiety and fear among employees, who may be concerned that their data may have been stolen and their jobs could be at risk. It is advisable provide as much reassurance as possible to staff.
It is also worthwhile organizations reinforce their social media policies for staff during such events in order to avoid employees engaging in damaging speculation and criticism of the organization online amid an ongoing cyber incident.
If this communication is managed well, the organization could come out of the incident in a positive light. For example, the British Library was widely praised for its transparency around the ransomware attack it suffered by providing frequent updates and a subsequent report detailing how the attack occurred, the library’s response and how it plans to enhance its cyber resiliency.
These messages need to be worded carefully, ensuring information is not given out that could prove incorrect later – such as the timelines of the incident. Insights into how the attack occurred can also be a positive move as it can help educate others about how to avoid falling victim.
Engage Outside Support
As soon as a ransomware incident has been confirmed, the victim organization should engage relevant third-party services to assist their response and recovery.
This includes external IT service providers, who can help the internal security team investigate the incident and how to recover.
Additionally, if the organization has a cyber insurance policy, it is advisable to notify the insurer immediately. Insurance providers can often provide expertise and services, such as ransomware negotiation experts. It is also important to ascertain early what the insurance policy will cover, including ransom payments.
If the victim organization does not have these external services in place, it should consider seeking third-party help, such as incident response specialists.
Even if the organization has a large internal incident response team, they are likely to be burned out in dealing with the immediate aftermath of the attack, and in need of extra support and resources.
Organizations should also consider engaging legal firms at an early stage, particularly regarding any breach of personal data, and public relations to help with internal and external company communications.
Law enforcement and relevant regulatory bodies should be notified as soon as possible, and in line with local legal requirements. Law enforcement can often provide useful assistance in investigating the incident and the subsequent response.
Practice Ransomware Incident Scenarios
Organizations should run regular tabletop exercises and ransomware simulations to ensure they are prepared as possible when an incident occurs.
Relevant departments and personnel should be aware of their roles and have a clear understanding of the business’ approach in order to avoid conflict and in-fighting.
The contact details of relevant third-party services, including legal firms and incident responders, should be readily available.
Secureworks also emphasized the need to continuously stress test basic security protocols, such as multi-factor authentication (MFA) and backups.
Additionally, organizations should enhance their resiliency by regular practicing how they operate when IT systems are down – for example, ensuring employees understand manual ways of working.
Conclusion
Ransomware attacks continue to increase and threat actors are indiscriminate in the types of organizations they target, from SMEs to public hospitals.
In this threat environment, organizations must be aware of the impact of a successful ransomware attack and the tactics used by threat actors to extort their victims.
Agreed and well-practised responses to ransomware attacks are essential and contingencies should be put in place to allow essential operations to continue. Such awareness and planning will provide the basis for a calm, collective response that hopefully limits the financial and reputational damage the business experiences.