Imagine – just like any ordinary workday, you log onto your computer, expecting to be greeted by your lock screen, but instead encounter a message that reads: “YOU’VE BEEN HACKED… EMAIL THIS ADDRESS TO START THE PAYMENT PROCESS FOR A DECRYPTION KEY AND THE SAFE RETURN OF YOUR DATA.”
Does this scenario sound unlikely? Unfortunately, ransomware attacks have ballooned into a multi-billion-dollar criminal industry in recent years, with new attacks occurring daily. In fact, ransomware attacks in Q1 and Q2 of this year increased 148% year over year, according to cybersecurity firm VMware Carbon Black. The financial cost associated with regaining control of systems can be exorbitant; ransomware was estimated to have cost US businesses $7.5 billion in 2019 alone.
Picking back up on our scenario, your IT and information security teams have begun to rebuild the network; and external forensic cyber investigators may have initiated an investigation. The company has chosen not to pay the ransom but may engage with the threat actor to buy time to develop a better understanding of the data or systems impacted. However, out of nowhere, a reporter contacts you, asking for comment on a press release that the cyber-criminals posted about the attack on your company.
Your first thought may be, “cyber-criminals posted a press release – and it was picked up by traditional media? This can’t be real.” The reality is that you now have a multi-faceted public relations crisis on your hands, in addition to the forensic investigation and cybersecurity infrastructure remediation efforts that are underway.
While this scenario may seem unusual, the convergence of ransomware-wielding cyber-criminals and public relations is a new phenomenon in cyberspace. The practice of ‘naming and shaming’ is now a commonly used tactic among ransomware gangs: criminals post a ‘press release’ about the attack, accompanied by proof of the hack such as snippets of stolen data.
This creates a “double extortion,” as cyber-criminals are now holding stolen data while simultaneously publicizing notices of the breach and leaking stolen data, giving themselves two layers of leverage during negotiations.
Ransomware gangs are no longer infiltrating a company’s network clandestinely. Maze, one of today’s preeminent ransomware groups, issued ‘press releases’ in the high-profile breaches of Allied Universal and the City of Pensacola, Florida.
In addition to Maze, DoppelPaymer, NetWalker, REvil, and Ragnar Locker have each integrated public relations capability into their playbooks.
Each press release has the potential to garner significant coverage on social media from cybersecurity and breach enthusiasts. In addition, trade and mainstream media often follow cyber enthusiasts to inform their reporting, leading to the potential of larger stories.
Controlling the Narrative and Mitigating Business Impact
Turning back to our scenario, when dealing with a volatile and sophisticated cyber threat actor that wields public relations capabilities, controlling the narrative to mitigate business impact is paramount. To do so, we recommend the following:
- Communicate clearly and promptly. Don’t deviate from the facts and avoid making assumptions or predictions about the outcome of the ever-evolving incident in any communications. Internally, get out in front of the media to avoid generating a stir among employees and to equip them with the facts before speculation arises.
- Work with legal and forensic advisors to stay apprised of the latest developments as the investigation unfolds, updating communications to account for various scenarios and outcomes.
- Identify who your spokespeople are from the onset – both for on-the-record interviews and for backgrounders – and media train them.
- Ensure that communications sensitive to the nature of the cyber incident are protected by attorney-client privilege or other doctrine, as litigation may arise after a cyber incident.
- Familiarize yourself with cyber trade media and plugged-in cyber enthusiasts who often trawl the dark web and may discover the details of an incident before a victim does.
- Study the threat actor – what unique tactics do they employ to force an organization’s hand? At what point are they likely to release information?
- Understand local, state and federal government and regulatory disclosure requirements, and familiarize yourself with notification requirements in the event of a breach of personally identifiable information.
- Understand the issues Congress and regulators are tracking, as these may result in greater public scrutiny.
- Consider the nuances associated with your decision to either pay or not pay the ransom. Your stakeholders, particularly regulators and the media, will have different reactions in each scenario.
- Lastly, avoid antagonizing the threat actor – directly or via external communications. A provocation may prompt them to reach out to media to continue to force the victim’s hand. If you are in active negotiations with the threat actor, be clear and direct, but avoid hostile behavior.
The breadth of cybersecurity threats – and the tactics deployed by the threat actors themselves – continues to evolve at a rapid pace. Understanding the landscape and the scope of recent attacks as you engage in your ongoing cyber preparedness planning and drills may one day save your company’s reputation and bottom line.
Have a plan in place that outlines how you will handle a ransomware incident. Think through answers to some of the most important questions – who will lead negotiations with the threat actor, will you choose to pay or not pay the ransom, and how will you communicate your decision making. If these questions aren’t answered now, it’s likely you won’t have a coordinated response when the first ransomware note hits your inbox.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.