Ransomware: Remove Response Paralysis with a Comprehensive Incident Response Plan
Ransomware attacks are becoming more frequent, severe, and sophisticated. For affected organisations, it’s not uncommon to be caught off guard and experience a “paralysis” that lessens response effectiveness. In the past year, approximately 51% of organisations globally suffered a ransomware attack. The escalation in attacks —involving higher ransom payments and increased downtime—has significant financial and operational impacts.
Organisations should anticipate and prepare well in advance for the possibility of ransomware attacks. Below, we explore how organisations can avoid response paralysis and what they should consider before, during, and after an attack.
Know Your Options
- Recognise that as a victim of ransomware you will have three basic approaches to recovery:
- Restore from backup.
- Attempt to break the encryption.
- Pay the ransom and follow the threat actor’s instructions.
- Restore from backup.
- Note that insurance proceeds may be available to cover the costs associated with recovery. In such cases, follow specific policy requirements to maximise total recovery.
- Be aware that these approaches are labor and time intensive, and do not guarantee that you will recover your lost data.
Develop Internal Policies and Guidance
- Procedures for handling ransomware incidents should be incorporated into your cyber incident breach response plan. Unfortunately, many such plans do not incorporate ransomware procedures.
- Develop policy to guide decision making on the question of whether to pay a cryptocurrency ransom demand. The policy should specify the parameters to be considered, including the cost of the ransom vs. the estimated cost of restoration, the likelihood of successful restoration whether the ransom is paid or not, regulatory implications (see below), and the criticality of the data. Senior executives and the cyber incident response team should endorse the policy.
- While paying a ransom should be considered only under extreme circumstances, it is wise to develop a plan for how to pay a cryptocurrency ransom demand should it become necessary.
Understand Regulatory Implications and Potential Sanctions
Obtain a documented position or perspective from corporate counsel on the potential legal implications of paying a ransom demand to a cyber threat actor. For example, the following two legal frameworks related to international funds transfer may be relevant.
- Foreign Corrupt Practices Act (FCPA): FCPA prohibits US citizens from bribing foreign government officials to benefit their business interests. In most cases, paying a ransom would not violate FCPA, but individual circumstances may warrant close examination of potential FCPA liability.
- Department of Treasury Office of Foreign Assets Control (OFAC): On Oct. 1, 2020, OFAC published an advisory reiterating the prohibition against US businesses and persons conducting business or paying funds to any person on the “Specially Designated Nationals and Blocked Persons” (SDN) list. OFAC regulations are relevant in a ransomware event because the attacker demanding the ransom may be on the SDN list. US companies can be sanctioned for violation of OFAC’s rule even if they do not personally execute a transaction or know that a payment is being made to a prohibited organisation or person.
Secure Approval from the Board
Obtain approval from the board of directors on policy documents. Recognise that policies are likely to be discoverable if legal action is taken against the company due to its handling of a ransomware event.
Examine Impact on Insurance
Understand any cyber insurance coverage that you may have as it pertains to paying ransoms, as well as other resulting losses from a ransomware incident.
Consider the following factors to enhance the likelihood of recovery under the policy:
- It is critical to report the incident per the insurance policy’s claims and loss reporting guidelines. This is in addition to any reporting you make to authorities. According to the terms of the insurance policy, not filing notice could jeopardise coverage.
- Obtain from the insurer approval that allows third-party vendors to respond to the incident. This is particularly important if the third-party firm is not one of the insurer’s pre-approved vendors. Insurable vendor expenses may include costs related to the following services: data breach coach/privacy counsel, IT forensic investigations, call center and credit monitoring/identity theft monitoring, crisis management and public relations, and ransom demand negotiation.
- Cooperation with the insurer throughout the incident response and any resulting claim is critical.
Seek Legal Counsel
If you are not already doing so, you should consider working with a law firm that specialises in cybersecurity and data protection to serve as your cyber incident response coach. Ensure the firm is experienced in handling ransomware events. If not, consider selecting a different firm. The law firm should:
- Coordinate response activities with your insurance broker and underwriter if you have cyber insurance.
- Provide guidance on legal and regulatory considerations related to ransomware such as cryptocurrency, FCPA, and OFAC.
- Help you identify a cyber forensics provider with documented expertise in ransomware incidents.
- Support interactions with law enforcement and other external entities as necessary.
- Secure functional specialists as needed, including crisis communications professionals and call center support.
- Assist in managing other aspects of the incident that are not specific to ransomware, such as notifications and insurance claims.
- Ensure that the entire response falls under attorney-client privilege.
Engage Outside Expertise
- Survey the market for cyber forensic service providers and understand the range of capabilities they offer for dealing with ransomware incidents. Focus on companies that have strong credentials, experience, and a superior reputation for cyber forensics. Your insurer and your cyber incident response coach can help to identify providers.
- Learn about tools that may be available to decrypt different strains of known ransomware. Document learnings as a possible incident response resource. For instance, the No More Ransom Project is a good source of free tools for decrypting certain ransomware varieties. Other resources are also available, and should be investigated as part of pre-incident preparedness. Engage your cyber forensic service provider for support.
Create a Cryptocurrency Account
Understand the basics of cryptocurrency. Consider establishing an account with a cryptocurrency exchange to enable a smooth, quick transaction, if needed. Consider creating an institutional account and making some trial payments to become familiar with the process and demystify cryptocurrency operations. For large transactions, funds wired into an institutional account in US dollars can then be exchanged for the desired cryptocurrency.
- As Bitcoin and other cryptocurrencies can be highly volatile assets, maintaining large balances of cryptocurrency as a contingency for a possible ransomware payment is not recommended.
- Recognize that cryptocurrency exchanges typically charge fees for purchases and transactions, and that it may be possible to engage a service provider to help with such transactions if necessary.
During the Incident
Minimise Exposure and Maximise Backup
- Isolate the ransomware infection by turning off servers and computers throughout the enterprise and disabling their LAN and WiFi connections or blocking network traffic to them. Ransomware moves quickly and can substantially disable an entire enterprise in minutes. Speed of response is critical as infection spreads quickly.
- Eradicate the malware executable code from networks and systems. Be aware that there are likely to be many copies of the malware throughout your IT environment. Additionally, be mindful that hackers sometimes hide malware in unexpected places (such as connected network devices like printers) that can reactivate and execute the original attack.
- Do not delete related files such as key files, text files, or ransomware notes as they may be helpful for understanding the threat actor’s tactics or needed for recovery. Secure the most recent good backup in offline storage.
- Recognise that regardless of the data restoration approach, full restoration of the affected data will require considerable hands-on work and can take many days.
Tap into Insurance Expertise
- If you have cyber insurance, engage your organisation’s risk manager and your cyber insurance broker to review relevant requirements of the insurance program, the expectations of the insurer, and any ransomware-specific services that the carrier may offer (such as cryptocurrency payments support).
- If you decide to pay the ransom, confirm with your carrier before making the payment. Many carriers require that they pre-approve in advance of a client making a ransom payment.
Follow Your Internal and External Guidance
- Follow the organisation’s cyber incident breach response plan, including pre-established procedures related to ransomware, such as those outlined above.
- If your company has a pre-existing contract with a cyber forensics provider, consider separate contract arrangements if that provider is to support the ransomware incident. Consult with your counsel. Payment to the providers through a distinct budget and management structure may preserve attorney-client privilege.
Execute on the Ransom Payment – Or Don’t!
- The final decision on whether to pay should be made through careful internal deliberation after sufficient legal advice and cyber forensic technical analysis.
- If the decision is made to pay the ransom, follow the instructions provided, consistent with the guidance of the cyber forensic team.
- If the decision is to not pay the ransom, then:
- Identify impacted systems. Wipe and rebuild them in accordance with pre-defined IT procedures and priorities to ensure they have no remaining ransomware/malware. Do a complete wipe and reformat of all storage devices, and restore the data from known sound sources.
- Once all systems are cleaned—and operating systems, applications, and data are restored—then the network can be re-established and declared operational.
Update Internal Guidance
- Document what you learned: how the infection occurred and what measures to put in place to prevent it from happening again.
- Review and revise the ransomware policy as needed.
- Update IT disaster recovery plans.
- Review and revise the ransomware policy as needed.
Bring In External Expertise
Engage a cyber defense service provider to perform an “indicators of compromise” assessment of the entire network. Find and eliminate any remaining malware or associated files or artifacts. Consider using a provider other than the forensics company that supported the response. While discovery and eradication of indicators of compromise is part of the response effort, an independent and comprehensive post-incident assessment will provide additional confidence that ransomware has been eliminated.
- Address network and system vulnerabilities or gaps identified during the forensic analysis to prevent a repeat attack.
- Conduct an after action review and lessons learned (AAR-LL) session with all who were involved in the incident. Capture information on what went well and what did not go well, and identify corrective actions to improve the response process for future ransomware events.
- For each gap or weakness, identify a senior manager or executive to be accountable for the completion of corrective actions.
Review Backup Strategy
- Review and refresh the data backup strategy, incorporating accepted best practices and lessons learned in the ransomware event. This may require re-architecting the data backup system if it falls short of data security needs. The data backup strategy should articulate:
- What data is to be backed up.
- Where the data is hosted: on premises, remote, cloud, or offline.
- How frequently different types of backup occur.
- Who is responsible for performing backups.
- Who is accountable for ensuring backups are successfully performed.
- Exercise and test data backup systems and processes regularly.
Remember: the effects of a ransomware attack can be anticipated. With solid planning, your organisation will be well positioned to handle a potential attack.