What should a company do when cyber criminals attack its systems and demand a ransom? Unfortunately, the increase in ransomware incidents forces a growing number of businesses to answer that question.
How organizations handle the minutes, hours, and days following a ransomware attack determines how much it hurts their finances, reputation, and standing with customers and regulators. A poor response could lead to a heavy financial hit, while an excellent one could reduce the incident to an inconvenience.
Response actions and plans vary based on the scope of an attack, the size of the organization, and the organization’s resources. But there are some key steps to take to mitigate losses in any attack on any size company. (While we call these recommendations “steps,” many of them will coincide.)
Ideally, the response to a ransomware attack should follow a well-prepared and rehearsed playbook. Individuals at each level of the organization should know their specific roles and responsibilities, says Tim Rawlins, senior advisor at security consulting firm NCC Group.
The gold/silver/bronze model standard in many business continuity plans is a good starting point, Rawlins says. The executive or gold team focuses on setting the organization’s strategy and managing the response to stakeholders. The silver team of departmental heads focuses on ensuring the right tactics are used and that resources are available to the various operational (bronze) teams that deliver the response.
“This process is predicated on using the individual’s expertise to do what they do best and not interfering,” Rawlins says. “Leave the technical response to the bronze teams of security and IT, with support and guidance from the silver team, based on the strategy set by the gold team.”
As a member of the gold team, the chief financial officer will be responsible for gauging the incident’s impact on the company’s finances and its long-term stability, Rawlins says. “The CFO will likely have personal stakeholder relationships that they manage, so they will probably be the point person to talk to the banks, major shareholders, and investors.”
Assuming the organization has an IRP in place — which it should — response teams need to follow the plan as closely as possible following a ransomware incident.
The IRP “provides a defined set of step-by-step instructions to help staff detect, respond to, and recover from network security incidents,” says Jeffrey Wells, co-chair of the cybersecurity, data protection, and privacy team at law firm Clark Hill PLC.
A good IRP includes a roster of IT team members and trusted outside technology experts as well as a cross-functional incident response team poised to respond when security is breached, Well says.
This group is “charged with determining as quickly as possible what systems and hardware are affected by the ransomware attack,” Well says. A company with multiple locations should have each site conduct a similar triage. The team should determine whether backups still exist and are usable, and ascertain whether the attackers sent a ransom note.
Pay particular attention to the variant of ransomware involved. “Sometimes the ransom note will identify this, or the file extension used on encrypted files may provide information,” Wells says.
Immediately following a ransomware incident, the IT or cybersecurity team must identify the root cause and then contain the attack.
That includes figuring out the method of attack, says Bruce Young, leader of cybersecurity operations and control management at Harrisburg University of Science and Technology. “Was it by a clicked link in a phishing email, a drive-by pop-up for a user to update their Adobe software, or a bad actor exploiting a vulnerability providing access to internal resources?” Young says.
Containment includes ensuring that the malware doesn’t spread. “Ransomware must be contained before eradication and recovery, or there is a risk of having restored information contaminated,” Young says.
The company needs to eradicate or remediate whatever vulnerabilities allowed the exploit to be successful as soon as possible. “Otherwise, the bad actor can use the same method to re-attack the organization,” Young explains.
Once the root cause is contained and eradicated, the organization can begin the recovery process. According to Young, compromised or encrypted data must be restored and verified in an environment known to be free from ransomware. “Verification includes ensuring that the backup copies of the data are not contaminated,” he says.
At the same time, an organization that is dealing with an attack should be in contact with law enforcement, such as the FBI’s Internet Crime Complaint Center (IC3).
“While the FBI may not be able to assist you or your organization, they do have resources,” Wells says. The FBI will collect information from the organization to make it easier to assist the next victim of the particular ransomware variant.
Not only can law enforcement officials help assess the breach’s magnitude, but they can guide the organization in how to proceed. “Law enforcement can assist with communications with attackers,” Young says. Also, a law enforcement investigation provides evidence to help determine the identity and location of the bad actors.
Companies should also contact internal legal representatives and engage external legal counsel that specializes in cybersecurity and incident response in the event the attack results in litigation, says Meredith Griffanti, co-head of the cybersecurity & data privacy communications practice at global business advisory firm FTI Consulting.
They can help assess the situation and onboard additional vendors such as crisis communications providers and ransom negotiators under attorney-client privilege. They can also perform the proper compliance checks and other due diligence if a potential payment is made, Griffanti says.
In some cases, the target has to inform regulatory bodies within 72 hours of learning of the incident. (See #6, “Meet regulatory compliance obligations.”)
The biggest question that arises in the wake of a ransomware attack is whether to pay the ransom, and the answer is by no means easy.
“Whether the ransom should be paid depends on the organization’s ability to recover from the impact of a ransomware attack,” says Harrisburg University’s Young.
The cybersecurity team should consult executive management regarding the incident status and the organization’s ability to respond and recover in a reasonable amount of time. “Ultimately, the executive management team, including the CFO, may determine the risk is high that systems and information cannot be recovered in an appropriate timeframe. Therefore they may decide to pay the ransom,” Young says.
But he says that if an organization has planned and implemented the necessary security measures to detect, prevent, and recover from ransomware attacks, paying the ransom should be avoided.
The CFO has a central role in assessing any business impact a ransom may have on an organization’s finances and the ability to fund day-to-day operations, Griffanti says.
“However, ultimate decision-making should rest with the CEO, given the range of considerations that need to be evaluated — financial, legal, operational, reputational, and otherwise,” Griffanti says.
A company’s board of directors will at the very least need to be informed of the decision about payment, and a company’s general counsel or equivalent — in partnership with external legal counsel — should advise the CFO and CEO on what level of board engagement is prudent, says Griffanti.
Victims of ransomware attacks are obligated to inform a number of interested parties and stakeholders. These include employees, customers, business partners, insurance companies, corporate legal representatives, members of the media, and the public.
“Communication … should be consistent and timely across the board,” Griffanti says. The most critical communications objective is that the organization’s stakeholders learn of the incident or notable developments from the company — not second-hand from threat actors or the media.
In addition, communications should be done in lockstep with the legal strategy throughout the incident response process, Griffanti says. That ensures the information conveyed is rooted in fact and does not get ahead of any forensic investigations.
“We typically recommend that clients start with developing key messages around what happened, what containment and remediation measures are in place, how the organization plans to communicate [amid] operational disruption, and when stakeholders can expect to receive updates, as appropriate,” Griffanti says. “From there, all communications materials can be tailored to individual audiences but should reflect consistent facts.”
Senior management is usually responsible for communicating news of a significant cybersecurity breach, Young says. For example, the CEO, chief information security officer, or chief information officer should share the news with employees. Most likely, this will have to be done early on because once IT discovers an attack, it will have to disable Internet connectivity and shut down some or all systems. Keep this in mind when formulating the communications strategy.
A public relations spokesperson or senior executive should be the pipeline to the media. The messages to the public must be transparent and accurate, Young stresses. “Misinformation, especially early on, can seriously damage the reputation of the organization and lose customers.”
All organizations, especially those in financial services and health care sectors, have to follow regulatory guidelines around cybersecurity incidents and data theft.
“An experienced lawyer can help navigate not just the technical or even the compliance obligations, but can foresee potential legal, regulatory, and compliance risks,” Clark Hill’s Wells says.
Data or information stolen in the attack may trigger compliance obligations on an expedited timeline, Well says. Often, the company has time to investigate before compliance deadlines are triggered, Wells says. “However, there are circumstances [when] the company has to provide notice before completing an investigation.”
This includes attacks that involve data or information subject to Defense Federal Acquisition Regulation Supplement (DFARS) regulations, New York State Department of Financial Services (NYDFS) regulations, or the European Union’s General Data Protection Regulation (GDPR).
Companies may also have a contractual obligation to notify specific customers, partners, or vendors within a specified period.
To learn from the experience, review the detection and prevention security controls that failed to protect the organization in the first place, Young says. He recommends meeting with the relevant vendors to determine possible causes. For example, was it a misconfiguration, a flaw in product functionality or design, a failed detection mechanism?
The review should also include evaluating the IRP — or creating one if it doesn’t already exist.
Finally, it’s important to hire an IT forensic investigator, Wells says, instead of relying on the internal IT group. “[The internal IT group] can be a valuable resource in the response, but ultimately you want a neutral third party — and one with experience handling ransomware events — to assist the company in the investigation and to help ward off potential claims of [investigatory bias].”
Not only will an excellent independent forensic investigative team get to the bottom of what occurred and help improve the security of the company’s IT infrastructure, “but it will be familiar with collecting and preserving evidence for future use in possible litigation,” says Wells.
Bob Violino is a freelance writer based in Massapequa, N.Y.