IT decision-makers often find themselves stuck between a rock and a hard place when it comes to dealing with ransomware attacks. Do they pay a large sum of money to cybercriminals in the hopes of regaining access to their systems and data at the risk of putting the business in a dangerous financial position? Or do they hope that their backups are good enough and that hackers won’t leak their information online? Some might be looking for a third option, which is where ransomware negotiation comes in.
It might seem logical to try to negotiate the ransom demand down to an amount that isn’t going to break the bank but would still be enough to satiate cybercriminals’ thirst for cash. Unfortunately, this isn’t a good idea, because negotiations can backfire and even cause ransomware gangs to increase their ransom demands.
This recently happened to Acer when they attempted to negotiate a $50 million ransomware demand down to $10 million. As retaliation, the REvil gang threatened to double the ransom if they didn’t receive the $50 million.
Another example is the Egregor ransomware gang, which often threatens to publish their victims’ data online if they negotiate or fail to deliver on ransom payments. If you’re not looking to add your company’s name to the list of failed negotiations, keep reading to find out some do’s and don’ts of planning for ransomware incidents.
DO: Create a plan before crisis strikes
A ransomware attack affecting your business in today’s digital economy is a matter of “when,” not “if.” Cybersecurity is an arms race, and as technological innovation grows, cybercriminals are also constantly innovating to develop new and more damaging attack methods. That’s why it’s essential to prepare for an attack as if it were as sure as the fact that the sky is blue – hopefully enabling you to avoid any negotiations altogether.
DO: Prepare your employees with relevant training
There’s no one-size-fits-all ransomware preparedness plan, but general best practice includes getting your employees involved from the get-go. Cyber hygiene training is critical. Employees should know the steps to take if they suspect a ransomware attack has occurred (e.g., disconnecting their laptops from the network and notifying network administrators straight away).
In addition, IT leaders should have a dedicated ransomware crisis team that includes members from all parts of the business, all the way up to the C-suite. That way, employees know who to turn to when an attack happens, and the team will be ready to act.
DO: Follow BCDR best practices
A solid plan also includes business continuity and disaster recovery best practices. To avoid getting trapped in a negotiation over unlocking encrypted data, consider securing backups both offsite and in the cloud. Since some ransomware strains encrypt backup files alongside primary data whenever the backups are reachable from the compromised network, be sure to store backups separately from production systems.
Keeping in mind the 3-2-1 rule of storing three copies of data, in two separate locations, with one being offsite or in the cloud, can help. That way, you can recover from a “known good” state before the attack without needing to pay a dime.
DON’T: Wait to activate your crisis comms team
Activating your crisis communications team is an essential first step, as it helps get the news in front of the right people as soon as possible. Providing both employees and customers with visibility into the event by communicating what happened and the steps of your plan can reassure affected parties that you’re doing everything in your power to keep their data safe.
Keeping people calm is critical – an angry horde of customers taking to Twitter to express their frustration might push IT decision-makers to negotiate and pay the ransom before exhausting other avenues.
DON’T: Avoid notifying affected parties
It’s always important to report an attack to the relevant authorities, particularly if customer information has been compromised. The last thing anyone needs when dealing with an attack is to have a privacy crisis on their hands, so determining the extent of a breach by working closely with authorities can help mitigate any data privacy violations before they get out of hand. For example, under the CCPA, organizations can face fines if data isn’t recovered within a specific time frame, so it’s essential to move quickly to avoid noncompliance.
DON’T: Negotiate or pay up!
Despite all the ransomware attack mitigation plans in the world, it’s inevitable that at some point, an attack will slip through the cracks. But don’t rush into a ransom negotiation just yet – paying a ransom should always be a last resort.
By developing a proactive plan for when an attack does inevitably strike, which considers employee and customer preparedness and communication as well as backup and disaster recovery best practices, many companies can avoid the problematic payment question altogether. Ransomware isn’t going away anytime soon, but it doesn’t always have to mean a massive hit to your financial bottom line – you just need to be prepared.