Detection, isolation, and negotiation: Improving your ransomware preparedness and response
The risks presented by ransomware and cyber extortion events have likely found a place in your own security team’s discussions, and rightfully so. Ransomware attacks have proliferated in the last decade. The numbers are staggering if not overwhelming, and make it abundantly clear that ransomware attacks are not a threat that any organization, however big or small and across industries, can afford to ignore.
It follows, then, that proactively protecting company assets and mitigating cyber risk is an essential investment of any business today. Without a threat readiness and response plan in place, the damage of a ransomware or cyber extortion event could reverberate across your organizations, resulting in data loss, service inaccessibility, operational interruptions, loss of trust and competitive market advantage, and other costly and lasting repercussions.
Improving threat readiness
When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate the attack. Because the longer a ransomware attack remains unaddressed, the more potential damage there could be to your organization’s ability to conduct business as usual.
While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little as damage as possible, should an attack occur.
Ransomware readiness can be divided into three major components: preparation, detection and isolation.
Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.
The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.
- Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
- Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
- Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.
Detection refers to the tools, technology, people, and processes in place to notice that attack is happening or has occured, and to identify its source within the network. Specific subcomponents of detection include:
- Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
- Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
- Implement multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.
To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:
- Limiting any individual employee’s access to only the files and data they must have to do their jobs.
- Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
- Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.
Responding to an ransomware attack
Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place to help you save time making decisions and keep emotional reactions in check, which can occur during a potential emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.
A good response plan is well-rehearsed, easily accessible in the event it’s needed, and based upon the resources available to the organization at the time it is written. It has several parts, including the designation of the parties that handle each step; the contact info of all parties who will communicate and negotiate directly with the ransomers; and up-to-date protocols related to legal compliance for dealing with ransom payment. But among these, one of the most crucial pieces to address in your plan is the handling of the negotiation.
Negotiation encompasses all engagement with the threat actor, and is required to reach any form of resolution, whether payment is involved or not. It is always advisable to use a professional who is familiar with threat actor engagement, ransomware attacks, and the legal obligations of ransomware victims; knowledge of current cyber extortion trends, threat actor TTPs, and threat actor groups is also important. Utilizing a negotiator who is transparent throughout the process and is receptive to the objectives of their client organization greatly facilitates a smooth discussion that is more likely to resolve in a way the organization is comfortable with.
There is no one-size-fits-all method to proceeding with negotiation. However, there are some general things you must be prepared for if your organization finds itself in this worst-case scenario.
- Keep all chats and communication with the ransomware actors private, and limit internal access to communication records with the threat actor. It may be advisable to switch to non-network-based communications if you are not sure if the threat actor has access to your email communications.
- Be prepared for professional negotiators. Further emphasizing the importance of having a professional negotiator of your own to leverage in this situation, it is important to note that many ransomware attackers have been observed to use professionals with careers in negotiations behind them in order to make organizations comply with ransom demands.
- Involving law enforcement early on in a ransomware attack is highly recommended. Not only does this help your organization ensure it is handling the attack within the bounds of the law, but law enforcement can also sometimes provide insight into specific threat actors or their TTPs, helping you with your negotiations and improving the outlook of your situation.
There are other means threat actors use to add pressure to negotiations outside of the ransomware attack itself, including:
- Implementing DDoS attacks
- Emailing employees directly about the attack
- Claiming to have data they have not actually exfiltrated to make the situation seem more dire
- Contacting executives or clients of the victims to make them aware of the attack
- Posting sensitive PII on public-facing forums or social media
- Leaving backdoors that make it possible for the ransomware attackers to carry out a second attack against the same organization
Being the victim of a cyber extortion attack is stressful and challenging. In order to mitigate its impact on your business and clients, it is imperative that you prepare for any and all of these potential additional factors that can increase the aggressiveness of a ransomware attack and do long-standing harm to the reputation and bottom line of your organization.