The success of ransomware is largely dependent on the readiness of an organization to respond to such an attack. Lack of a proper plan to respond to ransomware can be ruinously expensive, and these costs continue to rise as cybercriminals seek to extort more money from organizations using increasingly sophisticated attack tools and techniques. Palo Alto reported that the average ransomware payment rose by 71% during the first half of 2022 to $925,162.
Knowing how costly a ransomware attack can be, how should your organization respond in the event of a suspected ransomware attack?
Establishing a Ransomware Incident Response Plan
There are several essential steps to prepare your organization for a ransomware attack, including assessing the risk, containing the threat, and post-incident evaluation. Here are the seven most important things to do in anticipation of a ransomware attack.
1. Risk assessment
An effective ransomware response plan should incorporate a well-defined preparation stage to ensure your organization is aware of its risks and vulnerabilities. A thorough assessment should be carried out to expose these weak points. It should:
- Use the right software solutions to eliminate vulnerabilities and carry out updates and patches when required.
- Outline the team responsible for ransomware response and document their roles and responsibilities.
- Ensure employees are cyber-aware by giving them effective security awareness training. This step is critical, as phishing is one of the leading causes of ransomware infection.
- Prepare and/or update the cybersecurity processes and policies of your organization, such as comprehensive steps for incident response and disaster recovery, cyber insurance and access controls. These policies can also cover your organization’s approach to ransom negotiations.
- Verify incident response system capabilities by carrying out exercises such as penetration tests.
2. Detection
In the event of a potential ransomware attack, it is crucial to obtain confirmation as to whether the occurrence is indeed an attack. You can utilize advanced detection tools as well as monitoring solutions to expose anomalies and possible breaches.
If the attack is validated as a ransomware attack, you should alert the correct stakeholders immediately, so they can step into their previously outlined roles to respond to the breach. These include management, IT staff, legal and public relations (PR) teams, and any other team your organization considers as part of the ransomware response team.
The next step should be an examination of the scope of the incident. This includes taking note of which systems, applications, networks, and devices are affected and figuring out how the malware is spreading. The detection approaches and steps should be carefully documented for post-attack reporting, which will help locate, understand, and patch up any vulnerabilities in your infrastructure.
3. Containment
Containment involves mitigating ransomware damage by isolating and quarantining malware. To do so, you will have to preserve all evidence, physical and digital, for forensic analysis. This means the impacted systems will need to be contained in a controlled manner to facilitate additional analysis. After an initial assessment of the impact, the policies outlined in the preparations stage come into play when disseminating information about the attack to affected parties.
The major steps in this phase include:
- Identify the infected systems to understand the extent of the ransomware infection. This involves determining all infected assets and the extent of lateral sprawl. If your team lacks the technical skills or resources to carry out this step, contact a third-party incident response provider for assistance.
- Isolate the affected hosts after they have successfully been identified. It is critical to disconnect the infected systems from the network as rapidly as possible to prevent spreading the infection to other devices.
- Make sure backups are secure and free from infection. Determine and carefully evaluate the most recent viable restore point.
- Document evidence from sources such as log files, system images, ransomware notifications, and encrypted files. It’s worth noting that this evidence may be volatile and should be checked and documented regularly as the attack is in progress. Such evidence may contain an encryption key that can be recovered in the case of attack—as long as it’s caught before the key is deleted. In some cases, if the attack is discovered fast enough, it may be possible to halt the encryption process and mitigate some of the damage.
4. Investigation
A thorough investigation needs to be conducted after containment to identify the ransomware strain in use, possible risks, and options for recovery. Sometimes the ransomware strains in use employ weak encryption with publicly available decryption mechanisms.
Additionally, initiatives such as No More Ransom represent a collaboration between IT security companies and law enforcement agencies to enable the recovery of ransomware victims where possible.
The steps you can follow in the investigation stage are as follows:
- Utilize the preserved evidence to establish a chain of custody before investigation. If your organization lacks the technical expertise, it is advisable to consult a digital forensics and incident response expert.
- Identify the ransomware strain. Ransomware often displays its name, version, or strain. If you have trouble with this process, third-party incident response teams can assist. In addition to No More Ransom, ID Ransomware by MalwareHunterTeam is a free resource that can help with the identification of ransomware.
- Establish how affected systems were compromised to prevent reinfection.
- Contact the relevant legal authorities. Law enforcement, legal teams, and data protection offices fall under this category. Consulting law enforcement can help you deal with ransom demands based on their expertise and experience with ransomware. Third parties can also be hired to assist with ransom negotiations if necessary, and your organization would have to decide whether to involve a cyber insurance carrier depending on the level of infection.
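The evidence-documentation step in containment and the chain-of-custody step above can be backed by a hash manifest. The following Python example is added here and is not from the original article: it records a SHA-256 hash for each collected item and chains the custody entries, so later changes to either the files or the log are detected. The file names, handler names and log fields are assumptions made for illustration.

```python
import hashlib, json, os, pathlib, tempfile, time

GENESIS = "0" * 64  # "prev" value of the first custody entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, path, action, handler):
    # Each entry commits to the evidence file's hash and to the previous entry.
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "item": os.path.basename(path), "sha256": sha256_file(path), "action": action,
             "handler": handler, "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)

def verify(log, evidence_dir):
    """Return a list of problems; an empty list means log and files are intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: custody log altered")
        prev = e["entry_hash"]
    for item, digest in {e["item"]: e["sha256"] for e in log}.items():
        path = os.path.join(evidence_dir, item)
        if not os.path.exists(path) or sha256_file(path) != digest:
            problems.append(f"{item}: missing or changed since collection")
    return problems

def demo():
    # Constructed sample evidence; file names and contents are made up.
    samples = {"ransom_note.txt": b"constructed note", "auth.log": b"constructed log\n"}
    with tempfile.TemporaryDirectory() as d:
        log = []
        for name, data in samples.items():
            pathlib.Path(d, name).write_bytes(data)
            record(log, os.path.join(d, name), "collected from isolated host", "analyst-1")
        clean = verify(log, d)
        os.truncate(os.path.join(d, "auth.log"), 0)  # evidence modified after collection
        file_edit = verify(log, d)
        log[0]["handler"] = "someone-else"  # custody log itself modified
        return clean, file_edit, verify(log, d)
```

Keep a copy of the final `entry_hash` outside the affected environment, because someone who can rewrite the whole log can also recompute every hash in it.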
5. Eradication
This phase is all about wiping out every malicious artifact on your network through actions such as complete system scans, patching system vulnerabilities, and updating your cybersecurity tools. Indicators of compromise should also be shared with the pertinent parties, such as managed security service providers (MSSPs).
6. Recover and restore
This stage focuses on how your organization will recover from the ransomware attack and return to normal operation as soon as possible. It involves the recovery of systems and data from the secured backups you identified in Step 3 to restore uptime.
7. Post-incident activity
In this phase, you should:
- Make sure all applications, data, and systems have been restored and accounted for by verifying backups.
- Follow the regulatory and breach notification requirements that apply to your organization.
- Learn from the attack to improve your security posture, and take action to avoid a repeat scenario.
Should Your Organization Have a Ransomware Response Plan?
Having a ransomware response plan can make a tremendous difference. An effective ransomware response plan may help an organization recover from a ransomware attack without having to pay a ransom, and in extreme cases can be the difference between inconvenience and bankruptcy.
In addition to the rising average ransomware payment, the increasingly popular ransomware-as-a-service models have significantly lowered the barrier to entry for potential cybercriminals. With such security breaches, it is key to maintain minimal downtime, so the financial impact remains at a minimum.
With no plan in place, paying the ransom becomes the only way out, placing all of the power in the hands of the attackers. Although it may not be illegal in most cases, paying hacker ransoms is not encouraged by law enforcement agencies, as it empowers the responsible parties—in addition to the financial strain it places on your organization.
Having a systematic response to anticipated ransomware incidents can not only save your organization money but also provide a head start on dealing with the damage. Beyond cost, service disruption as a result of a ransomware attack is likely to impact the reputation of the enterprise.
It can undermine customer confidence when an organization fumbles through responding to a ransomware attack, especially if it ultimately results in the organization paying the ransom. With a ransomware response plan, your organization is better poised to recover data before customers are affected by critical service disruptions—and demonstrates your trustworthiness as a product or partner.
If you want to avoid a clumsy response to ransomware attacks and to put in place formal steps that keep such attacks from repeatedly succeeding against your organization, then a ransomware response plan is a must-have.
Developing an Effective Ransomware Response Plan
It’s important to remember that a ransomware response plan will become ineffective if you do not learn from each ransomware incident. You should always investigate why an attack happened and determine the appropriate actions to be taken to shore up vulnerabilities and prevent future compromise. Plus, the lessons derived from each stage should continuously evolve your ransomware response plan going forward.
It’s possible that you’ll never have to use your ransomware response plan. (In fact, it’s ideal!) However, this possibility should not deter your organization from having one, since cybercriminals are constantly evolving, refining, and making their methods more accessible and intuitive to criminals and more devastating to their targets. In security, it’s always better to be overprepared than underprepared.