Plan Your Ransomware Attack Response Now

A food processing chain. A fuel pipeline system. A police department. A transportation authority. These are some of the larger targets hit with ransomware attacks in the U.S. so far in 2021. But for every ransomware story in the news, dozens of incidents go unmentioned, either because the company is too small for news outlets to care or because the organization wanted to handle the situation quietly on its own, probably by paying the ransom.

And ransomware pays good money. In 2020, the amounts victims paid to regain use of their data increased more than 300%. It’s not surprising then that the Washington Post claims that the frequency of attacks more than doubled from 2019 to 2020. It seems not a case of if a company will get hit, but when.

The growth of remote work in the last year created the perfect conditions for cyberattacks. Although mobile work—and mobile devices—have increased for almost a decade now, companies still don’t proactively communicate the urgency of hardening home-based information security the way they should. Billions of homeworkers provided multiple entry points through insecure home routers, possibly still running WPS instead of WPA2 or WPA3, and Wi-Fi networks without password protection.

Companies can shore up home-based offices. But they also need to change their attitude to ransomware attacks. Tactically, companies focus cybersecurity efforts on regulatory and framework compliance.

That’s important, but they need to build cybersecurity capabilities to withstand a determined adversary. Recently, a client of ours lost their database and their backups: the ransom group called their backup provider and persuaded them through a social engineering attack to erase their backups. Such initiative yielded the bad guys over $2 million.

Companies also don’t yet fully realize how disruptive a ransomware incident is. You may think that your backup—if you still have one—covers you. But, restoring an entire data center or multiple data centers is not just a 4- or 5-hour job. Depending on the extent of the breach, recovery could take days or even weeks of round-the-clock work.

Ransom attacks also present broader strategic and reputational implications. The problem now extends beyond a mere technical project of decrypting the system. Consider the loss of revenue. What’s the impact to employee morale? How long before customers trust you again?

So, what are company leaders to do?

1. Bolster your backup and recovery processes.

Employ a three-generation backup policy for all critical files: the grandparent is the oldest version, the parent is the second oldest version, and the child is the most recent version. Store at least one version entirely offline and offsite on tape or another movable media that you can quickly recover. In addition, use an immutable storage system so no one can overwrite or delete encrypted files. Finally, ensure that your off site provider uses two-factor authentication (2FA) to withstand a social engineering attack that could delete your backups.

2. Build a ransomware playbook.

Imagine your data incident response. Consider scenarios ahead of time to avoid a steep learning curve in the moment of crisis. Will the leadership and board pay the ransom or not? If they choose to pay, how will they do it?

Another significant consideration is, will management notify the FBI when they discover an attack? Actually, this is the right thing to do. Remember that making a payment in furtherance of criminal activities is a technical violation of U.S. anti-bribery laws. The Office of Foreign Asset Control (OFAC) at the U.S. State Department requires a company that pays to complete some paperwork, which is another good reason to involve the FBI: they can help with the recording process. In addition, anyone involved in paying a ransom may incur some criminal liability if the process isn’t done correctly. Consult your lawyers ahead of time. Again, you need to think about all this before your data gets locked up.

When you complete your robust ransomware response plan, practice it again and again. Make this more than just a technical exercise. Play the complete response from a reputation crisis management standpoint.

3. Take cybersecurity measures to meet an active and present threat.

Your cybersecurity program must do more than keep you in compliance with HIPAA, FISMA, or ISO/IEC 27001—valuable as all those standards are. Weave cybersecurity into the fabric of your company culture. You know the tools already; but you have to use them.

• Establish firewalls.
• Install reputable antivirus protection.
• Disable remote connections.
• Filter incoming email for the most common troublemakers, the macro-enabled executables, such as .docm and .pptm files.
• Reveal hidden extensions to show rogue .exe, .zip, and .rar files.
• Invest in SIEM, security information event management, which can detect anomalies within your network.
• Implement a safe listing protocol, particularly around sensitive information.
• Keep up-to-date with patches.

Those steps are the technology side of ransomware protection. Even more important is the people side. Staff are the weakest link but can be the first line of defense. Train all staff regularly on the dangers of malware and ransomware. Let them know how easily bad actors can infect their devices and the whole network. Reiterate what staff should and should not do:

• Use strong passwords that staff change regularly.
• Question the legitimacy of emails.
• Create a social media policy to limit what information spear phishers can gather about employees and executives.
• Don’t open email attachments from unknown sources.
• Don’t click links in emails from unknown sources.
• Don’t open emails in the spam folder from unknown sources.
• Conduct ethical social engineering tests frequently so everyone keeps their threat awareness sharp.

Usually, ransomware events appear in the news after the fact. But that doesn’t mean you can’t get a look around the corner at potential threats and deterrents. Consider subscribing to the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA), FBI, NIST, and other cyber intelligence bulletins to understand current thinking. Help your leadership decide now, before an attack, where they stand and what the plan is to manage and survive ransomware and other data incidents.

Can we help you?

Bryghtpath has built the data incident response plans for major healthcare companies, designed crisis management frameworks & plans, facilitated crisis and cybersecurity exercises, and helped organizations rapidly mature their business continuity capabilities. You can learn more about our approach to Crisis Management in our Ultimate Guide to Crisis Management.

Don’t hesitate to reach out to us today for a call to discuss your challenges and learn how we may be able to help you prepare for the ransomware threat.