Ransomware attacks continue to affect many companies worldwide. The rate is alarming and cybersecurity companies now caution that these cyber attacks bear a huge potential for devastating damage to businesses of all sizes. The cases have been rising sharply since 2018, and 2021 in particular recorded a shockingly high figure when 68.5 percent of companies were affected.
Several large companies have already been forced to pay ransom after falling victim to these attacks. In 2021, CNA Financial paid 40 million US dollars, Colonial Pipeline paid 4.4 million US dollars, and JBS Meats paid 11 million US dollars.
In the face of this, it would be a big risk if your company is not prepared to handle a ransomware attack.
What is a ransomware attack?
Ransomware refers to malware or malicious software that restricts computer systems, networks, or files and demands payment for reversal of this restriction. Attackers use the «Triple Extortion» technique, which involves stealing sensitive data prior to launching the attack and threatening to disclose the data if a ransom payment is not made. Among the potential harms of ransomware attacks are the loss of critical data, loss of reputation, and the disruption of business operations.
How should a company handle a ransomware attack?
Preventing these attacks is not easy for any company. This has been made worse by the fact that attackers have discovered, to their delight, that it is often easy to trick unsuspecting companies. The attackers are always ahead of many companies' security preparedness, to the extent that a sizable number of organizations are always playing catch up — never ahead of the criminals.
Though companies handle ransomware attacks differently, the steps below make for the best ransomware management strategy for a company of any size, including small and medium businesses.
Step 1: Establish the extent of the attack
Assess all systems including devices. List all encrypted files and note which users accessed them before and during the attack. If you identify a user with a large number of open files, there is a chance that they could be «patient zero».
Patient zero refers to the source of the infection. Disable their account immediately to prevent further infection.
This assessment will inform the best course of action moving forward. If a limited number of systems have been infected, you may be able to clean them up and restore data from backups. If a large number of systems, including your core backup, have been impacted, you may need to consider dealing with the attackers to get the data back.
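The Step 1 triage above can be done from file-server audit logs: count, per user, how many files were written with an encrypted-file suffix inside the attack window, and treat the clear outlier as the patient-zero candidate. This is an added example, not code from the original article; the log layout, the user names and the ".locked" suffix are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a file-server audit export: "timestamp user action path".
# Layout and the ".locked" suffix are assumptions; real exports and ransomware families differ.
SAMPLE_AUDIT = """\
2024-03-02T08:55:10 alice write  /srv/share/finance/q1.xlsx
2024-03-02T09:01:03 bob   write  /srv/share/hr/salaries.docx
2024-03-02T09:02:11 carol write  /srv/share/finance/q1.xlsx.locked
2024-03-02T09:02:12 carol delete /srv/share/finance/q1.xlsx
2024-03-02T09:02:13 carol write  /srv/share/finance/budget.xlsx.locked
2024-03-02T09:02:14 carol write  /srv/share/hr/salaries.docx.locked
2024-03-02T09:02:15 carol write  /srv/share/hr/README_RESTORE.txt
2024-03-02T09:03:30 alice read   /srv/share/finance/q1.xlsx.locked
"""

ENCRYPTED_SUFFIXES = (".locked",)  # assumed marker left on encrypted files

def parse_audit(text):
    """Parse the export into (timestamp, user, action, path) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(maxsplit=3)
            records.append((datetime.fromisoformat(ts), user, action, path))
    return records

def encrypted_files_by_user(records, start, end):
    """Map each user to the set of encrypted files they wrote inside [start, end].
    start/end are ISO-8601 strings bounding the attack window established in Step 1."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    written = defaultdict(set)
    for ts, user, action, path in records:
        if lo <= ts <= hi and action == "write" and path.endswith(ENCRYPTED_SUFFIXES):
            written[user].add(path)
    return dict(written)

def candidate_patient_zero(written, min_files=3):
    """Return (user, count) for the account that wrote the most encrypted files,
    or None if no account reaches min_files (too few hits to disable an account on)."""
    if not written:
        return None
    user, files = max(written.items(), key=lambda kv: len(kv[1]))
    return (user, len(files)) if len(files) >= min_files else None

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    hits = encrypted_files_by_user(recs, "2024-03-02T09:00:00", "2024-03-02T09:10:00")
    print(candidate_patient_zero(hits))  # ('carol', 3): the account to disable first
```

The same counts also give you the list of encrypted files per user that Step 1 asks for, which is what law enforcement and the insurer will later want to see.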
Step 2: Inform authorities, legal teams, and cyber liability insurance company
Once you have identified and shut down patient zero, report the attack to the relevant authorities, such as the local FBI field office and law enforcement bodies such as the National Cyber Investigative Joint Task Force (NCIJTF). These authorities will register the incident, probably open investigations, and may actually help identify the perpetrators sooner than you could.
If the authorities identify the attackers, they may obtain the decryption key for you. Informing them may also assist them in determining which other companies are also a target and warn them in advance.
Your legal teams play an important role when handling such attacks, and indeed any other attack for that matter. They will guide you on the best immediate actions to take without exposing the company to costly legal challenges. They can also help you determine what information you need to share with law enforcement, employees and customers.
Your legal team can also advise you on the rights and options the company has if you decide to pay the ransom. And if you decide not to pay, they can help you start preparing for a possible lawsuit.
Failing to notify your legal team immediately after a ransomware attack can have some serious consequences.
For starters, you could be violating your state's data breach notification laws. This is something that your legal team can help with, by crafting a notification letter that meets all the legal requirements.
As for informing the insurance company, this depends on whether or not you already have this insurance policy. Cyber liability insurance is a policy that protects companies from expenses incurred after a data breach. These policies fall into four categories, depending on the cyber exposure risk:
- Network security coverage.
- Privacy liability coverage.
- Error and omissions (E&O) coverage.
- Business network interruption coverage.
The cyber liability insurance market is fast-growing and is expected to grow into a 20 billion US dollar industry by 2025. It's a relatively new policy that you need to start thinking about if you don't have it yet.
Further reading: What is cybersecurity insurance and why is it important?
Step 3: Assess your backup: has it also been affected?
The ideal incident response plan for most companies is to try and restore their backup to avoid paying the ransom. However, the attackers know this and will attempt to locate the backup and delete or encrypt it. This is why security experts often advise companies to use the segregated backup strategy.
If your backup has not been affected and you have access to it, move swiftly to secure it.
Also on backups: What are the various types of backup options?
Step 4: Isolate all affected devices
In most cases, the malicious ransomware code scans your network and identifies vulnerabilities. Once it identifies the weak points within the network, it will spread laterally. So you want to quickly separate all affected devices from the rest. Plus you might be lucky to find that it's only a few devices that have been compromised by the time you discover the attack.
Isolation can be done in a few ways. One is to physically disconnect the devices from the network. If that's not possible, you can disable the network adapters on the devices or place them in a virtual network that can be controlled independently. It's also important to change all passwords and account credentials on all devices.
Step 5: Back up the affected files/devices
This is where many companies get it wrong, and it costs them. For most companies, the intuitive incident response after a ransomware attack is to quickly format and restore a backup of the affected systems. However, such an action will erase all evidence and prevent you from determining the cause.
Before rushing to reformat and restore a backup, create a backup of the infected files. You want to ensure you have all the evidence intact because you’ll need it to uncover the attack and use the insights to avoid similar attacks in the future. The law enforcement bodies, lawyers and insurance companies will also need this evidence as a whole, so you don't want to mess it up.
In fact, it’s better to resist the urge to urgently return the affected systems back to operation. It’s normal to want to forget about the attack and move on as fast as possible, but this can only embolden the attackers.
However, if your assessment shows that the net effect of the attack is insignificant compared to the net effect of not restoring the affected operations soon enough, then you can proceed to quickly restore all affected areas with their clean backup. Please consult your legal team before making the final decision.
Step 6: Inform customers, users and other stakeholders
By now you may or may not have restored all affected operations. But all the same you have a clear way forward. This is the right time to inform both internal and external parties with interest in your company. These include all stakeholders including employees, customers, investors, suppliers and anyone that would be affected. However, there are several issues to consider before the public announcement.
You must understand under what circumstances you need to communicate the breach. You have a responsibility to inform people whose data you hold. Therefore, develop a communication plan but be clear that you are in control. If there is anything crucial that this communication should achieve, it’s confidence. People like to get the message that the company is in TOTAL control no matter the damage. Some might not be so keen on the extent of the attack, but the assurance that their interests are well taken care of is sufficient.
Take caution not to give the wrong impression that all is under control when things are actually bad. Be honest.
Step 7: Explore your options with the hackers
Hackers will normally send a ransom note telling the company that they have control of their data and that they should pay the ransom in return for decryption. Most organizations prefer to pay and move on. While the ultimate decision is for the company to make, law enforcement agencies advise against paying ransom as this empowers the criminals to carry out more attacks. There is also the possibility that they can refuse to surrender your data and demand more ransom, setting up the stage for a series of ransom payments that will finally drain your resources and kill your company.
You should engage experts and a legal team to explore other options. Various federal agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), offer assistance and information on how you can handle a ransomware attack before resolving to pay the ransom.
Step 8: Review and reinforce the security posture
Once you have handled the ransomware attack, you must review systems and safeguard the organization from future attacks. Here are a few strategies to use:
- Regular backups: Backups play a significant role in restoring data after an attack. Consider employing multiple backups in different locations.
- Network segmentation: This technique divides networks into smaller segments in several ways, including virtual LANs and firewalls. It might limit access and strengthen security.
- Regular security assessments: Assess the company’s security posture on a regular basis.
- Update the security policy: Use the outcomes of the attack to update the company's network security policy to include new techniques that employees can use to help protect against ransomware attacks. Create awareness among employees about the newly updated policy.
Should you pay the ransom?
If all options fail, the company might find itself in a situation that compels it to pay the ransom. However, paying is not a guarantee that the attackers will surrender and cease control of your systems. Sometimes they can even give the wrong key and disappear.
A ransomware business impact study showed that approximately 46 percent of the time, organizations don't get their whole data even after paying the ransom. Accepting to pay the ransom should be the last resort when everything else has failed.
One of the smartest ways to deal with ransomware criminals is to start by understanding their aim. We often assume that they are all after money. But some of them have been found to harbor motives beyond money. Maybe they just want to frustrate your operations for some time and damage your reputation. Others might want to destroy your business completely, meaning no amount of payment and negotiation can persuade them to stop. So when you engage them, focus on gathering the kind of information that will expose their true aim. Once you understand their main purpose, you can formulate an action plan that will preserve your business. Think long term, act quickly.