For some, ransomware attacks might not be the leading data breach concern, but they are a ruinous threat to organizations large and small.  Besides the cost of the ransom itself, ransomware victims are left with the high costs of data loss, cleanup and remediation, and prolonged business interruption.

Unfortunately, there is a disturbing trend, increasingly supported by insurance carriers, to give in and pay the ransomware. Often this might not be the best practice.

In this article, we’ll examine the pros and cons of paying ransomware and, more importantly, give guidance on how to avoid a ransomware incident altogether.

We’re Locked Up! Now What?

Walking into your office Monday morning to have your IT staff tell you your data is inaccessible, and your employees can’t work is a gut-wrenching reality for organizations on a daily basis.

So now what?  What do you do and whom do you call?

Ideally, you will have an Incident Response (IR) plan and program in place that you can now activate in just this situation.  Your technical staff should already be executing pre-made playbooks designated for this exact circumstance.  Sadly, however, this is rarely the case.

If you are unfortunate enough to find yourself locked up by ransomware without a solid Incident Response plan, consider the following steps before paying:

1.    Call your General Counsel (GC) or outside legal counsel.

Everything should be run through your legal counsel. Your legal counsel will guide you on next steps.  Your best level of liability protection would be having outside breach counsel, especially if you engage an external IR firm to assist you.  This external IR provider should be engaged through outside legal counsel.

2.    Determine the extent of the damage.

At this point, it’s expected that you’ve pulled the proverbial network plug, to ensure the attackers can no longer access your environment^[1].  Instead, consider your options. What is the full extent of the infection? Could you consider isolating just the infected systems to keep your production environment running?

Questions you should be asking at this stage:

Is just part of your environment locked up, or is everything encrypted?

• If it’s a partial encryption, assess which environment(s) this exists in and start to assess the impact. You will also have to determine how to contain the damage based on a number of factors (environment segmentation, etc.)
• During your assessment of the damage, you begin to understand what level of visibility you have within your environment along with any gaps. Having the right tools, such as EDR and network monitoring, in place before a breach can help in speeding recovery and identifying the root cause.

Do you have backups for your most critical data and, if so, have you taken those offline?

• Take the backups offline so they cannot get encrypted and, if possible, create a copy of these backups that will remain offline and pristine, in case you have not successfully removed the attackers from your environment.
• If the backups are very large and located in a place where physical access is not possible (e.g., AWS Glacier) you will need to determine the fastest way to get access to these backups. This is another aspect of IR and DR that should be determined well before a breach.
• It’s worth noting that many flavors of ransomware intentionally delay execution. They may hide within backups and reinfect the environment when backups are used to restore. Therefore backups are not always the ideal solution.

Calling in Outside Help

If you have not prepared for a data breach, specifically a ransomware incident, you may already have contacted law enforcement or your insurance carrier before contacting your GC. Many insurance carriers encourage ransom payment to get your business up and running as quickly as possible.

At Cyber Defense Group, we strongly discourage paying ransom for numerous reasons:

1. Paying ransom enables cybercriminals to build out their “business” and guarantees more effective ransomware campaigns in the future.  When organizations pay, cybercriminals will continue to increase their staff, skills, and reach.   This may be more impactful if you replace “cybercriminals” with “your competition”; why give your competition money to become more effective against you?
2. Paying the ransom could get you back up and running, but it will not remediate the original vector. We may soon see criminals offer to remediate the vulnerabilities that allowed them access, but you will still need to do a thorough analysis of your environment and remediate. This remediation may cost as much as the ransom you paid.  Plus, you are open to other attacks while your environment remains in a vulnerable state. Worse still, it’s also possible the original attackers will maintain access for a future attack.
3. There is no guarantee your digital currency payment will get your data back. Remember you are dealing with “criminals” and therefore they have no legal obligation to fulfill their end of the bargain. These criminals have also been known to reinfect later and request a higher ransom

There may be honor among thieves, but not among cybercriminals.  Once breached, you must take action to completely vanquish any trace of them from your system and then set up security protocols and programs to protect your organization from a similar attack.

How to Dodge the Bullet

Hindsight is 20/20 and the only way to truly act quickly enough is by having the necessary tools in place before an attack. If you’re lucky enough to be reading this when ransomware or a breach is still a supposition, then you have an excellent opportunity. To avoid having to make the tough choice between paying a ransom or recovering from a lockup, you must do the following:

1.    Avoid a ransomware incident altogether by having an intuitive security program in place to catch a breach before it becomes an attack.

75% of past ransomware attacks happen up to 3 days after the initial breach and could have been prevented. Proper logging and monitoring, vulnerability management, and a strong governance structure go a long way towards defending against ransomware and breach threats.

2.    Have a well-planned out, regularly tested Incident Response plan and program in place.

This is your best protection in the event of a breach — catching it immediately and having an IR plan in place that can stop the threat early in the kill-chain, before it becomes a lockup or worse.

If there is a silver lining to our recent news headlines, it is the proof that “an ounce of prevention is worth a pound of cure”.   When you consider the high level of risk associated with a ransomware attack it is important to ensure you are well prepared. Consider the following when assessing your security posture

• If a ransomware attack occurred, how long would it take our organization to identify it? Are you dependent upon a notification from a user?
• Do you have a detailed plan of engagement? This includes a rapid response plan that can be practiced along with a contact list for outside help
• Do you have the necessary tools in place to observe your full environment and shut down the spread of such an attack?

^[1]  This approach is not always recommended. Removing access is usually done as a last-ditch effort when you see attackers taking aggressive actions with your data.

CDG was created in Los Angeles, California in 2016 to address the growing demand for high-quality incident response and cloud security consulting in the marketplace. CDG is the trusted security advisor to many leading organizations across the globe and we work with our clients to deliver a holistic approach to cybersecurity. CDG seeks to understand every layer of an organization’s current security posture and assist in creating a tailored information security strategy – one aligned to business objectives and regulatory requirements which affect the business.