Start defining how to handle major aspects of a cyber incident response plan.
The worst has happened – you discovered your machine, or even your entire network, has been infected with ransomware. Now what?
Everyone hopes their defenses will properly protect them, but you must also be ready to deal with a ransomware infection as part of your defense strategy. Much like a fire drill, you will want to have a cybersecurity incident response plan that all key stakeholders help develop and employees can easily put into action if an incident occurs.
It’s Decision Time
Ideally your organization has a formalized incident response plan. If not, you’ve likely thought through several ransomware scenarios at some point.
Determine what state your business is in at the time of ransomware detection.
If you have set terminology in place, you and your stakeholders need to decide the defined tier or level the current situation calls for. Having a classification that everyone understands helps quickly identify the problem’s priority level and sets you off on the path you’ve outlined for each scenario.
When creating the different levels, consider defining them based on what data was encrypted and how important it is to running the business (e.g., critical data, supporting data, etc.). Also consider how much data was encrypted (all or partial). You’ll also want to have pre-defined strategies for each level outlining the priorities for returning to business as usual.
Use classification terminology that makes sense across your entire employee base. Certain terms could mean completely different things across industries, locations, etc. Regardless of the verbiage you use, communication is key. From top to bottom, your entire employee base needs to be trained on protocol if an incident occurs.
Decide if the business is down hard or if you can limp along using previously identified workarounds.
Based on the tier you selected in step one, you might already know how bad the situation really is.
“Business Down Hard” Situation
If the business is down hard, fundamental activity required to keep the business alive is not possible. Either the applications themselves aren’t available or the data processed by the applications is not available. In a worst-case scenario, both are down. A business in this situation needs to be able to rebuild through its backups. If the backups were not created using an offsite and/or offline strategy, there is a good chance the backups are unavailable as well.
Executive leadership needs to fully understand the magnitude of the situation and the options available to them. To avoid chaos and misinformation, only the designated communications point of contact should be providing updates, both internally and externally. This is where the value of an outside expert can make a huge difference – helping you understand what needs to happen, in what order, and within the appropriate time frame to quickly resolve the issue and get back up and running.
Your organization might be able to get by with the resources you still have access to or the workarounds you’ve established. You will need to triage your organization and determine the extent of the damage.
You will need to refer to your Business Impact Analysis (BIA) document, which explains in detail which applications are required and how long they can be down before the business is beyond restore. If you don’t have a BIA, you will want to create one before an incident occurs.
Next, assess the state of your backups. Any rebuild will require clean, functional backups that contain the applications needed to rebuild contaminated systems and the data needed to begin reprocessing. During the rebuild process, it’s imperative that a single individual or team is responsible for making the call that all is back to normal, not just one part of the business. Starting up too soon – before total repair is complete – can cause additional damage.
It may benefit your organization to maintain binders of printed incident response plans, the important contact information if an incident occurs, and other important documents you’ll need to access as a way to stay afloat in both the “business down hard” and “workaround” situations. You’ll need to decide where those binders reside so you can access them when you need to (e.g., can you get a binder from your office if security badges no longer work during a cyber event?) and ensure they are kept safe from anyone with ill intent.
Discuss whether or not to pay the ransom
There are pros and cons to both options here. Paying the ransom doesn’t always guarantee that you’ll get your data back, but it is returned more often than not. Cyber attackers are in it to make money, so it’s in their best interest to return your data. Not paying the ransom might save money in the short-term, but the time and resources it takes to restore and recover your data might exceed the ransom cost.
If your organization has cybersecurity insurance, call your rep right away to see what is covered. Insurance companies are increasingly opting to pay the ransom in order to help get the business running more quickly than a bare minimum recovery. They also realize it’s likely more cost-effective to negotiate and pay the ransom than to reimburse a business for the myriad costs that may be associated with recovery.
As a proactive step (before an incident), research cyber insurance options if you don’t have a policy in place or feel you need to update your existing policy. Familiarize yourself with your existing cyber insurance policy and know what it can and cannot do for you. This will help both when you develop your incident response plan and in the event a ransomware attack occurs.
Law Enforcement’s Position
Your priority is to get your business back up and running as quickly as possible and to re-establish your clients’ trust in you. Law enforcement is committed to stopping the crime and catching the criminals.
Law enforcement almost always recommends not paying. By paying, you could be telling the attackers that they’ve won, and their extortion worked. This might also indicate to other attackers that ransomware is a low-risk, effective way to make money. While you’ll want to make law enforcement aware of the attack as soon as you detect ransomware, understand that this is the position they’ll likely take.
Cyber experts are seeing a surge in requests for ransom payment via Bitcoin. It’s ideal for attackers because it’s untraceable, and the payment can’t be cancelled or retracted once sent. Your organization will want to consider having a Bitcoin wallet established and ready to fund as a proactive part of your incident response plan.
Be sure you’ve built “contact cyber insurance rep” and “contact law enforcement” into your incident response plan. You may also want to add “contact bank” as well. The sooner you get in touch with these key resources, the sooner they can start working for you.
Cases for Proper Preparation
The city of Atlanta, Georgia, was the subject of a major ransomware attack in March 2018. The attack affected utility, parking, and court services. Instead of paying the $51,000 ransom, the city decided to hire contractors to help restore and recover. To date, approximately $2.7 million has been spent, and a later estimate predicted it will cost $9.5 million total. The perpetrators have been indicted by a grand jury.
In September 2020, a European hospital experienced a network outage due to a cyber-attack. The clinic was forced to reroute patients in need of emergency care to other facilities. A rerouted patient who required immediate care died of an aneurysm after being sent to a location farther away. It has been suggested that this might be the first recorded fatality linked to a ransomware attack.
Talk to a cybersecurity expert today to discuss your incident response plan. Or take the free cybersecurity benchmarking survey to better understand your overall cybersecurity posture first.