What to know about today’s ransomware attacks

October 29, 2020
The global reach of the initial WannaCry ransomware attack in 2017 was staggering. Today's columnist, Jerry Bessette of Booz Allen Hamilton, offers security teams a strategy for combating the latest ransomware threats. (Creative Commons CC BY-SA 3.0)
  • Deploy a multifaceted strategy. When dealing with a ransomware attack, it’s essential to understand how the actors initiating the attack may operate. Most actors allot a certain amount of time to make contact. Organizations should use this time to activate their response team to understand the situation, evaluate, and determine how to recover strategically. What are the business implications of possibly losing data or exposing sensitive information? Would the cost of paying the ransom outweigh the cost of restoration, damage to the brand, and business interruption? Because these questions are essential to an organization's negotiation strategy, answer them before a ransomware attack occurs.

    Preparing beforehand and understanding the potential impacts will identify areas to invest in, like data backup and cyber insurance, often used to pay the ransom. In addition to a strategy, organizations should have a ransomware team ready in advance: the incident commander, threat intelligence, risk management, legal and compliance, outside forensic and negotiation provider, and outside counsel.

    Once the company activates the team and roles are assigned, take steps to ensure the team can function remotely: set up permissions and authorizations for remote access; set regular schedules for briefings and communications, since critical players are no longer able to walk down the hall to chat; and install multiple forms of secure communication, such as chat, voice, and video.
  • Know the attacker and environment. Ransomware attackers often “hide below the noise floor” before an attack by gathering information, communicating on the company’s network, and leaving malware. Understanding how attackers operate serves as the best defense. Consider the following when developing an internal and external proactive hunt program: What are the common tactics and technologies used by ransomware attackers in the industry the company operates in? Is there any unusual activity on the corporate network, for example, atypical activity tickets or unfamiliar devices? What are the environment’s vulnerabilities? Don't assume that everything is safe and business as usual on your network.
  • Have a plan. A written response plan ensures the right information gets disseminated to the appropriate parties—from incident command to front-line response, across legal, to leadership, and to the public if required. Most importantly, it increases the odds of making strategic and well-informed decisions throughout the event. This plan should also address negotiations. Conventional wisdom says never to pay a ransom to bad actors, but it’s an individual business decision unique to each victim company based upon multiple variables. Questions to consider include the following: Has the company prepared for this type of attack? How quickly can it recover? How much money does the organization stand to lose from a shutdown of business operations? Would paying the ransom violate any laws or regulations? And, does the company have a robust data backup plan, and how quickly can it restore from those backups?