Deploy a multifaceted strategy. When dealing with a ransomware attack, it’s essential to understand how the actors initiating the attack may operate. Most actors allot a certain amount of time to make contact. Organizations should use this time to activate their response team to understand the situation, evaluate, and determine how to recover strategically. What are the business implications of possibly lost data, exposing sensitive information? Would the cost of paying the ransom outweigh the cost of restoration, damage to the brand, and business interruption? Because these questions are essential to an organization's negotiation strategy, answer them before a ransomware attack occurs.
Preparing beforehand and understanding the potential impacts will identify areas to invest in, like data backup and cyber insurance, often used to pay the ransom. In addition to a strategy, organizations should have a ransomware team ready in advance: the incident commander, threat intelligence, risk management, legal and compliance, outside forensic and negotiation provider, and outside counsel.
Once the company activates the team and roles are assigned, take steps to ensure the team can function remotely: set up the permissions and authorizations needed for remote access; set regular schedules for briefings and communications, since critical players are no longer able to walk down the hall to chat; and establish multiple forms of secure communication, such as chat, voice, and video.
Know the attacker and environment. Ransomware attackers often “hide below the noise floor” before an attack by gathering information, moving through the company’s network, and leaving malware behind. Understanding how attackers operate is the best defense. Consider the following when developing internal and external monitoring and a proactive hunt program: What are the common tactics and technologies used by ransomware attackers in the industry the company operates in? Is there any unusual activity on the corporate network, for example, atypical activity tickets or unfamiliar devices? What are the environment’s vulnerabilities? Don't assume that everything is safe and business as usual on your network.
Have a plan. A written response plan ensures the right information gets disseminated to the appropriate parties—from incident command to front-line response, across legal, to leadership, and to the public if required. Most importantly, it increases the odds of making strategic and well-informed decisions throughout the event. This plan should also address negotiations. Conventional wisdom says never to pay a ransom to bad actors, but it’s an individual business decision unique to each victim company, based on multiple variables. Questions to consider include the following: Has the company prepared for this type of attack? How quickly can it recover? How much money does the organization stand to lose from a shutdown of business operations? Would paying the ransom violate any laws or regulations? And does the company have a robust data backup plan, and how quickly can it restore from those backups?