Ransomware has rapidly evolved from a nuisance to a commoditized ecosystem of organized crime. A ransomware attack has the power to decimate an organization but paying a criminal does not have to be a foregone conclusion, provided that the victim company has taken the measures necessary to reject the extortion.
It is as important to prepare for a ransomware attack as it is for any natural disaster or crisis. The key to being able to reject a ransomware demand and minimize business interruption is a ransomware-specific resiliency plan that allows for a business-driven response rather than a response propelled by the pressures applied by the attackers.
Decisions to pay a ransom are difficult and can be complicated by legal constraints or public scrutiny. A victim company may become front-page news or may face uncertainty around the legality of payments as states propose legislation to restrict or ban payments, and ransomware actors are found to be linked to sanctioned entities and nation-states. Understanding and preparing for the risk gives the victim company not only presence of mind but offers operational contingencies and confidence to reject a ransom. Below are some tips on how to alleviate immediate pressures created by ransomware attacks.
Ransomware Is Duress by Design
Many companies assume that having viable backups is a panacea in preventing a ransom payment. However, attackers leverage more than just encrypted files to induce payment. An attacker may leak information to the media, pressure supply chain partners, and/or levy personal threats on employees and executives to extract the largest possible ransom.
Companies with the means to recover from an encryption event may choose to make a payment to suppress an attacker from publicly posting the sensitive exfiltrated information, or to thwart a threat to create division between the company and its clients by leveraging the exploitation of client sensitive data. The pressure tactics are endured under a countdown clock that acts as a timed ultimatum: If payment is not made within a few days, the attacker threatens to make good on the threats.
Ransomware Resilience Turns the Odds Against the Extortionists
Ransomware resilience requires a combination of crisis management planning, business continuity/resiliency program build, and disaster recovery planning. The solution counters each point of leverage an attacker can impose with an objective to recover with speed and efficiency, without contributing to the extortion cycle.
When attackers threaten to expose stolen information as leverage on top of the encryption event, a crisis management plan alleviates the resulting pressure points. It provides modeling for the access and exfiltration of information so that there is an understanding of appropriate communications with partners, clients, employees, and regulators.
Establishing a repeatable approach to internal and external communications allows a victim company to withstand high-pressure tactics such as doxing, attacker press releases, or email threats to a company’s executive team. It also provides a framework for identifying and responding to attackers that may be restricted or prohibited from payment.
Attackers understand that the greater impact the ransomware event has on the victim company’s ability to operate, the more likely they are to get paid. A business continuity plan (BCP) is an offensive step to keep the operations running while under attack, so that a company no longer must weigh the revenue lost during rebuild versus the cost of a decryptor. Attackers will intentionally create an environment where it appears that paying for a decryptor is the only viable option in restoring critical systems and applications needed to run the business. A BCP will help the victim company through that analysis, as it finds alternative ways to manage critical processes during an attack.
A BCP will first provide a baseline assessment of the network and then build the ability to continue operations during a ransomware event. This will include a full accounting of assets and network data mapping. It will also include a business impact analysis so a company can understand and apply variables that may trigger costs in an attack. The program may recommend building a digital twin of the network in the cloud so that operations can resume in another network while the rebuild is underway. Identifying and implementing measures to protect backups from attackers—particularly privileged administrator access—is crucial for ransomware resilience. The continuity plan allows a victimized company to operate and organize during the extortion event.
When implementing a BCP a company should simultaneously implement its disaster recovery plan. A disaster recovery plan will provide well-defined, step-by-step actions that ensure containment and eradication while driving network restoration efforts. For example, the plan will specify who must execute designated duties, in what order, and at what time. A plan will also prioritize critical assets so that the most valuable parts of the network come back online first, thereby limiting interruption and the effects of the attack.
Unlike other systems outages, a ransomware-specific disaster recovery plan will address the encryption of business-critical systems and data. With a practiced plan established, a prepared company can confidently communicate to its stakeholders and shareholders that there are alternative methods to resolving an attack. Preparation allows the victim to communicate with confidence and from a position of strength.
Preparation Can Mean Reducing the Overall Loss to a Company
Look at other facets of your organization. The ones that are truly prepared are the ones that effectively weather disruptions. Engagement at the board level regarding ransomware readiness has never been higher, often applying the same demands to business resiliency as they do to financial solvency.
Companies that adequately prepare for and, in turn, confidently respond to ransomware events in the future are those who have made network resiliency a priority. Cyber resilience should be an integral part of business strategy woven into every step of the product, service, or mission journey. Leadership is critical to driving that integration and ensuring that effective network resiliency and crisis response strategies become an integral part of the corporate culture.
There is a good possibility that most organizations will face the pressure of a ransomware demand at some point during their continued operations. Having an integrated business continuity plan that is continuously stress-tested and updated can help reduce or even eliminate the pressures ransomware attacks create.
To learn more or to get started building your BCP, reach out to our ransomware experts.