By YURI KOGAN and ZEV COHEN of Ergo Oriens Crisis Management
In the ‘All Connected World’ ransomware attacks gain traction. Criminals constantly improve at monetizing their access to your network & data. They target an organization, lock up the data, and then demand money hundreds of thousands of dollars or more – in exchange for releasing it to be paid in untraceable crypto- currency. Sometimes, restoration of data from backups is possible. Bypassing the encryption is also an option, but in many cases the bad guys find and destroy backups and use state-of-the-art encryption. The attackers often create backdoors to allow future infiltrations easier, so this may not be the last time you hear from them.
What can be done? What should be done? Should you pay? And what happens when the ransom is paid? What are the guarantees the perpetrators intend to hold up their end of the deal? And how do you know that whoever just propelled your business into the stone age can actually bring it back?
Ransomware attacks are automated but certainly NOT automatic. Humans stand behind these attacks, and as this is the issue professional crisis managers and negotiators, together with an experienced technological incident response team (IRT) can minimize loss and expedite the safe return of the organization to normal operations.
Ransomware negotiations are similar to business negotiations. Similar but not the same. Timing is crucial and simply playing for time may mean the attacker will stop responding and turn to the next, more responsive, victim, leaving you with your system beyond reach. Having said that doesn’t mean the victim should rush forward and immediately pay the ransom. Time is of the essence and should be skillfully used to explore possible ways to communicate with the perpetrator. In parallel the IRT carefully assesses the situation from a technological point of view, bringing into account possibilities of overcoming the attack and resuming operations by using technological means alone.
A professional multi-disciplinary ransomware management team will navigate to the most suitable alternative, gain knowledge on the perpetrators and bring you back to safety while minimizing your losses. Using tested and proven after-action-
debriefing techniques the team will significantly improve the victim’s defenses and heighten the odds this will not happen to you again.
Are there preset protocols to follow? A list of Do’s and Don’ts? Well, ransomware attacks differ, but there are some rules of the thumb to follow.
The first and foremost advise would be – BE PREPARED. This means businesses should follow best practice protocols to defend and preserve their IT environment. Backing up data, constantly monitoring the system and the threat environment either by in-house (less likely to be done by small and medium businesses) or outsourced experts, conducting drills, penetration tests and generally educating the employees to the cyber-threat and the ways to mitigate it. Purchasing a cyber- incident insurance plan is a prudent step to take.
As all hell breaks loose, an internal assessment of the situation and checking for existing backup files and their integrity should be the first thing to do. Unfortunately, many businesses do not follow best practice methods and therefore are more vulnerable to increased damage. The possibility of the attack being internally motivated should also be looked into, but this should not be the focus of the victim’s attention. Some of these processes could be performed by an internal IT team, but the best option would be to contact an experienced cyber-incident response team (IRT). For most businesses running an internal IRT team is an expensive and mostly unnecessary function. It is worth mentioning that the internal IT team will usually specialize in the routine maintenance and operation of the IT environment while a seasoned IRT continuously monitors, researches and deals with ransomware attacks.
The next point would be to establish a communications route to the attackers. Often the attackers give an anonymized communication line to the victims over which to guide them in the process of ransom payment, as this requires crypto- currency knowledge, that most people do not routinely have.
Once communications are established, the ransom negotiator will try to verify the attacker’s ability to make the highjacked data available again. This is crucial, as experience shows that some attacks are initiated by inexperienced attackers using questionable tools and scripts capable of hijacking the data but not of bringing it back.
Next, the negotiator will initiate a communications exchange with the attacker, aiming to reduce the ransom price. This should be done in sync with the IRT experts, using the time to explore every alley, street and avenue to restoring system functionality without actually paying the ransom.
The decision of whether to pay the ransom or not should be made by top level management, taking into account not only the ability to independently restore the IT environment but also the time it would take, as for most businesses having their IT systems inoperable means financial bleeding that should be minimized. Not least of all, senior management can consider the impact of ransom payment on the financial soundness of the company. This would be also be the place to mention that in some jurisdictions paying ransom to stop a ransomware attack could be considered illegal, or at the least regulated by the authorities. An experienced legal counsel should be consulted about navigating this issue.
When the victim’s IT environment is brought back to a functional state and the incident declared closed, it would be high time to conduct an after-action-review. When conducted by experienced professionals as a transparent process aimed at minimizing the chance of future attacks and improving robustness. Rather than punishing stake holders for past mistakes, the review highlights organizational strengths to preserve, and vulnerabilities to mend, resulting in improved means and processes that protect against, and when necessary, minimize future losses to cyber incidents.