The response to an encryption attack can be very difficult. Encrypted critical data usually places a business in a crisis with no ability – or an extremely limited ability – to conduct basic operations. Too few organizations have developed incident response plans providing for contingent or out-of-band communications. Often, before consulting any incident response experts, the victim business has communicated with the attacker and revealed information that the attacker is able to leverage in negotiations. There is also often a strong organizational desire to avoid any sort of extortionate payment that, when coupled with corrupted backups and an inadequate data recovery plan, can lead to additional hours, or days, of delay. These circumstances often result in substantial down time and revenue loss – but there are ways to prevent these results.
One of the first questions an incident response expert will ask is whether there are any available backups of the critical data – in any form – that may assist in getting the business operational. Even when the answer is "yes," a two-track approach to recovery may be recommended. One track may involve the outside counsel ("breach response counsel" or legal counsel with expertise in incident response) negotiating with the attacker as the single point of contact in an attempt to reduce the ransom to something less than what it will cost to independently recover encrypted data or rebuild a network. The second track will involve urgent work by information technology personnel, assisted by digital forensics personnel, to determine whether backups can be verified and systems restored.
The negotiation can often take three days or more, factoring in the proof of the efficacy of the decryption tool and the difference in time zones between the attacker and the victim. If the restoration of data fails during this time, the decryption tool can still be purchased. Breach response counsel must be sure that all stakeholders are fully briefed, and the appropriate contingencies have been addressed so operational downtime is mitigated. Breach response counsel must also address the necessity and substance of customer communications and media holding statements all while coordinating the negotiations with the forensic response team. This is particularly true with medium to large organizations facing BitPaymer or Ryuk encryptions where the negotiations can closely resemble high-stakes commercial litigation.
The good news, if there is any, is that encryption attacks rarely involve the exfiltration of protected data sets. Assisted by skilled forensics teams, breach response counsel is often able to conclude that the ransomware attack does not trigger legal notification obligations.
Before the Storm
- The files on all of your servers and workstations are renamed something like ".pwn3d";
- Your email server has become a paperweight;
- You have no ability to track accounts receivable, issue invoices, and pay bills and employees;
- Everything you plug into any USB port on your laptop gets encrypted;
- Some employees are asking you if their W-2 information has been stolen;
- Some employees are telling customers that the North Korean cyber army is launching World War III, starting with your computers;
- Still other employees have contacted their aunts and uncles in law enforcement, and they are feeding you "good advice";
- Customers are asking why you have not responded to their urgent emails; and,
- You calculate that one day of total shutdown costs the company tens of thousands of dollars in real costs, not to mention the harm to your brand and the missed opportunities.
That is how bad Hour One of a ransomware attack can get. Some employees' personal devices are also being encrypted because they are using them for work purposes.
When a business experiences a ransomware attack, even one that leaves some vital systems operational, it will naturally experience a great deal of chaos and frustration. The best way to respond is to trigger a well-crafted response plan. If you already have a data security team (internal or external) in place, a written Incident Response Plan (IRP) for them to follow, and have already tested it by conducting a few tabletop exercises, then you can skip to the next section of this article. If not, here is a rough check list of preparation steps that you can take:
- Identify the response team leader(s). Your response team leader(s) will coordinate all of the components of your response including informing the various decision makers, notifying your cyber insurance carrier, engaging legal counsel, triggering the response team actions, scoping the situation, working with a digital forensics team, and keeping everyone updated.
- Create an out-of-band communications channel. Make sure that you have a way to contact decision makers, employees, and external entities such as vendors and customers, if your email and phones are down.
- Know the resources your cyber insurance carrier has available for you. This includes how to give notice of the event to your carrier. Do not be afraid of your carrier! Events like ransomware attacks are why you paid the premiums in the first place! Many carriers provide the assistance of skilled legal counsel and forensics teams who can lead you step-by-step through the whole process even if you do no planning at all (not recommended).
- Deploy a system for creating backups, checking backups, and restoring backups. This includes backups of all vital applications and data. Consider how licensed software will be restored or recreated. Consider not only frequency of regular backup creation and validation, but also air gapped backups. It is also important to consider how you will answer this question: how long until we are operational again? Remember, every hour that your company is down will be an hour of frustration, anxiety, upset customers, and lost revenue.
- Deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring in addition to the traditional anti-virus suite which only looks at known malware signatures, to a comprehensive information security program mapped to National Institute of Standards and Technology (NIST) family of controls or the ISO 27002 standard.
- Educate your personnel. Good password hygiene, how to spot phishing, and basic physical access controls are not just the stuff of tech blogs; they are entirely essential to modern life.
There is much more that can be done to prevent a ransomware attack, but these steps should help to give direction to the chaos, if nothing else.
Aaaaaand, you're encrypted.
Maybe it started with a successful detection and eradication of Emotet or some other credential-stealing malware. Maybe you woke up to find all of your servers are unresponsive and the files now all have the extension ".crab." Or maybe you're having the blood-chilling experience of actually watching the encryption take place in real time before your eyes... Take a breath and GO UNPLUG EVERYTHING FROM YOUR NETWORK NOW! But do not unplug your servers or workstations (laptops/desktops) from their power supplies! That could cause irreparable data loss, depending on the ransomware variant (type).
Here is the checklist for what not to do next:
- Do not contact the attacker. It is okay if you read the ransom note, but it is not okay to start communications with the attacker. Anything you say can, and will, be used against you if you end up negotiating for a decryption tool.
- Do not turn off any encrypted systems, and especially systems that are in the process of encrypting. You could lose data. You could also lose valuable forensic evidence that can help in the investigation.
- Do not communicate with anyone else – except your cyber insurance carrier and breach response counsel. You must carefully consider all communication. Want to find out if you have an unscrupulous vendor, customer, or competitor? Tell a well-intentioned employee that they cannot get to their email because you are experiencing a ransomware attack. Being accused of a lack of transparency is better than poor communication, and much, much better than erroneous communication.
Here is another rough checklist for what you should do next:
- Seal off the outside world. Disconnect everything from your network without shutting anything down. You need to prevent the spread of the malware.
- Contact your cyber insurance carrier's 24/7 incident response center. The breach response counsel and forensics team will respond immediately and guide you through the entire process, including how to close the vulnerability that started this situation in the first place. The breach response counsel also adds the benefit of protecting communications and certain records associated with the response with confidentiality.
- Assess the situation. One of the first things the breach response counsel and the forensics team will ask of you is, "what is your operational status?" Inventory the encrypted systems versus the non-encrypted systems, determine the status of vital systems (email and accounting are common vital systems), and put together a timeline of the incident. Assess the viability of restoring from backups including how long it will take.
- Inform the decision makers. These will be the people who control finances, communications/customer relations, and risk management.
- Restore systems starting with operationally vital systems. This is actually three steps taken simultaneously with the guidance of the forensics team: (1) collect forensic data to determine how the attacker got in and what the attack did while in your environment; (2) begin restoring from backups, if possible; and, (3) negotiate with the attacker for the decryption tool. Even if your backups appear to be intact, you only have a short window of time to engage the attacker and you do not want that window to close only to find out that your backups failed at 92 percent.
- Craft your messaging. While Step 5 is underway, work with breach response counsel to craft internal and external messaging that communicates in a neutral tone that you are experiencing technical issues and identifies the means to communicate with your personnel. There are many considerations present in this aspect of crisis management that could fill an entire article on their own.
- Notify law enforcement. Breach response counsel will assist you with this step. By reporting the incident through the FBI's Internet Crime Complaint Center (IC3.gov), you are assisting with the eventual arrest and prosecution of criminals, often gaining the assistance of experienced FBI cyber agents, and you are providing some peace of mind to your personnel and customers through your cooperation with law enforcement.
- Complete the forensic investigation. The forensic response team will not only help you to assure that your systems are clean and the vulnerability is secured, they will also tell you whether or not the attacker compromised any protected data sets (SSNs, financial account information, etc.) or trade secrets.
- Comply with legal obligations. There are laws that require notification of consumers whose protected data is compromised. Many of these laws carry a stiff penalty for non-compliance, not to mention the possibility of third-party lawsuits. Your company may also have contracts with customers or vendors that require you to inform them of data security incidents. Your breach response counsel will assist you with this step.
There is a reason that ransomware attacks often fall into the "kidnap and ransom" coverage of an insurance program. Although they involve computers instead of people, they are crisis events with a similar pattern and similar pitfalls. With some preparation and a level-headed response, they do not have to end in tragedy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.