Managing Director at cyber incident response company Arete IR, Marc Bleicher discusses the best ways to approach a ransomware attack.
For the CIO or CISO, falling victim to a ransomware attack has become almost inevitable, but that doesn’t mean it needs to be a catastrophe.
Ransomware happens because basic security measures are ignored and the organisation has failed to prepare properly. By avoiding these common mistakes, it’s possible to make the nightmare a little more bearable.
By far the most common mistake we see is a failure to have the basic security measures in place, or what I refer to as “baseline security failures”. Baseline security failures mean not having the minimum security controls in place to protect the low-hanging fruit.
Threat actors are trying to get into your organisation; it’s happening. No amount of sheer denial is going to prevent that from happening. Are you a CEO who thinks your organisation is too small to be a target? Do you think your industry is immune from hackers? Are you hoping a simple, legacy AV tool is going to keep you safe? Think again.
How to Fight a Ransomware Attack
You need to be prepared in two ways. First, from a preventative standpoint, which means ensuring basic security controls are in place and configured properly. This will typically involve robust endpoint protection such as an EDR that uses machine learning. Traditional precautions like signature-based AV, multi-factor authentication, network segregation, locking down RDP ports that are exposed to the internet and applying the latest OS and application patches are essential, but they will not be enough to cover you fully.
The second way to be prepared as an organisation is to assume that the worst-case scenario will happen; the attacker will get past your defenses and gain access to the network. In this worst-case scenario, being prepared to recover from ransomware is vital and that starts with having regular offline backups. That way if you do fall victim to ransomware you’re reducing the overall impact on the business by ensuring that you will not be down for an undetermined amount of time.
Write an Incident Response Plan
For more mature organisations that may already have these things in place, being prepared may be as simple as having an Incident Response plan, one that addresses the who and the what at a minimum.
The “who” in your plan should define your key stakeholders who need to be involved when an incident is declared. This is usually your IT staff, like the System or Network Administrator or someone who is intimately familiar with your IT infrastructure.
Ideally your security team should be appointed as “first responders” in the event of an incident. This part of your plan should also include executive level or c-suite employees like a CISO or CIO, as well as general counsel. Have a list of who needs to be contacted and in what order, and have internal and external communication plans ready to roll out.
The “what” defines the steps that need to be taken and may also include a list of tools or technology that you will need to respond. Hopefully, you won’t need to ever use the plans. Hopefully, you’ll be one of the lucky ones. But in the event that an incident happens, you’ll want all of these ready to go.
Of course, having a brilliant offline backup strategy in place is the best way to prepare yourself for the worst case. Organisations with sound backups can and do survive a ransomware attack relatively unscathed. They will only lose an hour or so of data, leaving them space to focus on the containment and restoration of operations. This best-case scenario, however, is unfortunately more often the exception rather than the rule.
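The two backup points above (regular offline backups as the worst-case preparation, and sound backups limiting loss to an hour or so of data) both come down to a question a responder has to answer on day one: is the offline copy intact, and is it recent enough? The following is an added example, not code from the article or from Arete IR, that checks exactly that. It assumes a hypothetical layout where a backup is a plain directory with a JSON manifest of SHA-256 hashes written alongside it, and it treats a copy as usable only if every file matches its recorded hash and the copy is younger than the recovery point objective (RPO) you pass in. The sample "file server" data is constructed in a temporary directory.

```python
"""Added example (not from the article): verify that an offline backup copy is
intact and recent enough to meet a recovery point objective (RPO).

Assumptions (hypothetical): backups are plain directories, a MANIFEST.json of
SHA-256 hashes is written when the copy is taken, and the offline copy is
presented read-only for verification."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a hash for every file in the copy, plus the time the copy was taken."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "MANIFEST.json"
    }
    out = backup_dir / "MANIFEST.json"
    out.write_text(json.dumps({"taken_at": time.time(), "files": files}, indent=2))
    return out


def verify_backup(backup_dir: Path, max_age_seconds: float, now: Optional[float] = None) -> dict:
    """Compare the copy against its manifest: report missing or altered files and staleness."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    now = time.time() if now is None else now
    report = {"missing": [], "altered": [], "stale": False}
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["altered"].append(rel)
    # Older than the RPO means more data lost than the business planned for.
    report["stale"] = (now - manifest["taken_at"]) > max_age_seconds
    report["ok"] = not (report["missing"] or report["altered"] or report["stale"])
    return report


def demo() -> tuple:
    """Constructed sample: back up a tiny 'file server', then verify the copy
    intact, after tampering, and once it has aged past a one-hour RPO."""
    root = Path(tempfile.mkdtemp())
    src = root / "fileserver"
    (src / "db").mkdir(parents=True)
    (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
    (src / "notes.txt").write_text("quarterly plan\n")
    # Simulated offline copy (in practice a detached or immutable target).
    backup = root / "offline_copy"
    shutil.copytree(src, backup)
    write_manifest(backup)
    intact = verify_backup(backup, max_age_seconds=3600)
    # Simulate the copy being altered after it was taken, before a restore.
    (backup / "db" / "customers.csv").write_text("id,name\n1,mallory\n")
    tampered = verify_backup(backup, max_age_seconds=3600)
    # Simulate a copy that is two hours old against a one-hour RPO.
    stale = verify_backup(backup, max_age_seconds=3600, now=time.time() + 7200)
    shutil.rmtree(root)
    return intact, tampered, stale


if __name__ == "__main__":
    for label, r in zip(("intact", "tampered", "stale"), demo()):
        print(label, r)
```

The point of running this against the offline copy rather than the live server is the one the article makes about threat actors destroying backups first: a copy that can be reached and modified from the compromised environment is not the copy you want to rely on, and a hash mismatch here is a reason to look for an older, untouched copy rather than to restore what you have.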
There are large organisations out there with well-resourced IT and security teams who assume they have everything covered, yet they’re still in a constant battle with threat actors, threat actors who long ago learnt to go after and destroy backups as a first step in their attack.
As my good friend Morgan Wright, security advisor at SentinelOne, often says, “no battle plan survives contact with the enemy.” Sometimes, no matter how well prepared, the threat actors will find a way in. More and more, we’re seeing that these groups are meticulously well organised and are able to invest the proceeds of their crimes into further research and development, always staying one step ahead.
As soon as an incident is detected, the clock starts. The first 48 to 72 hours are a good indicator in helping determine if the nightmare is going to be short-lived, or a recurring horror that drags on for weeks, if not months. We recently concluded a case with a large multi-national company that suffered a ransomware attack, where the containment and investigation took nearly 3 months to complete. The reason was that the client assumed the technology and security controls they had in place were all they needed, and the initial steps they took entailed wiping 90% of the impacted systems before we were even engaged.
In parallel, the client also started rebuilding their infrastructure in the cloud, which hindered response efforts because it failed to address the first key step when responding to any incident: the containment and preservation of the impacted environment. Without understanding the underlying problems that led to the ransomware and then performing a root cause analysis to fix what needs fixing, you’re just setting yourself up for another disaster.
For organisations that have never been through a ransomware event, wiping everything right away might seem like the best course of action. However, there is a strict protocol that needs to be followed and that protocol includes conducting forensic investigation to identify the full extent of the infiltration.
I can’t stress enough how important it is to have well-trained hands at the keyboard, responding to the attack in these first few hours. Very quickly you’re going to want to get 100% visibility over your endpoint environment and network infrastructure, even the parts you thought were immutable. You need to leverage the technology you already have in place, or work with a firm who can bring the tools and technology to deploy. This is what we refer to as gaining full visibility, so you can begin to identify the full scope of impact and contain the incident.
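The protocol described in the last three paragraphs (preserve and contain the impacted environment, investigate, and only then wipe or rebuild) is easy to state and, as the 90%-wiped case shows, easy to skip under pressure. The following is an added example, not code from the article or from Arete IR, that encodes the ordering as a gate a response team could put in front of its rebuild step. It assumes a hypothetical set of required artifacts per host (memory image, disk image, event logs) and stores constructed in-memory byte strings in place of real collections; a host may be rebuilt only once every required artifact is preserved and still matches the hash recorded at collection time.

```python
"""Added example (not from the article): a small gate that enforces
'preserve, then contain, then rebuild' for impacted hosts.

Assumptions (hypothetical): the artifacts every impacted host must have
preserved are named in REQUIRED; artifact contents are byte strings here,
standing in for memory images, disk images and log exports."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Evidence that must exist and verify before a host may be wiped or rebuilt.
REQUIRED = ("memory", "disk", "eventlog")


@dataclass
class Artifact:
    host: str
    name: str
    data: bytes
    sha256: str = ""
    collected_at: float = 0.0


@dataclass
class EvidenceStore:
    artifacts: Dict[Tuple[str, str], Artifact] = field(default_factory=dict)

    def preserve(self, host: str, name: str, data: bytes, now: Optional[float] = None) -> str:
        """Record an artifact with its hash and collection time; return the hash."""
        digest = hashlib.sha256(data).hexdigest()
        when = time.time() if now is None else now
        self.artifacts[(host, name)] = Artifact(host, name, data, digest, when)
        return digest

    def preserved_names(self, host: str) -> set:
        return {n for (h, n) in self.artifacts if h == host}

    def verify(self, host: str) -> bool:
        """True only if every artifact for host still matches its recorded hash."""
        items = [a for (h, _), a in self.artifacts.items() if h == host]
        return bool(items) and all(
            hashlib.sha256(a.data).hexdigest() == a.sha256 for a in items
        )


def rebuild_allowed(store: EvidenceStore, host: str) -> Tuple[bool, str]:
    """Refuse to wipe or rebuild a host until its required evidence is preserved and intact."""
    missing = [n for n in REQUIRED if n not in store.preserved_names(host)]
    if missing:
        return False, f"missing evidence: {missing}"
    if not store.verify(host):
        return False, "evidence hash mismatch"
    return True, "ok"


def demo() -> tuple:
    """Constructed scenario: one host fully preserved, one host missing its disk
    image, and the first host's evidence altered after collection."""
    store = EvidenceStore()
    for name in REQUIRED:
        store.preserve("fs01", name, f"{name} image of fs01".encode())
    store.preserve("ws07", "memory", b"memory image of ws07")
    store.preserve("ws07", "eventlog", b"Security.evtx export of ws07")
    fs01 = rebuild_allowed(store, "fs01")
    ws07 = rebuild_allowed(store, "ws07")
    # Evidence overwritten after collection, e.g. by a rebuild that started early.
    store.artifacts[("fs01", "disk")].data = b"reimaged"
    fs01_after = rebuild_allowed(store, "fs01")
    return fs01, ws07, fs01_after


if __name__ == "__main__":
    for label, result in zip(("fs01", "ws07", "fs01 after tamper"), demo()):
        print(label, result)
```

The gate is deliberately dumb: it does not decide what counts as sufficient evidence, it only makes skipping preservation an explicit, logged refusal rather than something that happens by default when an administrator reaches for the rebuild button. The required-artifact list and the hashes are also what a later root cause analysis relies on, which is the point the article makes about fixing what needs fixing before rebuilding.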
Another common mistake I see in some organisations, even when they have relatively robust incident response planning and the right technology in place, is neglecting the communications aspect of the incident. It is vital to keep internal stakeholders up to speed on the incident and, crucially, to make sure they’re aware of what information can be disclosed, and to whom. Working on a large-scale incident very recently, we got a few weeks into the investigation when details began to appear in the media. Information being leaked like this can be almost as detrimental as the attack itself, especially when it’s completely inaccurate.
One part of a ransomware attack that we don’t talk about as much is the ransom itself. Paying a ransom is always a last resort and that’s the first thing we tell clients who come to us after being hit with ransomware. Our goal is to work with the client to evaluate every option available to them for restoring operations. What I refer to as “Ransom Impact Analysis” entails my team working with the client to assess the impacted data and their backups, and to perform a cost-benefit analysis of rebuilding versus paying a ransom.
What we’re trying to do is help our client assess if the impacted data is critical to the survival of the business. Sometimes, despite all best efforts, the only solution to getting an organisation back on its feet is to pay the ransom, but this is a last resort. Unlike heist movies, this doesn’t mean gym bags full of cash in abandoned car parks. This means a careful and rational negotiation with the threat actor.
From time to time, we engage with clients who have already contacted the threat actors and started negotiating themselves. This rarely ends well. As the victim of the attack, you’re going to be stressed, emotional and desperate. If you go into a negotiation before you have a full picture, you have no leverage and can end up paying more for decryption keys, or even paying for keys to systems you really don’t need back. You even risk the threat actor going dark and losing any chance at recovery altogether.
My overarching piece of advice for the CIO in the unenviable position of a security incident, is to keep calm. Be as prepared as possible. Take advice from experts and act on that advice, and remember, don’t have nightmares.