How to communicate during a ransomware attack
Who should be the first to know? Experts have some mixed opinions.
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
Your organization’s been hit by a ransomware attack—who do you call first?
It can be difficult to know who to contact when your organization’s data is held for ransom, to the point where even experts disagree. Should the stakeholders know first? What about law enforcement, or threat-response professionals?
Do you have cyber insurance? A victim’s first call or email depends on whether or not they have cybersecurity insurance, according to Paul Caiazzo, Quorum Cyber’s chief threat officer. If they do, calling a broker is the first step.
Mike Hamilton, former field CISO for cybersecurity solution provider Lumifi and current chief technology officer for PISCES international, previously told IT Brew that organizations should immediately call their cyber insurance provider, as the latter typically has a response team on contract to deploy.
As part of their strategy, insurance companies will typically decide whether or not to pay the ransom to the threat actors. The ultimate goal is to get the organization out of the ransom situation as soon as possible, Hamilton said.
Law enforcement must be notified at some point about the crime. If an organization uses a cybersecurity firm that deals with ransomware or other threats, Caiazzo said, that firm will take on the task of reaching out to the police.
Talking to the enemy. In ransomware situations, Caiazzo said victims should not be required to negotiate with cybercriminals, even if they’re presented with the opportunity to converse via a link.
“By going to the threat actor’s page, they’re going to be able to learn some things about you, and there’s a potential for additional risk to come to you as a result of that,” Caiazzo said. “If you say the wrong thing in those negotiations, you can really just derail the entire thing very quickly, you’ve got to be delicate with it.”
He said that the threat actor will most likely apply pressure on the victim. Threat responders are trained to help counter that pressure.
Once attackers reach out, organizational heads with the necessary authority to negotiate should do so—but only after communicating with your legal department and cyber insurance provider. Incident response can take many forms, including using third-party companies to conduct negotiations.
Mike Puglia, GM of cybersecurity labs at Kaseya, told IT Brew that outside help can do a lot to project confidence and help to manage the complexity of the cyberattack.
“It is worth bringing them on and into your incident response, because that’s what they do all day—they know the different groups,” Puglia said. “They have a history of how to do it, and what to handle.”
Telling tales. When should a company tell stakeholders and the public about an attack? Should it be as soon as your organization detects an anomaly? Rishika Desai, a threat researcher and technical writer for BforeAI, believes so.
“There can be different phases to that. For example, in some companies, what I have seen is they set up a dedicated page and they give their timely updates,” Desai said. “You can give [stakeholders] timely updates as and when it’s necessary. At least it gives a confidence to the stakeholder that there is some momentum going on in mitigating the damage that has been caused.”
Alex Rose, the global head of government partnerships and the counter threat unit team at Sophos, disagreed (kinda) and told IT Brew that communicating with those outside of the organization depends on the company.
For example, a healthcare provider may communicate differently than a legal office when experiencing a ransomware attack. Additionally, publicly traded companies or organizations that operate certain utilities may have legal obligations for public communication.
“You’re really thinking through, what are your legal obligations, your regulatory obligations, your duty to serve the constituency that you might support,” Rose said. “To be honest, some of those people need to be communicated to before others, because you don’t want to add more chaos to a situation—you don’t want to really freak people out.”
TL;DR: If an organization does have cybersecurity insurance, industry leaders believe that the first call during a ransomware attack should be to the cyber broker. Experts agree that organizations should communicate with whoever will help them during a ransomware attack, such as their cybersecurity vendor, as well as those with a vested interest in resolving a ransomware crisis, including the corporate IT team.