
What they’re saying: How to handle a ransomware attack

Experts want those in IT to know about preparing for a potential ransomware attack, and organizations’ risk levels.


Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

According to some experts, ransomware is one of the biggest cybersecurity threats facing the private sector today. It’s crucial that organizations understand the risk of being attacked and how to handle the event if it happens—including an emergency plan.

How much risk am I at? Ransomware affects “everybody left, right, and center,” according to Rishika Desai, a threat researcher and technical writer at BforeAI.

Experts like Paul Caiazzo, the chief threat officer at Quorum Cyber, agree with that assessment. He said that ransomware is “the most salient, pressing threat” for many organizations.

“There’s not a bigger, more disruptive cybersecurity threat that your average organization is going to face,” Caiazzo said. “There are some organizations that may be more concerned about espionage-related adversaries or attacks, but the ransomware scourge is so prolific that [it] doesn’t matter what size organization you are, whether or not you think you’re a target—you are a target, even opportunistically.”

Many ransomware attacks are identified and stopped before the actual ransom attempt, which makes it difficult to ascertain the attackers’ ultimate plans. However, according to Sophos Principal Threat Researcher Keith Jarvis, ransomware is “probably the largest slice” of the cybercrime pie.

Plans, plans, plans. It’s important for organizations to plan how to best deal with data held for ransom, and spend time with stakeholders to discuss a strategy to counter an attack.

Jarvis said, in a separate interview, that implementing strategies like endpoint detection and response (EDR) and other supplementary monitoring solutions can help an organization know when a bad actor has slipped through a crack.

While preventing a ransomware attack isn’t always possible, early detection is a significant way to stop bad actors from reaching a more important system or dataset once they have gained initial access, Jarvis noted.

“The key there is to have monitoring of systems, which is where [endpoint detect and response] comes in, of what’s actually happening on a critical asset like a server or an appliance that’s out on the internet,” Jarvis said. “Maybe the threat actor can successfully exploit that and land on that system and start to do the reconnaissance and post-intrusion type activity that we expect, but a lot of that stuff is going to then raise flags.”

Additionally, keeping backups on hand through methods like 3-2-1 (the practice of holding three copies of data, on two types of storage, with one copy off-site) can keep data in a protected physical location or at a separate facility, ensuring there are multiple records of the data without worrying about additional tampering.


Caiazzo said the best-prepared enterprises spend time doing the “homework in advance, usually months in advance” through things like incident response planning, tabletop exercises, and more.

“They’ll have realized, if they’re doing…tabletop exercises, that they need to ensure that, first off, technical controls like backups have been implemented robustly and are available for recovery, should they need them in the event [of] ransom impact,” Caiazzo said.

He continued: “Maybe even more importantly, the group of executive stakeholders that always is involved in a ransomware situation has gotten together and talked through the scenario so they know who’s got what responsibility.”

Too many cooks. In the case of a ransomware attack, employees may want to be helpful where they can, even if they’re not included in the defense plan. This can quickly become an issue.

“We always talk to organizations about having an incident response plan, but also exercising that plan,” Alex Rose from Sophos said. “I think it’s really important that people know their roles and responsibilities and that you communicate. Because…[when] you don’t communicate, people fill that vacuum with whatever they’re thinking and try to do that both internally and externally.”

Rose said that employees reflexively trying to help can add chaos to an already tumultuous situation. That makes it important to clearly delineate everyone’s roles in defense.

Communication. During a ransomware attack, it’s critical for stakeholders to stay in touch with different parts of the organization. Rose said that third-party incident response organizations may provide communication infrastructure, since the threat actors may attempt to compromise communication systems.

If a company doesn’t hire an outside incident response team, Rose said certain employees should be selected to notify people during an event.

“Different levels of people, or different roles and responsibilities are going to require different types of notification,” Rose said. “The big concern we have is, even if you can use some of your comm systems, it’s understanding what’s compromised…because you also don’t want to be coordinating your plan on a system that they’re able to monitor.”

TL;DR: Experts want professionals to have a plan and stick to it in the case of a ransomware attack—which means having clear responsibilities for those in the company, whether to help with the response or to continue operations in a different way.
