From the headline-making incident in May that impacted Colonial Pipeline to this month's hit on Kaseya, ransomware attacks have been nothing short of a plague on businesses in recent months. While they aren't new, they are certainly capturing the public's attention and raising eyebrows among lawmakers.
To pay or not to pay the ransom is a hotly debated issue. While most security professionals oppose paying, in certain situations it might make the most sense.
"Everyone says 'no,' but it really depends on a case-by-case basis," says Steven Schwartz, director of security consulting at Eze Castle Integration. "At the end of the day, you need to get the business back up and running. Colonial paid nearly $5 million in ransom to decrypt its computers. That was a business decision – they needed to get their pipeline back up and running."
Payment is just one of many issues to contend with while under the duress of a ransomware attack. Following are some of the common mistakes organizations make when it comes to ransomware response.
Mistake 1: Failing to Contain the Malware
Many organizations start focusing on how to recoup the encrypted data before taking the essential step of ensuring the malware does not spread further.
"The first thing [organizations] do wrong is not making sure they completely eradicated the original attack vector and getting that root cause analysis of how it started and confirming it's not expanding," says Eze Castle Integration's Schwartz. "You must make sure to clear your environment to eliminate the risk of falling victim to the same attack twice and paying a double ransom."
Mistake 2: Lacking a Solid Response Plan
An incident-response plan should be created well in advance of an attack and cover the steps a security team should take immediately after discovery. It should also call out necessary stakeholders who should be contacted.
"Lack of formal incident response processes leads to a lot of knee-jerk decisions being made, which makes matters worse," says Tim Bandos, CISO and VP of managed security services at Digital Guardian. "There is no organization that is immune to ransomware attacks, so preparing for one is critical."
Mistake 3: Having Poorly Placed Backups
Ransomware gangs are increasingly moving about networks to find backups and destroy them before they deploy the malware. If backups aren’t stored properly, you may find yourself with no backups at all.
"Organizations assume that restoring from backup will allow them to recover all data without having to pay the ransom," says Digital Guardian's Bandos. "Unfortunately, this isn't always going to be the case considering the backups need to be stored off-site and not connected to the network, free from infection. It can also take a lot of time depending on how many systems have been hit to restore each and every individual device."
Mistake 4: Making Missteps on Negotiation
Like paying the ransom, whether or not to negotiate the cost of the ransom is another controversial point.
"If an organization decides to pay, then they absolutely should negotiate the price," says Sushila Nair, vice president of security services at NTT Data Services. "[Intelligence firm] Intel471 observed a negotiation with Darkside with an earlier victim where the price dropped from $30 million to $14 million."
Digital Guardian's Bandos, however, doesn't advocate negotiating.
"We've seen historically that attempting to negotiate on payment price for a decryption key backfires," he says. "This results in the ransomware operators increasing their price by double the initial amount even. I'd recommend avoiding a negotiation or at least hiring an outside firm that specializes in dealing with these types of scenarios."
Mistake 5: Going at It Alone
As Digital Guardian's Baldos notes, it's always best to get help. While some organizations may be equipped to deal with attacks independently, many should have a third-party incident response provider on retainer to bring in when needed.
"Unless you have very mature processes and a large security team, [dealing with an attack is] probably going to be very hard," adds Mike McLellan, director of intelligence at Secureworks. "We always recommend engaging with an experienced IR provider if you suffer one of these attacks, because those providers will have dealt with dozens or hundreds of these kinds of incidents."
Ernesto Zaldivar, a computer science professor at Brown University and deputy director of Brown's cybersecurity master's program, says ransomware attacks require specialized assistance – especially to prevent future attacks.
"Your attacker might return with different ransomware and a higher ransom price as a penalty for trying to circumvent them," he says. "Access to your data is only part of the puzzle. Remediation of your system and increased defenses are part of successfully overcoming a ransomware attack in the long term."
Mistake 6: Leaving Out Law Enforcement
In addition to bringing in a dedicated incident response provider, organizations should enlist the help of law enforcement and the local FBI office.
"Not only can these investigative personnel assist with imaging compromised machines, but they may have access to decryption tools, necessary cryptocurrency to facilitate payment, or other techniques and resources to recover encrypted information," says Adam Darrah, director of intelligence at Vigilante. "By working with law enforcement, organizations may be able to help them track down the operators in the future."
Mistake 7: Waiting Too Long to Call the Insurer
Getting your insurer involved at the outset should be one of the first calls you make.
"If you have cyber insurance and don't call them but later try to collect, you can expect that you've just violated your policy and you won't see a cent," says Aiven CISO James Arlen. "Your insurance provider probably has a preference for who will handle it and how it will be handled, and you're going to be following their lead at that point."
Mistake 8: Giving In to Fear and Panic
While it is of course going to be an adrenaline-filled period dealing with a ransomware attack aftermath, keeping calm will help.
"Probably the most common mistake we see when organizations respond to ransomware attacks is giving in to emotion instead of sticking to planned incident response when an event occurs," says Wayne Johnson, an advisory senior manager in Deloitte Risk & Financial Advisory's cyber incident response team. "Following your organization's prepared incident-response plan and limiting ad-hoc reactions helps organizations respond more effectively and, in turn, return to normal business operations."
Mistake 9: Spending Precious Time Looking for Decryption Keys
Many of the experts we spoke with think looking online for decryption keys is a complete waste of time. Others, however, thought there was some slight chance of finding useful information.
"There are decryption tools available online such as the 'No More Ransomware Project.' These will work on known ransomware where the key is available," says Wayne Pruitt, a cyber range technical trainer with Cyberbit. "Most ransomware attacks are using asymmetric encryption with public or private keys. These keys are usually target-specific and the decryption key for one organization is different from another. The chances of finding the decryption key your organization needs are slim to none. If you try a decryption tool using the wrong key, you risk damaging the files beyond recovery."
Mistake 10: Not Learning From the Experience for the Future
Once you've been through an attack, it's critical to look back to figure out where your security gaps lie. Did you have a response plan in place? If not, learn from your experience and create one, says Eze Castle Integration's Schwartz.
"This helps the executives as well as IT to vet out responses and be prepared for these types of events," he says. "We've seen improvements in organizations from conducting these simulations. You must train and practice so when the unthinkable happens, you are prepared."
Neglecting to determine the root cause or entrance vector of the attack will continue to provide a backdoor to the attackers in the future, adds Digital Guardian's Baldos.
"It's very important to determine if you have a vulnerable remote desktop server or if privileged account credentials are compromised," he says. "These items need to be a part of your remediation plan if you want to neutralize the attacker's presence in the network."