Question: What are some of the must-have steps in a ransomware response plan?
Liam O’Murchu, director, Symantec Security Technology and Response Group: Unfortunately, it's still necessary to emphasize that people need to have a plan, and that the plan needs to be an organization-wide plan – not just a security team plan. Often the business recovery plan does not take this type of incident into account. We also see that all companies have data backup plans, but not all have tested those backups. An active ransomware attack is not the time to discover a flaw in your backup strategy.
Recent examples have shown that although companies had an accurate and available backup of their data, it would take weeks to restore the data, forcing companies to pay the ransom to expedite business recovery. The response plan should specify what teams need to be involved and what their responsibilities are. It is important that teams have practiced their roles in advance so that execution can happen quickly when needed. The plan should emphasize immediate action to limit the spread and damage of an attack, frequent and clear communication on current status and actions, and the commencement of an analysis of the intrusion. Recovery will be hampered if the attacker can return during that period. In many cases, machines need to be turn off or isolated, credentials need to be changed, patches need to be applied, and analysis needs to be completed before even considering restoring data.
A common step we see missed is not having tested and practiced the response plan. Speed is of the essence when a ransomware attack is in progress, and teams need to clearly know what their role is and their key contacts in the organization so they can execute efficiently and access the resources they need.
The plan should, of course, start before an incident escalates to a widespread problem. Now that ransomware gangs are decreasing their dwell time, some moving from intrusion to encryption in just a few hours, there needs to be an increased focus on protection rather than detection. Ransomware gangs have also started to respond quickly to vulnerability announcements and are rapidly using exploits shortly after patches for the vulnerabilities are released. We have seen many cases where organizations were on the path to patching but the attackers exploited the system first. Many organizations are not aware of this increase in speed from ransomware gangs. The huge ransom payments we have seen recently, reportedly up to $40M, have incentivized ransomware gangs to move ever faster with their attacks. Many organizations have not factored that into their response planning.