06 Jul, 2021
Handling a ransomware data extortion attack
Security commentators, such as Kevin Beaumont1, are calling ransomware an existential crisis. If not handled properly it will cripple your business. See it as the business equivalent of a heart attack.
There’s a significant chance you will experience an attack over the next five years, and when you do you will need to respond immediately to limit the damage and co-ordinate a team of experts to help you survive. The more you prepare up front, the better your chances.
An attack paralyses an organisation in the short term and recovery can take months, diverting resources and incurring unforeseen costs, not to mention the reputational damage if the incident is not managed swiftly and effectively. Furthermore, the problem is spreading and the attackers continually adapt to find new ways to defeat us. Assume the attacker has already read your playbook, your cyber insurance policy and your prevention plan, and has found a way around them.
The “new normal” means attacks are growing both in scale and in sophistication. The latest large-scale attack, against Kaseya, abused the trust placed in the software supply chain: a compromised remote-management product was used to push ransomware down to the customers of managed service providers, demonstrating that no-one is safe.2
So what can be done? Here are our recommendations on how to best prepare for and respond to a ransomware attack.
Before:
1. Make yourself into a “hard target.” Get independent assurance through scanning, vulnerability management, threat intelligence, penetration testing and regular red-team exercises. Don’t be satisfied with “good enough.” Optimise your backup recovery and business continuity management processes and ensure they work reliably: keep at least one copy of your backups offline or immutable, so that an attacker who reaches your network cannot encrypt or delete it, and rehearse full restores rather than assuming they will work.
2. Close the window of vulnerability. Rebuild your network, systems, authorisation and authentication around a “Zero Trust Architecture,” in which no user or device is trusted by virtue of its network location and every request is authenticated and authorised. This is a large and complex undertaking, but it is highly effective. See the NIST guide (SP 800-207), which provides several deployment use cases.3
3. Implement technical and organisational measures to reduce the chances of a data breach and limit the potential damage. Your IT people will know what to do (e.g. Multi-Factor Authentication, Password Manager), but may lack the resources to implement them. This needs to be a priority; invest in the resources they need for the job.
4. Improve identity and privilege management systems. Identify and track your data assets and make labelling and data classification mandatory. Focus on doing “the basics” as well as you can. Make people responsible and hold them accountable. The Board must ensure you have the resources you need: people, technology and time.
5. Don’t make the mistake of limiting planning to technology stakeholders. Get everyone involved, from legal to comms and business colleagues at all levels. Plan carefully and prepare for the incident by running workshops, simulations, and audits. Prepare detailed incident response plans and playbooks. Practice regularly.
6. Build a “human firewall” by training, drilling and nudging your employees and any third parties with privileged access; this is less a technology problem than one of behavioural psychology. Strengthen resilience by running an effective counter-influence campaign and make it business as usual. Most ransomware attacks start with phishing, so don’t end up as bait. This may require a substantial cultural change within your organisation, so make sure an experienced Change Manager is on the team.
7. Audit your supply chain and require them to audit their suppliers too. Learn what “good” looks like.
8. Work with your insurance company to follow their guidance, then go beyond.
After:
1. Avoid paying ransoms at all costs. Payment buys no guarantee that you will receive a working decryption key or that any stolen data will be deleted, and it just encourages your attacker to do better next time. Reduce the financial incentive and the criminals will go after a softer target.
2. Have network forensics experts available 24x7. You need to know the baseline of what is normal in your network so that deviations stand out. With the right tooling in place you should be able to track an attack in real time and deploy countermeasures, such as isolating affected hosts and network segments to stop the attackers’ lateral movement.
3. Fine-tune your processes for rapid reaction. Use tools that monitor network traffic alongside host-based agents, and correlate the events from both sources, using AI/ML4 where it helps, so that serious incidents are escalated and acted on quickly.
4. After the incident is over, deep dive into “lessons learned” and retool and retrain as appropriate. Eliminate every trace of the attacker, including the initial access vector and any persistence they left behind (new accounts, scheduled tasks, remote-access tools), and ensure that all the holes in your defences are plugged.
5. Drive collaboration and accountability with new and incumbent IT suppliers as it’s their software and systems that you need to help fend off future attacks.
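The monitoring and correlation described in points 2 and 3 above, as an added example that is not part of the original article and not the authors’ or any vendor’s tooling: it learns a per-host baseline of admin-port fan-out from a known-clean period, then flags lateral movement (one host suddenly reaching many others over SMB/RDP/WinRM), mass renames to a single new extension and shadow-copy deletion from host-agent events, and declares an outbreak on any host that raises two or more independent signals. The log formats, thresholds, field names and all sample telemetry are constructed assumptions.

```python
"""Correlating host-agent and network-flow events to catch a ransomware outbreak.

Added example for this page, not the authors' tooling or any product: the log
formats, thresholds and all sample events below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

ADMIN_PORTS = {445, 3389, 5985}   # SMB, RDP, WinRM: usual lateral-movement channels
WINDOW_SECS = 300                 # five-minute detection window (assumed)
RENAME_THRESHOLD = 20             # renames to one new extension per window (assumed)
FANOUT_MULTIPLIER = 3             # distinct targets vs. learned baseline (assumed)
MIN_FANOUT = 5                    # never alert below this many targets (assumed)
OUTBREAK_SIGNALS = 2              # distinct signals on one host before we isolate it


@dataclass(frozen=True)
class Alert:
    host: str
    kind: str     # lateral_movement | mass_rename | shadow_copy_deletion | ransomware_outbreak
    detail: str


def _admin_fanout(flows):
    """(src, window) -> set of distinct hosts contacted on admin ports."""
    fanout = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport in ADMIN_PORTS:
            fanout[(src, ts // WINDOW_SECS)].add(dst)
    return fanout


def learn_baseline(clean_flows):
    """Per source host, the largest admin-port fan-out seen in any window of a clean period."""
    baseline = defaultdict(int)
    for (src, _), dsts in _admin_fanout(clean_flows).items():
        baseline[src] = max(baseline[src], len(dsts))
    return dict(baseline)


def detect_lateral_movement(flows, baseline):
    """A host reaching far more peers on admin ports than its baseline in one window."""
    alerts = []
    for (src, win), dsts in _admin_fanout(flows).items():
        normal = baseline.get(src, 0)
        if len(dsts) >= max(MIN_FANOUT, FANOUT_MULTIPLIER * normal):
            alerts.append(Alert(src, "lateral_movement",
                                f"{len(dsts)} hosts on admin ports in window {win}, baseline {normal}"))
    return alerts


def detect_mass_rename(host_events):
    """Many files on one host renamed to the same new extension within one window."""
    counts = defaultdict(int)   # (host, window, new_ext) -> number of renames
    for ts, host, kind, old, new in host_events:
        if kind != "FILE_RENAME":
            continue
        old_ext, new_ext = old.rsplit(".", 1)[-1], new.rsplit(".", 1)[-1]
        if old_ext != new_ext:
            counts[(host, ts // WINDOW_SECS, new_ext)] += 1
    return [Alert(host, "mass_rename", f"{n} files renamed to .{ext} in window {win}")
            for (host, win, ext), n in counts.items() if n >= RENAME_THRESHOLD]


def detect_shadow_copy_deletion(host_events):
    """Deleting volume shadow copies is a common precursor to encryption."""
    return [Alert(host, "shadow_copy_deletion", cmdline)
            for _, host, kind, cmdline, _ in host_events
            if kind == "PROCESS" and "shadow" in cmdline.lower() and "delete" in cmdline.lower()]


def correlate(alerts):
    """Hosts raising two or more different signals are declared an outbreak: isolate them."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a.host].add(a.kind)
    return [Alert(h, "ransomware_outbreak", "isolate host; signals: " + ", ".join(sorted(k)))
            for h, k in sorted(kinds.items()) if len(k) >= OUTBREAK_SIGNALS]


def run_detection(clean_flows, flows, host_events):
    baseline = learn_baseline(clean_flows)
    alerts = (detect_lateral_movement(flows, baseline)
              + detect_mass_rename(host_events)
              + detect_shadow_copy_deletion(host_events))
    return alerts + correlate(alerts)


# Constructed sample telemetry. Flows: (ts, src, dst, dport). Host events: (ts, host, kind, a, b),
# where a/b are old/new path for FILE_RENAME and command line/"" for PROCESS.
CLEAN_FLOWS = ([(t, "ws-12", "fs-01", 445) for t in range(0, 3600, 600)]
               + [(t, "admin-01", f"srv-0{i}", 3389) for t in range(0, 3600, 900) for i in (1, 2, 3)])
ATTACK_FLOWS = ([(10000 + 15 * i, "ws-12", f"ws-0{i}", 445) for i in range(1, 9)]   # fan-out to 8 peers
                + [(10050, "admin-01", f"srv-0{i}", 3389) for i in (1, 2, 3, 4)]    # admin, near baseline
                + [(10060, "ws-12", "203.0.113.9", 443)])                           # egress, ignored
HOST_EVENTS = ([(10030 + i, "ws-12", "FILE_RENAME", f"\\\\fs-01\\share\\doc{i}.docx",
                 f"\\\\fs-01\\share\\doc{i}.docx.locked") for i in range(25)]
               + [(10040, "ws-07", "FILE_RENAME", "C:\\report.txt", "C:\\report.bak"),
                  (10020, "ws-12", "PROCESS", "vssadmin.exe delete shadows /all /quiet", "")])

if __name__ == "__main__":
    for a in run_detection(CLEAN_FLOWS, ATTACK_FLOWS, HOST_EVENTS):
        print(f"[{a.kind}] {a.host}: {a.detail}")
```

Run on the constructed telemetry, this raises all three signals for ws-12 and then a single ransomware_outbreak alert naming that host for isolation, while admin-01 (whose fan-out of four is within three times its learned baseline) and ws-07 (one ordinary rename) stay quiet. The point of the correlation step is the one made in the article: any single signal has benign explanations, but a host that is both deleting shadow copies and fanning out over SMB is worth cutting off the network first and investigating second.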
Ransomware is the new, disruptive IT unicorn business. It also happens to be illegal. Work with your industry leaders and elected representatives to tackle the problem at a political and business level, since technology has failed the moment the ransomware strikes.
This is a global problem and requires a highly-coordinated global response. The attackers (whether you call them hackers, actors or antagonists) are criminals, and should be treated as such.
Paul Gillingwater and Alex Williamson are part of Chaucer’s Data and AI centre of excellence where they lead on a number of key client issues and concerns including responsible data, privacy and data security.
A recording of our recent webinar on handling a ransomware data extortion attack is available.
2. Kaseya ransomware attack: Up to 1,500 orgs hit in supply chain hack (verdict.co.uk)
3. Zero Trust Architecture (nist.gov)
4. Artificial Intelligence and Machine Learning, used to correlate security events from log files.