Ransomware Readiness and Response from NetDiligence on Vimeo.

Ransomware remains one of the most widespread and damaging cyber attack methods. With more than 55% of small and medium-sized businesses forced to pay hackers in 2019, it’s with good reason that ransomware is the number one concern of many organizations around the world.

Despite that ransomware disproportionately affects small and medium enterprises (SMEs), many remain underprepared and lack an effective ransomware response and recovery strategy.

To get a better idea of how a ransomware attack typically unfolds and the best response approach, we interviewed Devon Ackerman of Kroll, a leading provider of cyber risk solutions and computer forensic incident response.

How a Ransomware Attack Unfolds

In a ransomware attack, a cyber criminal uses malicious code to encrypt valuable files, folders, and hard-drives, or locks users out of systems entirely. Once the attacker has control of valuable digital property, they demand a payment in exchange for the decryption key needed to restore systems and data.

In our chat with Mr. Ackerman, he pointed out that savvy threat actors typically target systems on nights and weekends, when defenses are at their weakest. Even with 24-hour security systems running in the background, if no human staff are monitoring alerts, an attack may not be identified until employees are on the clock and notice something amiss.

Readily apparent indicators that a ransomware attack may be underway include:

• Appearance of new software programs
• Changed system security settings
• Inability to access files
• Inaccessible servers

After successfully taking control of a system and digital assets, an attack will typically identify themselves in a threat letter and explain the repercussions of not paying the demanded ransom. The attacker may demand a flat lump sum paid in cryptocurrency, or the ransom may be calculated based on the number of systems the victim wishes to decrypt.

The Potential Impacts of a Ransomware Attack

Having systems shut down and data encrypted can result in lost sales, damaged trust, and regulatory penalties. According to a study we conducted here at NetDiligence, the average ransomware event costs SMEs $150k, while the resulting lost-business income averages $261K.

Response and recovery expenses are far-reaching and can include:

• Restoring encrypted data from a backup data repository
• Paying out Bitcoin
• Hiring a Breach Coach^® lawyer
• Hiring a computer forensic investigation team
• Notifying clients
• Paying defense and legal costs
• Incurring regulatory punishment

As per Mr.Ackerman’s experience, in today’s ransomware attacks data exfiltration is becoming more common. In this scenario, criminals not only encrypt your data, but they also make a copy of it and threaten to publish it at a later time. This is used as a means to demand a higher ransom.

Even in the best of times, suffering from a ransomware attack can present serious business, financial, and reputational challenges. But in a business environment already stressed by the COVID-19 global health crisis, it’s all the more important to uphold cybersecurity and preserve business continuity.

Has Your Organization Prepared Its Ransomware Response?

While many organizations have a business continuity plan focused on physical world disruptions, they often lack a data breach incident response plan to deal with cyber events.

In the moments of panic following a cyber attack, the lack of a plan to guide the response can result in missteps and more severe fallout. An effective plan should structure a step-by-step process for ransomware response. Some key components of a ransomware incident response plan should detail:

• Roles and responsibilities of the internal response team
• Rules to coordinate an organization-wide response
• Contacts of third-party cyber experts
• Guidelines on whether or not to contact authorities, pay ransom, or contact affected users

But just having a plan isn’t enough. Mr. Ackerman reported that when not properly housed and maintained, even an existing incident response plan may be rendered ineffective during a ransomware attack. This can occur if the plan itself becomes encrypted and inaccessible, if the plan is out of date, or if plan execution has not been adequately rehearsed.

Especially for small and medium-sized enterprises, partnering with a third-party cybersecurity provider can be the best way to access the expertise and resources needed to build an effective ransomware response.

Why Partner With a Cybersecurity Provider?

Mr. Ackerman likened responding to a ransomware event to responding to a home burglary. If your front door is kicked in by a thief, the first thing you need to do is replace the door to prevent any additional theft of your belongings or threat to your safety. But at the same time, you need to preserve evidence of the crime to investigate what happened, what was taken, and how the criminal breached your security.

This creates numerous moving pieces and competing priorities to manage. A ransomware attack is no different—and third-party experts can bring a number of benefits to help you more effectively respond.

Prior to any breach, a cybersecurity provider can help you bolster defense, structure your response plan, and train your internal teams. These measures help to deny cybercriminals the opportunity for a break-in.

In the event of an attack, an external computer forensics team can help analyze the extent of the damage and set immediate response priorities. Especially in the vital first hour of the response, external experts can help ensure access to your plan, preserve forensic evidence, and close remaining vulnerability to stop the attack.

Ransomware threats are constantly evolving and are difficult to prevent. However, by improving cyber-readiness and maintaining an effective ransomware response strategy, your organization can manage the risk and protect business operations.

To learn more about ransomware response, contact NetDiligence today.