Ransomware is a type of malware designed to block access to a computer system until a sum of money is paid. Typically, a ransomware attack starts with an innocent-looking email with an infected link or fake document attached. In fact, the average company received a whopping 90% of their detected malware through email, according to Verizon’s 2019 Data Breach Investigations Report (DBIR). Unfortunately, phishing emails are getting more clever every day. For example, you might get a message that looks like it’s from a known delivery company, asking you to click to get the status of a package.
A lot of people will click because we all come across emails like this on a daily basis. But if it’s ransomware, clicking will cause the malware to execute/install and then spread throughout the network, encrypting all your devices and data and locking you out. Once your system is completely encrypted, a message will appear on your screen with the extortion demand. It might go something like this: “Your network is now owned by us. You are locked out. In order to regain access, you must pay a certain amount of bitcoin and here are the instructions to do it.” There are many variations of this message and many include an exact deadline.
Bitcoin is a cryptocurrency of choice among threat actors because of the efficiency, reliability, and anonymity of the currency’s platform, as well as the perception that it’s more difficult to trace than regular money. The transaction is also verifiable by both parties because of blockchain technology. Unfortunately, most companies may not have timely access to the amount of bitcoin required by a threat actor, which is why you’ll want to have an experienced cybersecurity breach response expert to guide you. For many of our clients, it’s the first time they have ever experienced a ransomware attack.
Be Prepared With a Breach Response Plan
When you’re experiencing a malware attack for the first time, it’s easy to panic. All your business operations have been compromised and you don’t know what will happen next. So what is “best practice” during a ransomware attack?
1. Contact Your Breach Manager
Efficiency is everything when it comes to minimizing your losses from a malware attack. As soon as you become aware of the situation, you should contact your internal breach manager to activate an incident response plan. Ideally, your organization’s plan should be ‘actionable’ and accessible to all stakeholders, no matter the time of day. Your IR crisis plan should include step-by-step instructions on what to do in the event of a ransomware attack.
2. Follow Your Incident Response Plan
Typically, the first steps in ransomware removal will involve contacting the experts, such as a Breach Coach® lawyer or an external forensics provider. The person’s name and ‘hotline’ phone number should be listed in your incident response plan and they should be available 24/7 since these events seldom occur during work hours.
Once the incident response expert picks up the phone, they’ll give you immediate instructions on what to do. They might say, for example, “unplug your computer so that it doesn’t continue to spread to the rest of the network.” What’s most important is to lean on external experts when you’re in the midst of an attack because they deal with these events on a daily basis.
Strategizing an Effective Response
You have a number of options when deciding on a course of action. Will you ignore the extortion message and restore the system from backup? Or will you attempt to negotiate with the threat actor? An expert can help you determine the best strategy to minimize loss for your business. Sometimes, it’s impossible to ignore the extortion demand because you don’t have a reliable backup system in place. Or, the threat actor may have already gained access to the backups before sending you the extortion demand. Some experts say that on average, the backups are already compromised in upwards of 80% of ransomware attacks.
If bitcoin is required, then your expert can help you pay it with the funds they have available. After all, most organizations don’t keep sufficient bitcoin amounts on hand. Your Ransomware Coach can also help you negotiate with the threat actor. It is not advisable for policyholders to negotiate the extortion transaction without the guidance of an expert.
Some threat actors are fickle and, for example, may decide to arbitrarily double the amount they are requesting because the victim asked for a reduction. Some leading experts have good analytics and intel on ransomware variants and the threat actors behind them, so they will know how best to proceed if you choose to negotiate.
How to Prevent Ransomware Damages With NetDiligence
It’s clear that having a good response plan and timely access to experts is key to effectively managing a ransomware attack. NetDiligence’s Breach Plan Connect® is a cloud-based solution created to help companies address those two needs.
This online tool comes pre-loaded with a best-practices incident response plan that you can customize for your organization. It’s easy to add response team members, including third-party expert vendors that may have been suggested by your cyber insurer. It also comes with a mobile app, which offers instant access to your crisis plan and affords you the means to securely communicate with your internal management and external response team, even if company systems have been compromised.
Whether you are a business owner, DR/BC manager, IT Manager, CSO/CIO, insurance agent, lawyer, or other interested party, we invite you to contact us to learn more.