Security Experts:

Pitfalls to Avoid in Ransomware Incident Response Plans

Targeted ransomware attacks with larger ransom demands have persisted as a fixture of the news cycle and scourge for security practitioners and business leaders alike over the last two years. And because, unfortunately, these types of attacks show no signs of slowing down anytime soon, having an adequate incident response (IR) plan prepared is essential. Here are some common pitfalls to avoid when developing your ransomware IR plan:

1. Using a traditional incident response plan without tailoring it to ransomware

Traditional IR plans are no match for ransomware. Unlike with many other types of cyber incidents, restoring business continuity following a ransomware attack is about much more than simply re-imaging the infected machine, halting any lateral spreading of malware, and patching a vulnerability exploited in the attack. Even after you’ve eradicated all traces of the malware and persistence mechanisms, you’re still left with the damage. And this damage isn’t just a crashed server—it’s the potentially permanent inaccessibility of critical files and systems.

2. Assuming backups will eliminate the chance of having to pay a ransom to recover data

In most cases, the easiest and fastest way to recover from damage this severe starts with a secure, recently updated backup that is not connected to your network. But it’s also imperative to recognize that having such a backup doesn’t automatically guarantee you’ll be able to regain access to encrypted data without paying a ransom, if at all. Though it is unlikely, even the most secure backups can fail, and they aren’t always immune to ransomware. Many backups simply aren’t updated as frequently as they should be. Accounting for these situations within a ransomware IR plan is crucial, regardless of how or how often your organization backs up its data.
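The three conditions above (recent, isolated from the network, and actually restorable) are the ones an IR plan should be checking before it assumes a backup will avoid a ransom decision. The following is an added example, not code from the original column, that scores a constructed backup catalogue against those conditions; the catalogue fields and the freshness thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup catalogue (hypothetical systems, not real data).
# Each entry records what the IR plan needs to know before relying on it:
# when it last completed, when it was last proven restorable, and whether
# it is isolated (offline or immutable) so the same intrusion cannot reach it.
BACKUP_CATALOG = [
    {"name": "file-server-nightly", "last_success": "2024-03-10T02:00:00",
     "last_restore_test": "2024-03-01T09:00:00", "isolated": True},
    {"name": "erp-db-hourly", "last_success": "2024-03-06T13:00:00",
     "last_restore_test": None, "isolated": False},
]


def assess_backup(entry, now, max_age, max_test_age):
    """Return findings explaining why this backup may not be enough to avoid a
    ransom decision. An empty list means the backup passes all three checks."""
    findings = []
    age = now - datetime.fromisoformat(entry["last_success"])
    if age > max_age:  # not updated as frequently as the plan requires
        findings.append(f"stale: last successful backup {age} ago")
    if not entry["isolated"]:  # reachable from the network the attacker is on
        findings.append("reachable from network: may be encrypted with production")
    test = entry["last_restore_test"]
    if test is None or now - datetime.fromisoformat(test) > max_test_age:
        findings.append("unverified: no recent test restore")  # backups can fail
    return findings


def backup_readiness(catalog, now_iso, max_age_days=1, max_test_age_days=30):
    """Map each backup name to its findings, given the assessment time as ISO text."""
    now = datetime.fromisoformat(now_iso)
    return {e["name"]: assess_backup(e, now, timedelta(days=max_age_days),
                                     timedelta(days=max_test_age_days))
            for e in catalog}


if __name__ == "__main__":
    for name, findings in backup_readiness(BACKUP_CATALOG, "2024-03-10T08:00:00").items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Any backup with findings is a case the IR plan must account for, because it may leave the organization facing the ransom decision described in the next pitfall.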

3. Not being prepared to decide whether or how your organization would pay a ransom

In the event that your organization suffers a ransomware attack and restoring a backup isn’t possible, you will likely need to consider whether paying the ransom is a viable option. Since this decision is not one to take lightly and typically requires input and approval from the C-suite and potentially the board of directors, proactive planning is essential. 

Key stakeholders should convene in advance to establish your organization’s stance on ransom payment. If payment is not out of the question, stakeholders should then agree on the criteria and circumstances under which payment should and should not be considered. These might include the available evidence pertaining to the attack, the potential impact of non-payment, the ransom amount, and the estimated validity of the attacker’s claims, for example.

It’s also crucial to determine how a payment would be made. Who will be tasked with procuring cryptocurrency and through what means? Who will negotiate with the threat actor, if at all? These sorts of questions can be exceedingly difficult to answer amid an attack, which is why considering and accounting for them beforehand within your ransomware IR plan is imperative.

4. Not including the appropriate internal stakeholders and external parties

While key stakeholders from outside traditional security- and IT-related functions are integral to the success of any IR plan, they are often overlooked due to the siloed structure within which many organizations operate. Decision-makers from teams such as public relations and communications, for example, are crucial for handling matters related to disclosure, preserving brand reputation, and triaging press and customer inquiries during and following an attack. 

Additionally, decision-makers from an organization’s legal and compliance departments, as well as law enforcement liaisons or officials, are also essential. Not only can they help ensure your organization isn’t inadvertently breaking the law—anti-money laundering legislation can be of particular concern if you choose to pay a ransom, for example—but they can also help verify any cyber insurance claims you submit. And in many cases, law enforcement can also assist in investigating and attributing the attack, as well as help prevent similar campaigns from targeting you and others in the future.

Aside from law enforcement, other external parties to consider are vendors or consultants that specialize in ransomware response. Certain vendors can handle the more consequential tasks that arise due to an attack, including engaging and negotiating with threat actors, verifying the legitimacy of an attack, procuring cryptocurrency, and supporting decryption on your behalf. Establishing a relationship with such a vendor proactively—and then including the vendor’s contact information and the details of your relationship within your ransomware IR plan—can help expedite and optimize your response and remediation efforts in the event of an attack.

5. Not testing your plan in a simulated environment

Many organizations don’t realize how unprepared they are for a ransomware attack until they experience one. The undoubted chaos and stress brought on by an attack can make it exceedingly difficult to understand, much less communicate and execute, an IR plan. 

Much like a fire drill or other public-safety exercise, conducting live, simulated tabletop exercises with key stakeholders is the best way to evaluate how your IR plan would hold up during a ransomware attack. Another significant benefit of tabletop exercises is that they can reveal how prepared and suitable stakeholders are for their respective roles in the IR plan. It’s obviously always better to identify any weaknesses proactively in a simulated environment rather than during a real attack.

In the end, it’s important to recognize that organizations with even the most robust security capabilities can still fall victim to ransomware attacks. No organization is fully immune, which is why preparing for the worst is critical. And in the event that you do face an attack, having a comprehensive and well-tested IR plan can make all the difference.

Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.