By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Over the years, we have highlighted several steps businesses and nonprofits can take to reduce the risk of a cyberattack. Most of these initiatives previously discussed are designed to prevent or significantly reduce the chance that your organization becomes a victim of a cyberattack.

However, no one can completely secure their network or reduce the risk of successful cyberattacks to zero. As such, businesses should also discuss how they would respond in the event they were impacted by an attack (either a ransomware attack that locks up your systems or a theft of data, or both). These considerations are known as Incident Response Plans. The purpose of incident response planning is to make as many decisions as possible while you are levelheaded and not responding during a stressful situation.

This article will be the first in a series of articles that examines the elements organizations should consider in developing their incident response plans. In this article, we will look at the initial questions that need to be answered to create your incident response plan to a ransomware attack.

The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

• Preparation
• Detection & Analysis
• Containment & Eradication
• Recovery
• Post-Incident Activity: Lessons Learned

Most organizations do not have the staff and experience to implement the entire framework into an incident response plan. All organizations are at risk, but small and medium-sized organizations are targeted more with ransomware because they are perceived to not be ready or have a plan in place. This is simply a guideline to follow when considering the development of that plan. First, let’s focus on preparation.

Ransomware Incident Response Plan – Preparation

The first question to answer after a widespread ransomware attack is: Are we going to pay the ransom or are we going to attempt to restore our systems from our backups? In this scenario, we will assume all systems (servers, PCs) have been locked.

Most organizations will indicate they plan on NOT paying the ransom and plan to restore their systems from backups. However, this simple decision raises a series of additional questions, including but not limited to:

• How long will it take to restore from backups and is that time an acceptable “downtime”?
• Are the backups restorable? Are we confident that the ransomware virus that infected and locked the primary systems has also not infected the backups? Are you simply re-installing the ransomware from your backups?
• Do we know how to restore from backups? Have we tested our ability to restore?
• If you are restoring from backups, have you prioritized which system needs to be restored before any others?
• Backups are based on a “point-in-time” of when the backups were taken, usually overnight. Are you able to lose potentially up to one day’s worth of data that did not get backed up before the ransomware attack?

For those that elect to pay the ransom because they want to get back in business immediately, there are several other questions that need to be asked, including but not limited to:

• How much are they asking for in ransom and is this amount less than what it would cost to recover from backups? This raises moral considerations and could affect the organization’s reputation with customers, investors, or donors if you give in to paying cybercriminals.
• Are you familiar with the bad actors requesting this ransomware? What is their reputation for honoring their ransom payments in terms of providing the keys to unlock your systems or are they going to continue to exploit you after the initial payment?
• The bad guys will expect to be paid in a cryptocurrency, such as Bitcoin. Do you know how to obtain Bitcoin or some other cryptocurrency? Do you know how to transmit the amount?

Most organizations, including even large for-profit organizations, do not have the experience to answer the last three questions. That’s why it’s important to engage your cyber insurance carrier immediately following a ransomware attack. They will connect you with the appropriate legal counsel and cyber forensic firm who have significant experience dealing with ransomware responses, including when the ransom is going to be paid.

These are the type of questions that can get you started on the development of your incident response plan. These questions should be answered proactively so the plan is well thought out and considers risk from multiple angles.

The next article in the series will discuss additional considerations for the preparation stage of your plan and begin examining the Detect and Analyze phase of the framework.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.