Decide & Do: 4.5 Ransomware Actions

August 5, 2021

Are you next? Will criminals target your organization with ransomware? No one can say for sure, so prepare now.

Here are four and a half critical decisions to make – and things to do – before a crisis hits.  

(What’s half a decision, you ask? What’s half an action, you may wonder. Read to end if you want to find out).

1. Do: Have a plan

This sounds so obvious, but I have seen major organizations in business and government scrambling to respond to a ransomware attack. Your plan should include at least these elements?

Communication 

Forget E-mail
Do not rely on electronic mail: it might be out of operation. In a recent attack on a major government agency, the response team sent an e-mail to all employees – telling them that e-mail was out of commission. Yes, that happened, and yes, they really did that.

Set Up Alternative Communication Channels
Texts, good old-fashioned phone trees, personal emails and social media are all possibilities if your e-mail goes out. (Some might hope fervently for such a day, but that’s another discussion!)

Create Templates
Who communicates what, when, and to whom? How often, and under what circumstances? Who decides the message to the employees, to management, to the public? With whom will they coordinate? Write templates for these communications to save time under stressful emergency circumstances.

Update Information
Have you updated and tested the emergency communication channels? Are phone numbers, personal e-mails, and social media groups up to date?  

Business Continuity

Systems
Clearly identify in advance your mission-critical systems. If possible, make sure to have automatic fail-over systems ready to go, tested, and updated. Do users need training on the use of the secondary system, or is it transparent?

Data
Do you have backups of critical data? Are the systems viable and tested? How long does it take to access data backups? If these are required, how much data, in terms of time could be lost – a day, a week, a month?  

Time frames
Do you know, and have stakeholders agreed, on the acceptable duration (if any) of each system? How and when will you tell stakeholders, including the general public, of system outages and estimated times to return them to operation?

Containment and Mitigation

Containment
Do your security staff and technical personnel know how to limit the spread of malware? Do they have the technical skills to identify which systems are affected and which are still safe? Do they have the business savvy to know which users and systems are the most important to your organization? 

Have they practiced and rehearsed these techniques recently?

Mitigation
Does your staff know how to minimize the effect of an attack, and fix problems in real-time?

2. Do: Rehearse the Plan and Make it Fun

Rehearsing for disaster, fun? Yes, it is possible. At one Federal site, we created a game – an actual physical board game – to simulate a system outage. We pitted two teams against one another to see which team could get back online first. The losing team wanted to do it again. (That’s like asking to do a second fire drill). 

3. Decide: Will your organization pay the ransom?

The overwhelming advice is not to pay. Paying rewards criminality and provides no guarantee that your critical data will be available, or systems will come back online. Still, some organizations make the regrettable decision to pay the ransom instead of remaining offline. 

No matter what your organization decides, the time to discuss this matter is before the attack, when heads are clear, and not during the attack, when stress reigns supreme.

4. Decide: Whether to go Public, and When

Transparency equals respect. It may be painful to expose your weakness, but in the long run it helps everyone, including your own organization. However, government agencies may not be at liberty to share technical details, and over-sharing can help the bad actors. Again, the time to decide this is before an attack occurs.

4.5 Do: Have a plan.

Yes, I said it already, but too many organizations lack a ransomware plan, so it needs repeating. (This is the “half” I promised earlier.)

Responding to ransomware is difficult, but not Mission Impossible. Even so, here is your assignment, should you choose to accept it:

  • Write or update your ransomware response plan. Review and test the plan to make sure it will work and remember to make it fun!
  • Comment on this post. Please let me know from your experience what works and what’s missing or incorrect.