Practice Innovations: How to survive a ransomware attack

Don Philmlee  Technology Strategist

What steps can companies and law firms take to better survive a ransomware attack? Prior planning and open communication with all stakeholders is a good start.

In 2021, 37% of businesses were hit by ransomware — that’s almost 4 out of every 10 businesses.

Back in the early days of ransomware, an attack would just land on your computer systems, encrypt your data, and present a ransom demand. Today, however, ransomware attacks have evolved. Now a ransomware attack may first steal your data before encrypting it. So, if you don’t pay the ransom, sensitive data is released to the public — and, even if you do pay the ransom, the hackers can make a second ransom demand in exchange for deleting the data they are holding (which they may or may not do). To make matters worse, recent ransomware attacks have also attempted to search out and destroy the victims’ backup systems.

Ransomware is not just something that happens to large businesses or large law firms either. Indeed, ransomware attacks are shifting to smaller organizations in order to stay under the radar of law enforcement, according to cybersecurity firm Coveware.

While there is a multitude of advice about how to prevent this from happening to your organization or law firm, it may be more useful to learn about what happens when you are attacked and how you can walk through your ransomware fire and come out the other side.

What do you do in a ransomware attack?

Given the likelihood of a ransomware attack, it is important to understand what to do when a ransomware attack occurs and how to better prepare your firm and its people.

There are different variations of ransomware attacks, but typically an attack will leave your systems operational, instead choosing to encrypt and rename your files. Initially you likely won’t know your data is being compromised by a ransomware attack until it is too late. Sometimes a ransom note is left in your files, or an email is sent to notify you.

Work your plan

Once you know you have been attacked, it is critical to already have a ransomware incident plan to follow. Ideally, your ransomware response should follow a well-prepared playbook. Everyone at each level of the organization or firm should know their roles and responsibilities. The easiest place to start is by modifying your business continuity plan or an incident response plan to include ransomware or other cyber-attacks.

Your plan should include enough detail and flexibility to help your cyber-team identify and contain the attack. The plan should also include a communications component that outlines the parties that your organization is obligated to alert by law as well as a strategy for media communications. Review your plan with your management, your cybersecurity team and ransomware experts.

Having a defined set of step-by-step plans to detect, respond to, and recover from ransomware will be essential. Time will be critical, and many actions will need to be undertaken simultaneously, including:

      • Identify and contain the attack — Your cybersecurity team should immediately start trying to determine what happened and containing the attack. Once the root cause is determined and contained, you need to eradicate or mitigate whatever caused the attack so it cannot recur. Then, recovery efforts can start when you are ready. Finding the root cause is critical as it is highly likely you will be subject to a second attack once the incident has been made public.
      • Engage your ransomware negotiator — A ransomware negotiator is an expert who can help guide your organization through the vicissitudes of an attack. And as the numbers of ransomware incidents have grown, consultants with ransomware expertise have appeared to help navigate an attack. Find a negotiator who understands threat actors, motivations, and strategies. These negotiators need to have experience working in crisis situations, but more importantly they need to work with your firm seamlessly without getting in the way.
      • Communicate, communicate, communicate — Now is not the time to shut down and shut up. As a victim of ransomware, you may be obligated to inform various interested parties including law enforcement, employees, customers, business partners, insurance companies, members of the media, and the public. Most critically, you need to inform the FBI’s Internet Crime Complaint Center, your insurance company, and your internal or external legal counsel (in case the attack precipitates litigation).
      • Pay the ransom? — The number one question during an attack is, should you pay the ransom or not? Typically, your ability to recover from a ransomware attack determines whether the ransom should be paid. Ultimately, firm management and your cybersecurity team need to determine whether data cannot be recovered in an appropriate timeframe. If that’s the case, it might be wise to pay the ransom. However, if the firm has implemented good security measures to detect, prevent, and recover from a ransomware attack, paying a ransom may be avoided.

Then, even if you have contained the attack or chosen not to pay the ransom, it’s important to remember that the ransomer may have collected your critical data before encrypting it. If you choose to not pay, the ransomer may further blackmail you by threatening to release the captured data to the public.

When it’s done, review your performance

Now it’s over, heave a big sigh of relief and start reviewing your performance. How did your organization respond? What could have been improved before, during, and after the attack? Document this analysis and make whatever changes are needed for the next time.

It also might be wise to hire a third party for this assessment. Your internal security group is a valuable part of your ransomware response, but getting an external opinion about what happened and what could be done better may be valuable.

What you should do right now — get ready!

Besides the earlier suggestions of creating a ransomware response plan and hiring a ransomware negotiator, there are other actions you can take to prepare now for any future attack, including:

      • Make sure you have good backup — Make certain you have a long history of verified backups available and that some of the backups are stored off-line. Ensure that your backups are frequent enough to minimize the impact of a ransomware attack and are able to be used to do a complete re-build of your environment if negotiations fail.
      • Make sure you have good insurance — Solid insurance coverage can be used to mitigate some of the impact of a ransomware attack. Talk to your insurance company on a regular basis about what is covered and what is not.
      • Understand your obligations — Who must you involve in your attack response? It can be the government, clients, anyone who has lost data, law enforcement, and more. Work with experienced legal counsel and subject matter experts to discern and understand your obligations before you are under attack.
      • Test your firm — Simulating a ransomware attack is a good way to test your response and discover any potential problems in your incident response plan. Just as you should test your disaster recovery plan, you should test your ransomware response plan.
      • Monitor your online footprint — It is also critical to carefully and actively monitor any data publicly available regarding your company or firm. Ransomware actors may seek to discover as much as possible about your organization as they assess the profitability of an attack on your organization, so be conscious of what you are disclosing publicly.

Lastly, learn how other organizations handled their own ransomware attacks. The National Council of Information Sharing and Analysis Centers allows organizations to share information and experiences regarding information security concerns in a safe and discreet setting.

While there are no silver bullets, it’s not impossible to defend your firm or business against a ransomware attack if you plan and prepare for it.
