Five things organizations don’t consider before a ransomware attack

[Image: representational image of a cybercriminal. Credit: Pixabay]

Ransomware is generally considered to be one of the greatest threats facing organizations today. Following the release of the recent report on ransomware by the National Cyber Security Centre, the Rt Hon Tom Tugendhat, Minister of State, said ransomware attacks are evolving and that “the rollout of ransomware as a service means an advanced knowledge of computing is no longer needed to reap havoc; criminals are able to access software that will do much of the hard work for them.”

Despite the heightened threat, awareness of the true risk posed by a ransomware attack remains low, with many organizations operating without incident response plans and rarely or never testing their cyber defenses. Many will be aware of some of the more high-profile ransomware attacks, such as the MOVEit compromise, arguably the largest hack of the year, which impacted several large UK organizations, but are likely to assume that their size protects them from being targeted - particularly if they are smaller.

This isn’t the case: all organizations, large and small, need to be aware and prepared.

When hit by ransomware, the victim has little breathing room to act, respond and mitigate. Preparedness goes beyond the direct incident response plan. Organizations also need to be asking questions like: Do we have a resource plan for an extended period of response and recovery? What if our CISO happens to be on holiday? What if the backups are compromised? Based on our experiences on the frontline, here are five common things organizations don’t think about before a ransomware attack.

Stuart McKenzie, Head of Mandiant Consulting for EMEA.

How do you keep the team motivated during an attack?

When a ransomware attack strikes, organizations run out of people before they run out of money or any other resource. Responding to a ransomware attack is more akin to a marathon than a sprint: organizations often underestimate the toll it takes on the day-to-day operations they take for granted.

Ransomware recovery can be a long-haul operation, so it's essential that those on the frontline responding to the threat are motivated, supported and equipped with the right tools should the incident persist for a long period of time. Maintaining calm in the moment of crisis, by ensuring the response team is well equipped and ready for the long haul, is crucial when responding to a complex cyber attack.

How are you going to communicate with the network down?

Organizations often don’t consider that they have only limited means of communicating. Should all of the usual systems go offline, or should you be concerned that an attacker controls them, having no emergency alternatives can be debilitating. One of the first areas a threat actor will target is an organization's communications infrastructure; losing it is an unexpected and frustrating side effect of systems going offline that many don’t plan for. In doing so, attackers sow confusion and massively delay the incident response.

Our recent M-Trends report found that perimeter devices accessible from the internet - including firewalls, virtualization solutions and virtual private network devices - remain a highly sought-after target for attackers. By accessing virtualization platforms, ransomware attackers can rapidly encrypt many virtual machines without needing to log in directly or deploy encryptors within each machine.

In any crisis scenario, communication is key, but organizations often assume that they will find a way. If chat, email and other corporate communication channels are down, it has a sizable impact on maintaining normal business operations, as well as on communicating with staff about the development of the incident and the response. Particularly in a world of increasingly dispersed workforces, ensuring the right messages get to the right people is critical. Organizations' contingency plans for a ransomware attack should always include information on the lines of communication to use when systems are down - and make sure that information is not stored only on the network which has just been disabled by the attackers.

How accessible are your backups?

No matter how comprehensive a backup is, it is useless if access to it is denied by the ransomware attack. It seems obvious, but many organizations believed they could rely on backups that they had stored too close to the originals. Attackers often target backups to prolong an attack and exert the maximum amount of pressure on a victim. Organizations which operate entirely in the cloud are especially vulnerable to this. An ‘old-school’ approach is often the best answer: a hybrid of physical copies of backups and versions in the cloud, so your eggs aren’t all in one basket.

There are of course considerations to be made when organizing these backups - it can be costly to collect and upload data at regular intervals - but ultimately it provides another line of defense. Effective offline backups often mean that the impact of a ransomware attack can be mitigated swiftly and systems can be reinstalled before major damage to the organization is incurred.
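The two failure modes described above, copies that sit on the same network as the originals and backups that nobody has actually restored from, are both checkable. The script below is an added example, not code from the article or from Mandiant: it audits a constructed backup manifest (the field names and the 90-day restore-test threshold are assumptions of this example) and shows the kind of integrity check a restore test should perform.

```python
"""Audit a backup manifest for 'eggs in one basket' and stale restore tests.

Added example; the manifest format and thresholds are assumptions, not a
product or project convention.
"""
import hashlib
from datetime import date, timedelta

# Constructed sample manifest. Each copy records the medium it lives on,
# whether a host on the production network could reach (and so encrypt or
# delete) it, and when a restore from that copy was last exercised.
BACKUP_MANIFEST = {
    "finance-db": [
        {"medium": "nas", "reachable_from_prod": True, "last_restore_test": "2024-05-01"},
        {"medium": "cloud-sync", "reachable_from_prod": True, "last_restore_test": "2024-05-01"},
    ],
    "file-shares": [
        {"medium": "nas", "reachable_from_prod": True, "last_restore_test": "2024-04-20"},
        {"medium": "tape-offsite", "reachable_from_prod": False, "last_restore_test": "2024-04-20"},
    ],
    "erp": [
        {"medium": "cloud-immutable", "reachable_from_prod": False, "last_restore_test": "2023-09-01"},
    ],
}


def isolated_copies(copies):
    """Copies that an attacker holding the production network cannot reach."""
    return [c for c in copies if not c["reachable_from_prod"]]


def audit_manifest(manifest, today="2024-06-01", max_age_days=90):
    """Return {dataset: [issue, ...]} for every dataset with a finding.

    A dataset is flagged when none of its copies is isolated from the
    production network, or when its most recent restore test is older than
    max_age_days (a backup nobody has restored from is an untested backup).
    """
    today = date.fromisoformat(today)
    findings = {}
    for dataset, copies in manifest.items():
        issues = []
        if not isolated_copies(copies):
            issues.append("no copy isolated from the production network")
        newest_test = max(date.fromisoformat(c["last_restore_test"]) for c in copies)
        age = (today - newest_test).days
        if age > max_age_days:
            issues.append(f"last restore test {age} days ago")
        if issues:
            findings[dataset] = issues
    return findings


# Constructed payload standing in for a file recovered during a restore test,
# with the digest that would have been recorded when the backup was taken.
SAMPLE_PAYLOAD = b"payroll-2024.csv: constructed sample contents"
EXPECTED_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """A restore test is only meaningful if the recovered data matches what was backed up."""
    return hashlib.sha256(restored).hexdigest() == expected_sha256


if __name__ == "__main__":
    for dataset, issues in audit_manifest(BACKUP_MANIFEST).items():
        print(f"{dataset}: " + "; ".join(issues))
    print("restore integrity ok:", verify_restore(SAMPLE_PAYLOAD, EXPECTED_DIGEST))
```

Run against the sample manifest, the audit flags finance-db because both of its copies are reachable from the production network, and erp because its only (properly isolated) copy has not been restored from in over nine months; file-shares passes because the offsite tape is both isolated and recently tested. Feeding the script a real manifest, and running the restore check against data actually pulled back from the isolated copy, is what turns "we have backups" into "we have backups we can reach".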

Are you willing to sacrifice a part of your network?

The unfortunate reality is that once an organization realizes attackers are within its network, it has little chance of ‘beating’ them back completely. What typically follows is a mitigation strategy: what steps can be taken to reduce the level of damage in the most efficient way possible? Once the attacker is identified, a ‘scorched earth’ approach is often the most effective, containing the attack to certain systems with the goal of protecting the organization as a whole.

Indecisiveness can be a killer in this moment, and it's critical that leaders within an organization are empowered to make these decisions at speed - and are sufficiently equipped with the relevant knowledge to do so. Knowing this before an attack occurs is also essential: organizations need to know what they can afford to lose in the event the worst happens, so they can act quickly and effectively.

Relying on insurance alone is risky business

Many organizations assume that taking out an insurance policy is enough to protect them from the financial fallout of a ransomware attack. Unfortunately, given the sheer variety of ransomware attacks, insurance isn’t always as encompassing as organizations might think, owing to exclusion clauses or liability requirements that must be fulfilled before the insurer pays out.

Ransomware attacks succeed because some element of them is capable of getting around existing defenses - i.e. exploiting a vulnerability - yet most insurance policies simply aim to get a business back online as quickly as possible. They do not consider the impact of the attack or how the organization was exploited. Organizations should treat insurance as the last line of defense and engage in activities which can prevent a ransomware attack occurring in the first place, or which prepare the organization to respond quickly if its defenses are breached. Undertaking best practices such as threat modelling, red teaming and regular reviews of cyber policy can be the difference between an insurer paying out or not.

Being ready for the inevitable

Unfortunately, ransomware attacks continue to impact organizations in the UK every day, and organizations need to be proactive when it comes to formulating a robust response plan. Thinking through the different scenarios and situations – even the less discussed details such as time zones and communication channels – all helps to lessen the impact in the event of a ransomware attack. You can never be over-prepared, so it’s important to begin asking these questions now to be ready for the inevitable.


Stuart McKenzie is Head of Mandiant Consulting for EMEA. McKenzie advises organizations, senior business leaders and board members on threat, response, remediation and recovery from cyberthreats.