Ransomware attacks can be devastating for individuals and businesses. If you find yourself the victim of one of these cyberattacks, you may feel helpless and unsure where to turn. The good news is there are trained professionals who can provide assistance and support. In this comprehensive guide, we will explore who you can turn to for help with ransomware attacks, what services they provide, and how they can support you in responding to and recovering from an incident.
IT Security Firms
IT security firms that specialize in incident response are perhaps the most qualified to help with a ransomware attack. They have cybersecurity experts on staff with extensive experience dealing with malware, data breaches, and digital forensics. When under attack, your first call should be to engage an incident response firm. Here are some of the key ways they can help:
- Emergency incident response – They can quickly investigate the attack’s origin, determine the extent of encryption/damage, and work to contain the threat from spreading.
- Negotiating with attackers – Skilled firms may negotiate with ransomware criminals on behalf of victims, sometimes securing decryption keys or reduced ransom demands.
- Forensic analysis – They can perform detailed forensic analysis on encrypted files and systems to determine flaws in security and uncover additional evidence about the attack.
- Malware analysis – Security teams can analyze the ransomware payload to determine if vulnerabilities can be exploited to decrypt files.
- Data recovery – IT forensics may allow recovery of some encrypted data by exploiting flaws in the ransomware encryption.
- Security hardening – They will identify weaknesses in your defenses and implement new solutions and controls tailored to protect against future ransomware.
When under duress during an active attack, the experience and resources of an incident response team can be invaluable. They offer the best chance for containing damage and recovering lost data. Top cybersecurity vendors known for their ransomware response services include SecureWorks, CrowdStrike, FireEye Mandiant, and Coveware.
Advantages of IT security firms
- Experienced with ransomware response
- Offer 24/7 emergency assistance
- Can negotiate with attackers
- Recover encrypted files
- Identify security gaps
- Implement new defenses
Law Enforcement
For businesses or individuals victimized by a ransomware attack, contacting law enforcement should be a priority. Cyberattacks are federal crimes investigated by agencies like the FBI, Secret Service, and Homeland Security. Law enforcement brings unique investigative resources that can be invaluable in identifying perpetrators and bringing them to justice. Here are some key ways law enforcement can assist ransomware victims:
- Launch an official investigation – They can open a case file and dedicate resources towards hunting down the attackers.
- Identify perpetrators – Law enforcement has access to investigatory tools and international partnerships that may allow them to trace attacks back to specific cybercriminal groups or individuals.
- Prosecute offenders – When culprits are identified, they can be arrested and prosecuted for cybercrimes through the justice system.
- Seize illicit funds – Asset seizure and forfeiture laws allow law enforcement to seize bank accounts, cryptocurrency wallets, and other assets tied to ransomware criminals.
- Prevent future attacks – Arrests and prosecutions can disrupt cybercriminal networks responsible for ransomware campaigns and prevent future attacks.
In the United States, the FBI, Secret Service, and Homeland Security all field teams dedicated to investigating ransomware groups, particularly those targeting critical infrastructure like hospitals, schools, and government agencies. Victims should reach out to local field offices, which can escalate incidents to the federal level if appropriate.
Advantages of law enforcement
- In-depth investigative resources
- Identify & prosecute attackers
- Seize illicit funds
- Disrupt cybercriminal networks
- Prevent future attacks
Data Recovery Firms
Specialized data recovery companies can provide technical services focused exclusively on retrieving encrypted or deleted files lost during a ransomware incident. While their capabilities may be limited against sophisticated encryption algorithms, they have the digital forensics expertise that enables the highest chance of recovering user data and files from affected systems. Here are some of their core competencies around ransomware:
- Forensic data recovery – Their technicians have specialized tools and techniques that can rescue deleted files or pull data from corrupted hard drives and devices.
- Decryption assistance – They reverse engineer ransomware to find flaws in encryption that may allow partial or full decryption of files without paying ransom.
- Negotiation support – Data recovery firms are experienced with the ransoming process and can potentially negotiate lower payments.
- Data protection advice – They advise businesses on ensuring proper data backups and protection policies are in place.
Prominent third-party data recovery firms include DriveSavers, Proven Data, Secure Data Recovery, WeRecoverData, and many others. These can offer ransomware victims an honest assessment of their chances for recovering files based on the specific malware variant.
Advantages of data recovery firms
- Forensic experts in data recovery
- Tools to decrypt files
- Negotiate with attackers
- Strengthen data protection
Managed Service Providers
Managed service providers (MSPs) who manage IT infrastructure and services for businesses can rapidly respond to and support clients impacted by ransomware events. MSPs have intimate knowledge of client networks, cloud environments, and security policies. This gives them unique advantages in responding to attacks, including:
- Faster threat detection – With their remote monitoring capabilities, MSPs can quickly identify ransomware activity and alert clients in real time.
- Accelerated response – MSPs have remote access and management capabilities that allow them to immediately start investigating, isolating infections, and enacting remediation measures.
- Restoring data – They can leverage backups and infrastructure they manage to begin restoring encrypted/deleted data much more quickly.
- Hardening weak points – MSPs know the ins and outs of client systems and can rapidly shore up vulnerabilities being actively exploited by ransomware groups.
Forward-thinking MSPs are also proactively taking steps to “ransomware proof” client networks by implementing cybersecurity best practices around vulnerability management, endpoint protection, access controls, patching, backups and more.
Advantages of managed service providers
- Visibility into client systems
- Faster threat detection
- Accelerated response
- Leverage backups & infrastructure
- Shore up vulnerabilities
Cyber Insurance
Cyber insurance represents a financial backstop that can provide critical support in the face of a ransomware incident. By providing coverage for damage/loss caused by cyberattacks, insurance can fund expenses associated with response, recovery, and rebuilding cyber defenses. Here are some of the key ways cyber insurance carriers assist ransomware victims:
- Connect victims with vetted incident response firms
- Provide expertise advising on cyber policies, coverage, and claiming process
- Reimburse costs of professional incident response services
- Cover business interruption losses from network downtime
- Potentially fund ransomware extortion payments*
- Pay replacement costs of hardware/equipment damaged by attack
*Note: Reputable cyber insurance providers do not recommend paying ransoms. But if the victim independently decides to pay, coverage may apply.
Leading cyber insurance providers include Coalition, Corvus, Cowbell Cyber, SentinelOne, and many underwriters providing tailored cyber risk coverage.
Advantages of cyber insurance
- Incident response connections
- Expertise on cyber policies
- Covers response costs
- Replaces damaged equipment
- May fund ransom payments
IT and Security Consultants
External IT and cybersecurity consulting firms can provide high-level guidance and expertise to ransomware victims throughout the response and recovery process. Their past experience supporting clients through ransomware and data breach scenarios makes them well suited to advise organizations. Services may include:
- Incident response consulting – Providing expertise to internal IT teams managing the technical ransomware investigation and remediation.
- Crisis management – Advising leadership on managing communications, legal obligations, public relations, and customer trust after an attack.
- Compliance impact – Guidance on compliance with data breach laws and regulations such as HIPAA and GDPR.
- Security program assessment – Evaluation of existing cybersecurity policies and controls with recommendations to strengthen defenses.
- Staff augmentation – Can provide supplemental IT security staff if internal resources are overwhelmed or compromised.
Well-known IT consulting firms like Deloitte, PwC, EY, and KPMG all have cybersecurity practices equipped to support ransomware response engagements.
Advantages of consultants
- Incident response expertise
- Crisis management advice
- Guidance on compliance
- Assess & strengthen security
- Staff augmentation
How To Make the Right Choices Following an Attack
When your organization suffers a ransomware attack, it’s crucial to quickly make the right choices in responding effectively. Here are best practices to follow:
- Document everything – Note your ransomware symptoms, messages, communications from attackers, and keep detailed response activity logs.
- Isolate the threat – Disconnect infected systems from networks and turn off WiFi/BT to prevent lateral spread.
- Notify authorities – Contact law enforcement, cyber insurance providers, and managed IT services firms, per your procedures.
- Engage incident response – Bring in qualified incident response experts to handle investigation, remediation, negotiation, and recovery.
- Communicate internally – Keep leadership informed with regular status reports throughout the response activities.
- Restore from backups – Leverage secure, isolated backups to begin restoring encrypted/deleted systems and data.
- Forensically analyze – Perform deep forensic analysis on how the attack occurred and what vulnerabilities were exploited.
- Manage public relations – Control communications to employees, customers and media to maintain trust and reputation.
Following established response and disaster recovery plans focused on quickly containing the incident, restoring operations and learning from the attack will lead to the most effective outcomes. Leaning on the experience of third-party specialists in incident response, forensics, and public relations is also key.
Most Critical Partners in Ransomware Response
While many parties can provide assistance to ransomware victims, some stand out as the most critical partners to engage in an incident response:
Incident Response Firms
Skilled incident response firms are the top priority to engage first. Their technical expertise in investigating, containing and remediating ransomware attacks offers the best chance of limiting damage and resuming operations quickly.
Law Enforcement
Promptly engaging law enforcement gives the best chance of identifying, apprehending and prosecuting the attackers and preventing future attacks.
Managed Service Providers
MSPs have unique visibility and access to client systems that enables them to detect, respond, and restore operations faster than anyone.
Cyber Insurance
Insurers provide critical financial resources and expertise in covering response costs and recovering from the business impact of attacks.
Here are the key high-level takeaways on who can support your ransomware response:
- Leverage technical experts focused on ransomware response like incident response firms and MSPs.
- Involve law enforcement early to initiate cybercriminal investigations and prevent future attacks.
- Cyber insurance is critical for covering costs/damages and providing financial resources.
- IT consultants provide broad strategy and expertise on recovering operations, communications and compliance issues.
- Specialized data recovery firms may retrieve encrypted files when other options are exhausted.
- Document everything and follow response plans to contain damage and restore operations.
Ransomware can be extremely disruptive and damaging for affected organizations. But by knowing who to call on for help and following the right response steps, you have the best chance of managing an attack effectively and getting operations restored quickly.