Who to contact for a ransomware attack?

Ransomware attacks have been on the rise in recent years, inflicting significant damage and disruption to individuals, businesses, and government entities worldwide. When a ransomware infection strikes, it can be tremendously unsettling, leaving victims wondering what to do next and who to turn to for help. Having a response plan in place ahead of time, including knowing exactly who to contact, can help organizations minimize the impact of an attack and recover more swiftly.

Should you pay the ransom?

The first major decision to make when hit with ransomware is whether or not to pay the ransom demand. There are arguments on both sides of this issue:

  • Paying the ransom provides the quickest way to regain access to encrypted files, resume business operations, and avoid having sensitive data leaked publicly. Many cybersecurity experts warn against paying ransoms since it encourages and funds cybercriminals to continue attacks.
  • Refusing to pay the ransom runs the risk of permanent data loss if decryption is not possible through other means. However, paying the ransom also does not guarantee files will be recovered, as attackers may still delete data.

There are third-party decryption tools available that can sometimes recover files without paying the ransom. The No More Ransom initiative by Europol provides some free decryption tools. But decryption is not always possible depending on the sophistication of the malware, so this route involves some uncertainty.

The FBI advises ransomware victims not to pay ransoms. Ultimately, the decision depends on each organization’s unique situation, threat assessment, and recovery capabilities. Having cyber insurance can help provide coverage for damages and ransom payments in the event of an attack.

Contact law enforcement

Notifying law enforcement should be one of the first responses after discovering a ransomware attack, even if the victim does not plan to pay the ransom. The FBI and U.S. Secret Service both investigate major ransomware incidents. Local police may get involved for individual victims. Law enforcement can help in several ways:

  • Assess the attack and identify the ransomware variant used, which aids response and recovery.
  • Provide information on the attackers, such as if they are known cybercrime groups.
  • Preserve evidence by securely collecting infected host data and malware samples.
  • Trace ransom payments, if any were made, to help identify the attackers.
  • Pursue and prosecute cybercriminals, when possible.

Also report attacks to the FBI’s Internet Crime Complaint Center at www.ic3.gov. The sooner an attack gets reported, the more help law enforcement can provide. Investigators may also connect victims with other government agencies or private resources for assistance.

Contact managed IT services provider

Organizations using managed IT services should immediately reach out to their provider in the event of a ransomware attack or any suspected malware infection. A managed service provider (MSP) delivers 24/7 monitoring, management, and support for clients’ IT infrastructure and end-user systems. Such providers typically have experience in responding to ransomware and other cyber incidents.

Key ways an MSP can help with ransomware include:

  • Rapidly investigate, confirm, and contain the infection to prevent further spread.
  • Leverage premium malware detection and response tools already in place.
  • Restore encrypted files from recent backups if available.
  • Provide guidance on communicating with attackers and paying ransoms.
  • Handle system wiping, reinstallation, hardening, and restoration.
  • Supply temporary workarounds like cloud-based services.
  • Assess security flaws that enabled the breach and recommend fixes.

Quick, experienced incident response of this kind minimizes downtime and data loss. MSPs can also liaise with law enforcement contacts on victims’ behalf. Organizations without managed IT services may need to hire an outside cybersecurity firm for assistance.

Engage cyber insurance provider

For entities with cyber insurance, promptly informing the insurance provider about a ransomware attack or other cybercrime is essential. Cyber insurance can cover a range of ransomware-related damages and expenses. Typical policies may include coverage for:

  • Crisis management and investigation costs
  • Business interruption and recovery expenses
  • Data restoration and replacement
  • Cyber extortion payments
  • Public relations services
  • Third-party liability claims
  • Forensic analysis
  • Legal costs

But cyber insurance policies differ in details and limits. Close coordination with the insurance provider is necessary to understand exactly what is covered following an attack and what steps they require or recommend. Prompt and detailed incident reporting is key to receiving payouts. Insurance firms also often provide policyholders with access to vetted networks of IT security firms and lawyers for response assistance.

Contact a cybersecurity attorney

Engaging outside legal counsel with expertise in data security can provide vital guidance in responding to a ransomware or other cyber attack appropriately and protecting the organization’s interests. An experienced cyber attorney can advise on issues like:

  • Complying with breach notification laws and avoiding regulatory penalties
  • Preserving attorney-client privilege and legal protections
  • Law enforcement interactions, evidence collection, and criminal implications
  • Litigation risks and third-party liability claims
  • Insurance coverage and provider communications
  • Legal duties around cybersecurity policies and controls
  • Public relations messaging and restricting information
  • Recovering losses from business partners and vendors
  • Requirements of contracts or service agreements

In highly sensitive ransomware incidents involving extensive personal data theft, it may be prudent to hire external IT forensics specialists in addition to counsel. Forensic firms help carefully investigate attacks while maintaining evidence integrity.

Alert users and customers

Once the initial ransomware response is underway, organizations should promptly communicate the attack to affected users and customers as applicable. For companies, notifying customers of service outages, disruptions, data loss, or exposure caused by ransomware or IT security incidents is important for trust and transparency. Alerting users internally can also help identify other compromised systems.

However, notifications should be crafted carefully with legal counsel to avoid unintended liability admissions or risks. Data privacy laws like GDPR generally require notifications to impacted individuals within 72 hours. But specific notification demands may vary based on facts like data types stolen and jurisdiction. Communications should emphasize the steps being taken to investigate the incident, restore operations, and prevent future attacks.

Bring in public relations support

Reputation and public perception are major considerations when dealing with a ransomware attack. Even if systems and data are restored fully, unwanted media publicity about cyber incidents can still harm brand trust and competitive position. Companies especially may want to recruit experienced public relations professionals to help manage external communications and messaging around the attack.

PR experts help shape media statements, advise on responding to press inquiries, and proactively tell the company’s story. Positioning the organization as transparent, concerned about customers, and committed to learning from the incident is critical. Public relations guidance can also help reassure stakeholders like investors, partners, and regulators in addition to customers.

Increase cybersecurity staffing

The aftermath of a ransomware attack presents the ideal time to reevaluate cybersecurity staffing and controls. Ransomware often exposes gaps in defenses as well as security team readiness. Many organizations realize they lack specialized in-house malware and incident response expertise after an attack.

Expanding cybersecurity headcount or partnering with outside providers is generally prudent following major security incidents. Additional personnel allow 24/7 monitoring for emerging threats and faster response when incidents occur. Some key roles to consider:

  • Incident response managers and analysts
  • Malware specialists
  • Data recovery experts
  • Forensic investigators
  • Internal auditors and compliance officers

New staff should also be trained on current detection and containment tools. But avoid overreacting and overspending before identifying capability gaps through careful post-incident analysis.

Bolster security controls and policies

The vulnerabilities that enabled a ransomware attack to succeed represent some of the most urgent issues to address for improving security. Investigate how the malware entered networks, spread internally, and bypassed defenses. Some common deficiencies include:

  • Weak endpoint security with insufficient anti-malware tools
  • Failure to patch known software vulnerabilities
  • Limited network segmentation and access controls
  • Poor backup systems and retention policies
  • Weak password practices and lack of multi-factor authentication
  • Minimal staff cybersecurity training and education

Pinpointing such specific deficiencies helps focus spending where it matters most. It also allows security controls to be prioritized according to the greatest risks. Cyber insurance providers often require certain controls as well.

Updating information security policies is also beneficial after a major incident. New malware techniques or regulatory changes may necessitate policy adjustments. Stricter cybersecurity rules for vendors, third parties, and remote employees are common additions too.

Review and update incident response plan

Having a tested incident response plan is invaluable for navigating ransomware and other cyberattacks. But even the most robust plan often reveals gaps when exercised in a real incident. Review internal response performance, incorporating lessons learned and expertise gained by all parties involved.

Key improvements to incident response plans often include:

  • More detailed procedures for malware analysis and containment
  • Faster internal communications protocols and centralized decision-making
  • Expanded backup and restoration capabilities
  • Clearer cyber insurance and legal coordination steps
  • Pre-approved public relations vendors and guidance

Update the response plan with any new contacts, resources, or timelines. Run exercises to verify enhancements and team preparedness. Keeping the plan current and achieving organizational proficiency makes all the difference in minimizing future attack harm.

Provide cybersecurity training

Ransomware and other cyber threats frequently succeed due to human errors and risky behaviors. Phishing emails tempt users to click malicious links, for instance. Weak passwords get cracked or stolen. Employees inadvertently download malware. Upgrading technical defenses is useless without addressing these common human factors.

Expanded cybersecurity awareness training following an incident helps ingrain secure practices. Training should cover risks like phishing, password policies, social engineering, physical security, and incident reporting. Tailor content to different user groups and roles. Also implement exercises like simulated phishing attacks to gauge strengths and weaknesses. Ongoing training is essential for keeping security top of mind.

Conclusion

Ransomware attacks and other cyber incidents require careful yet rapid response from multiple parties to contain damages. Having strong relationships and coordination in place with key external resources like law enforcement, insurers, attorneys, PR firms, and IT providers amplifies incident response. Internally, the focus should be on restoring systems safely, identifying security gaps that require fixing, and equipping users with improved skills and knowledge.

While costly and highly disruptive, ransomware also represents a chance to bolster long-term security and preparedness. With advanced planning and the right partnerships, organizations can emerge from an attack smarter and more resilient.

| Response step | Who to contact | How they can help |
|---|---|---|
| Report incident and seek guidance on paying ransom | Law enforcement (FBI, Secret Service, local police) | Investigate, provide information on attackers, preserve evidence, trace ransom payments, prosecute cybercriminals |
| Contain infection and restore systems | Managed IT services provider or cybersecurity firm | Rapid investigation, malware analysis, file recovery, provide temporary workarounds, assess flaws and recommend fixes |
| Understand cyber insurance coverage and requirements | Cyber insurance provider | Explain covered expenses and ransomware-related damages, assist with approved response vendors and steps |
| Protect legal interests and meet notification obligations | Cybersecurity attorney | Guide breach disclosure process, preserve evidence correctly, avoid unintended liability risks |
| Manage external communications and public response | Public relations firm | Shape media statements, advise on interacting with press, maintain reputation and trust |
| Obtain forensic investigation of attack | Digital forensics specialist | Conduct network and malware analysis, preserve evidence, identify vulnerabilities |
| Increase security staffing and controls | In-house cybersecurity team or outside partners | Bolster detection, monitoring, and response capabilities |
| Improve cybersecurity incident response plan | In-house cybersecurity team | Incorporate lessons learned into enhanced response procedures and training |
| Educate all users on risks | In-house cybersecurity team or outside provider | Conduct phishing simulations and expanded cybersecurity awareness training |