Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas).

Most organizations are aware of the risk of ransomware and the need to prepare for an event. But organizations that have not experienced a ransomware event are uncertain about what actually occurs, which hinders preparation. Building a ransomware playbook and conducting a tabletop exercise facilitated by a person experienced in responding to ransomware events are good preparation measures. To help with both, you can use the ransomware matter data from the DSIR and the list of considerations an organization facing a ransomware attack may have to address all at once on the first day of a ransomware matter.

The thing to prepare for in a playbook, and to test in a tabletop, is the one-two punch of business continuity impact and potential theft of data with a threat to release the data publicly if the ransom is not paid. You can then identify the key response actions, the internal team responsible for managing the response and the third parties you would bring in to help. There are some actions you can take ahead of time, such as identifying how you would assess revenue impact.

Day One Initial Considerations

  • Impact assessment – determine what is not operational, who will notice, and the likely consequences. Identify any potential “downstream” impacts to stakeholders, clients, or vendors.
  • Vendor engagement – identify the external legal counsel, forensics firm, negotiation and payment, workforce augmentation/restoration, forensic accountant to document expense and income loss, and communications firms to consider engaging.
  • Threat actor intelligence – find the ransom note and make preliminary attribution based on file extension and note content to start analysis of: (1) is this a threat actor known to only encrypt or steal/encrypt; and (2) is this a threat actor who may be on a sanctions list.
  • Ransom negotiation strategy – directly or through negotiation, make initial contact with the threat actor to obtain initial demand and then begin to develop negotiation strategy. Identify threat actor’s history of payment default, decryptor efficacy, and tor site data posting strategy. Consider payment logistics (e.g., timing of wiring funds to negotiation vendor before wire close/weekend).
  • Restoration planning – determine viability of backups and what alternate restoration options exist.
  • Containment – identify how access occurred and how ransomware was deployed, whether there are systems that should be taken offline to prevent further spread, and build plan for eliminating current access so you can restore to a secure environment (or build segmented VLAN to restore in until containment occurs).
  • Preservation – account for preservation needs before wiping and reimaging devices during restoration.
  • Communications – determine stakeholder communication needs and prepare drafts of reactive holding statement for media, associates, franchisees
  • “Response Plan” execution – align response to key response considerations based on incident, business continuity, and crisis response plans
  • Notice analysis – develop preliminary assessment of potential notification obligations.
  • Documentation – identify what insurance carrier(s) (e.g., cyber, kidnap/ransom) will require to give consent to ransom payment and to reimburse (e.g., “business case” for payment, OFAC clearance report).