Response
Responding to ransomware can be a painful and traumatic experience. There is typically little or no warning, and when ransomware hits, it can cause major damage. The DRAMA model of data breach management applies:
- DEVELOP your data breach response function.
- REALIZE that a potential data breach exists by recognizing the signs and escalating, investigating, and scoping the problem.
- ACT quickly, ethically, and empathetically to manage the crisis and perceptions.
- MAINTAIN data breach response efforts throughout the chronic phase and potentially long-term.
- ADAPT proactively and wisely in response to a potential data breach.
In ransomware cases, there are distinct issues that response teams should consider during the Develop, Realize, and Act phases. These include:
- Include ransomware in data breach planning. All too often, organizations plan for the operational impacts of ransomware but forget to consider that it may also legally qualify as a data breach. A common result of this oversight is that critical evidence is not preserved during the immediate response to ransomware, making it impossible to rule out a data breach later.
- Preserve evidence early on. Make sure that first responders are trained to recognize ransomware as a potential data breach. Preserve important evidence such as the malware sample whenever possible, so that if needed, forensic analysts can later analyze it to determine whether the malware is capable of exfiltrating data or is designed to simply deny access. If ransomware is widespread and it is not feasible to perform a full forensic acquisition of all affected computers, prioritize based on volume and sensitivity of the data stored on each system.
- Activate crisis communication plans quickly. Since ransomware can have a sudden and dramatic impact on an organization's operations, news of the infection can become widely known very quickly. This is especially true for organizations that suffer a widespread infection that impacts public-facing services (as in hospitals and local government agencies).
- Manage both the operational and data breach impacts of the crisis. It can be challenging to manage a potential data leak while also working to restore operations. Consider, in advance, how to divide up the work and ensure that both issues are addressed.
In the Act phase, ransomware-specific crisis management steps include:
- Assess the damage: Take an inventory of what data has been encrypted, and determine whether the organization can recover the data from backups, recreate missing data, or function without certain data sets.
- Recover from backups: If available, restore as much data as possible from backups (after preserving appropriate evidence, of course).
- Check for a decryptor: Technical experts can examine the encrypted systems to determine whether there is a known bypass—some way to unlock the files without paying to get the decryption key from the attackers.
- Negotiate and pay the ransom: If all else fails, then the organization may be stuck with a hard choice: pay to get the decryption key (which is not guaranteed to work) or fully rebuild, which in severe cases could threaten the viability of the organization. See the next section for a discussion of negotiation and payment in ransomware cases.
- Fully rebuild: Many organizations choose (or are forced) to start from scratch, rebuild affected systems, and recreate lost data. This can be a painful, time-consuming, and expensive process.
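The prioritization rule from the evidence-preservation step (most sensitive and largest data first) and the damage-assessment step above can be put into a small triage helper. This is an added example, not code from the book; the host inventory, the sensitivity tiers, and the seven-day threshold for treating a backup as usable are all assumptions chosen for illustration.

```python
"""Triage helpers for the ransomware response steps above (added example, not
from the book): order affected hosts for forensic acquisition by sensitivity
and volume, and classify each host's recovery path. Inventory is constructed."""
from dataclasses import dataclass

# Assumed tiers; "regulated" stands for PII/PHI/PCI-type data.
SENSITIVITY = {"public": 1, "internal": 2, "regulated": 3}

@dataclass
class AffectedHost:
    name: str
    data_gb: float
    sensitivity: str            # key of SENSITIVITY
    backup_available: bool
    backup_age_days: int = 0
    recreatable: bool = False   # can the data be rebuilt from other sources?
    essential: bool = True      # can the organization function without it?

def acquisition_order(hosts):
    """When imaging every machine is not feasible: most sensitive data first,
    then largest data volume (the prioritization rule from the text)."""
    return sorted(hosts, key=lambda h: (-SENSITIVITY[h.sensitivity], -h.data_gb))

def recovery_path(host, max_backup_age_days=7):
    """Recovery options in the order the text lists them; the final case is
    where a known decryptor is checked for before any rebuild or payment decision.
    Treating a backup older than max_backup_age_days as unusable is an assumption."""
    if host.backup_available and host.backup_age_days <= max_backup_age_days:
        return "restore-from-backup"
    if host.recreatable:
        return "recreate"
    if not host.essential:
        return "operate-without"
    return "decryptor-or-rebuild"

def assess_damage(hosts):
    """Damage inventory: total encrypted volume, hosts holding regulated data
    (possible breach-notification scope), and the recovery path per host."""
    return {
        "encrypted_gb": sum(h.data_gb for h in hosts),
        "regulated_hosts": [h.name for h in hosts if h.sensitivity == "regulated"],
        "recovery": {h.name: recovery_path(h) for h in hosts},
    }

INVENTORY = [  # constructed sample inventory, not a real incident
    AffectedHost("fileserver-01", 800.0, "internal", True, 1),
    AffectedHost("ehr-db", 120.0, "regulated", True, 30),
    AffectedHost("kiosk-07", 2.0, "public", False, recreatable=True, essential=False),
    AffectedHost("hr-share", 40.0, "regulated", False),
]
```

Running `acquisition_order(INVENTORY)` puts the two regulated-data hosts first, so they are imaged before the large but less sensitive file server; `assess_damage(INVENTORY)` flags the hosts whose only remaining options are a decryptor or a rebuild.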