The Importance of a Ransomware Response Plan

Disruptions and losses due to Ransomware are enormous

Over the past three years, ransomware has come prominently into the limelight of the cyber threat scene, it is the fastest growing malware threat, and organizations have paid US$ 209 million in Q1 2016 through ransomware, FBI estimates US$ 1 billion losses in 2016 because of ransomware.

The disruptions due to Ransomware are enormous. Seventy-two percent of organizations targeted by ransomware could not access data for at least two days following the attack; thirty-two percent could not access their data for five days or more, eighty-six percent of incidences affected two or more employees, forty-seven percent occurrences impaired more than twenty employees. Fifty-six percent of organizations reported being the victim of a ransomware attack and forty-one percent of organizations mark ransom as the greatest cyber threat facing their organization all over the world.

The most famous Ransomware attack was on the Hollywood Presbyterian Medical Center. They had to pay $17,000 in 2016 to unlock their files and continue their operations; employees spent ten days relying on fax machines, and paper charts and the hospital lost $100,000 per day just because it could not do patient CT scans; their total losses could be a lot more. The loss per day for a hospital is around at $2 million per day. The average cost of downtime is more than $163,000 per hour. Black market evaluation of patient records is $50 per record if a hospital with over 10,000 patients lost medical records, losses could be over half a million dollars. According to the FBI, the costs of the ransom plus staff time in recovering the data averages about $330,000 per incident. All these costs add up to hundreds of thousands of dollars per attack. It is obvious that the ransom payment is only a fraction of the loss to the organization.

Even if an organization has the best anti-ransomware system/service deployed chances are there that a zero-day Ransomware can get through and encrypt its data.

Recovery should be quick after a Ransomware attack

An organization has to recover quickly from Ransomware to minimize losses. If it experiences a computer outage lasting more than ten days, it will never fully recover, financially and fifty percent of these organizations will be out of business within five years.

However, European information security professionals when questioned if their organizations could recover from a ransomware attack without losing critical data, only less than one-third of the respondents said they are “very confident” they could do so.

Ransomware attacks continue

Recently, the Los Angeles Community College District confirmed it paid $28,000 in bitcoins after Ransomware encrypted many computers, email, and voicemail systems. Four hospitals of NHS hospital trust in England had a Ransomware attack this year.

Ransomware Response Plan

Every organization should have prepared a comprehensive response plan for quick recovery after a Ransomware attack.

The existing Cybersecurity Incidence Response Plan (CSIRP) could be deficient considering that entirely different scenarios exist during a Ransomware attack as compared to other cybersecurity incidents. Also, quick, meticulous and crucial decisions are required. An inappropriate move could cost the organization all of its data with losses of millions of dollars. You can speed up the recovery of data considerably if you have a Ransomware Response Plan (RRP) in place thus saving hundreds and thousands of dollars per day. The RRP would be an addendum to the CSIRP.

Ransomware Response Committee

Who is going to monitor and ensure adherence to the response plan? Who will take decisions regarding data recovery? Who is going to decide on data restore from backup or the payment of ransom to get the decryption keys to decrypt the data?

A decision-making governance team, the Ransomware Response Committee (RRC) consists of members from executives, department heads, CIO, CISO, network/data/cybersecurity experts, head of incidence response team, legal counsel, operations, public relations, and finance. Also, it could include representatives from the internal audit, regulatory affairs, and HR departments (also students affairs, if an educational institution).

The RRC lead, Ransomware Response Manager (RRM) is in charge of overseeing the execution of the RRP, communicating with the incident response team, and directing members of the team as necessary. All communications are confidential while the investigation is in progress until the decision by the RRC on how to handle the attack.

The RRC should ensure that they have the knowledge, political capital, skills, and decision-making capability to accomplish what is necessary while at the same time remaining agile to move quickly and decisively as events unfold.

Ransomware Technical Committee

A sub-committee of the RRC, Ransomware Technical Committee (RTC) consists of the CISO, cybersecurity/ network/data managers/engineers/experts, head of the cyber incidence response team and other relevant technical personnel. The RTC is responsible for all technical evaluations and remediation procedures after the Ransomware attack. If expert technical assistance is required, they could get support from a reputable cybersecurity company.

Internal communication options

It is possible that email and telephony servers stop functioning after the attack because their data also gets encrypted. Alternate communications options like mobile phones, WhatsApp and web based mail, could be used and should be specified in the RRP. All members of the RRC, RTC, cyber incidence response team and other stakeholders should have alternate communication options readily available to be used anytime.

Keep hard copy of all relevant documentation

It is possible that the server/storage used to store the RRP and other related documentation also gets encrypted after the Ransomware attack so a printed copy should be available at a readily accessible but secure location.

Inventory

It is important to have an updated list of all the workstations, servers, storages and other devices that contain organizations’ data. A risk assessment should have to be done to identify and assign a value to all the organization’s critical assets.

What data do you have and where is it?

The first step in making an RRP is getting to know what kind of data the organization has and how much of that data is the most valuable. Employee and customer data, including point-of-sale credit card data, protected health information (PHI) all contain Personally Identifiable Information (PII) that could cause numerous legal and contractual problems if it got into wrong hands. Trade secrets, financial, and other competitively sensitive data are other categories that are crucial for the organization. Do you know what kind of data you have and where it is for each department, for instance, does your organization host it or does the third party have it for example in the cloud? This process will allow an accurate assessment of the extent of damage in case of Ransomware attack. These details should be there in the RRP.

Recovery Time Objective

The RRC should meticulously revisit and re-evaluate the recovery time; a revised accurate estimate of the RTO derived after discussions and brainstorming. Different RTOs can be there for various departments. In a hospital, Emergency Room (ER) RTO could be much less than other departments. The RTO for ER should include the recovery time for all essential data that is required to enable access to the ER data and applications. The RRP should contain the RTOs of the various departments and the outcome of the discussions.

Recovery Point Objective

It is necessary to fine tune the RPO also since this decides how much data the organization could lose if it had a Ransomware attack and had to recover from backup. RTC should review this and present it to RRC which should finally decide the RPO. The RRP gets updated with the revised RPO.

Services/support from Cybersecurity Company

The RTC should have a good relationship with a leading cybersecurity company (CSC) having experienced cybersecurity and forensics experts. Also, CSC should have access to the latest worldwide threat data and attack patterns. There should be a support/service contract with the CSC. Mechanisms should be put in place so that renewals of the contract get done much before expiry. The RRP should include the CSC profile and terms of support/service contract.

Determine type and variant of Ransomware

After the attack, the variant of ransomware needs to be quickly established to determine how the malware works and if it is decryptable. The RTC should do the initial technical assessment, and also forward a sample of the encrypted files to the CSC for a second opinion and get their feedback as soon as possible.

Some variants can get decrypted by using decryption tools available on the Internet, but with new Ransomware, the only option usually is, either pay the ransom to get the decryption keys or restore from backup. The malware has to be analyzed quickly to decide how to proceed.

Determine extent of the damage

The scope of the damage, the number of files and the type of data encrypted and the areas affected should be determined immediately. The RTC should quickly assess amount/type of data encrypted with a list of affected departments and submit a report to the RRC within a pre-specified time.

Determine the total ransom payable

The RTC should study all the ransom notes left by the hackers on each endpoint/server that was infected and calculate the total payment in digital currency and dollar equivalent. They should submit a report to the RRC within a pre-specified time.

Inform local/state law enforcement

The RRM should contact and inform relevant local government and state authorities like the FBI and share them the details of the Ransomware attack. It is best to seek guidance from them. An official from the government agency with prior experience of Ransomware attacks could also become a member of the RRC to get advice from time to time and contribute in the decision-making process.

Other reporting requirements

In the United States, most organizations have strict reporting requirements and must maintain regulatory compliance with the Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA). Also the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) or the Family Educational Rights and Privacy Act (FERPA). Other countries may have similar reporting requirements. The RRM can instruct relevant department heads to prepare the reports and submit them as required.

External communications plan

After the Ransomware attack, the decision to go public depends on the amount of ransom, the extent of the damage and the time required to restore the data. The RRP should own this decision-making process and give the verdict. The RRM should be the focal person for this task and share the details of the attack with the press/media. Customers, suppliers, and other external stakeholders should also be informed.

RRM should decide to share this information with other similar organizations so they can get prepared for this particular type of Ransomware attack.

References

1. U.S. Department of Justice, “How to protect your Networks from Ransomware”.
2. David Fitzpatrick and Drew Griffin, CNN-Money, “Cyber-extortion losses skyrocket, says FBI”, April 15, 2016, http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security.
3. Intermedia’s “2016 Crypto-Ransomware Study”, February 16, 2016.
4. Radware’s “Global Application and Network Security Report 2016-2017”, January 2017,https://www.radware.com/ert-report-2016
5. Jack Danahy, Barkly, Venture Beat, “Next wave of ransomware could demand millions”, March 26, 2016. http://venturebeat.com/2016/03/26/next-wave-of-ransomware-could-demand-millions
6. Analyst Insight, Aberdeen Group “Downtime and Data Loss, How Much Can you Afford?”, August 2013, http://resources.idgenterprise.com/original/AST-0113606_Analyst_Insight_Downtime_and_Data_Loss_How_Much_Can_you_Afford.pdf
7. Robert Lowes, Medscape Medical News, “Stolen EHR Charts Sell for $50 Each on Black Market”, April 28, 2014, http://www.medscape.com/viewarticle/824192
8. Mimecast Blog, “It’s Not Just The Ransom You’re Losing: Quantifying the Real Cost of Malware Attacks”, October 2016, https://www.mimecast.com/blog/2016/10/its-not-just-the-ransom-youre-losing-quantifying-the-real-cost-of-malware-attacks
9. Danny Palmer, ZDNet, “$500 zero-day ransomware attack takes council offline for nearly a week”, February 2, 2016, http://www.zdnet.com/article/zero-day-ransomware-attack-takes-council-offline-for-a-nearly-week
10. Jon Toiga, “Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems,” (Yourdon Press, 1989).
11. Tripwire “Infosecurity Europe 2016 Survey – Ransomware”, http://www.tripwire.com/company/research/infosecurity-europe-2016-survey-ransomware
12. Trevor Mogg, Digital Trends “Ransomware attack: A college in Los Angeles just paid $28,000 to hackers”, January 11, 2017, http://www.digitaltrends.com/web/la-college-ransomware
13. Laura Donnelly, The Telegraph “Largest NHS trust hit by cyber attack,” 13 January 2017, http://www.telegraph.co.uk/news/2017/01/13/largest-nhs-trust-hit-cyber-attack
14. Single Loss Expectancy (Definition) http://www.riskythinking.com/glossary/single_loss_expectancy.php
15. Security Week News, ‘”Locky” Ransomware Encrypts Unmapped Network Shares’, February 18, 2016, http://www.securityweek.com/locky-ransomware-encrypts-unmapped-network-shares
16. Mary Chavez, Slait Consulting, “Ransomware: Why Backups Can’t Wait,” October 14, 2016, http://www.slaitconsulting.com/blog/ransomware-why-backups-cant-wait
17. Lawrence Abrams, Bleeping Computer “With the looming threat of Ransomware, should companies stockpile Bitcoins?”, August 11, 2016, https://www.bleepingcomputer.com/editorial/security/with-the-looming-threat-of-ransomware-should-companies-stockpile-bitcoins
18. Tom Simonite, MIT Technology Review, “Companies Are Stockpiling Bitcoin to Pay Off Cybercriminals,” June 7, 2016, https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals
19. James Cook, Business Insider UK, “Banks are stockpiling bitcoins in case they get hit with ransomware,” August 11, 2016, http://uk.businessinsider.com/interview-with-malwarebytes-ceo-marcin-kleczynski-about-ransomware-2016-8
20. Gertrude Chavez-Dreyfuss, Reuters “Cyber threat grows for bitcoin exchanges,” August 29, 2016, http://www.reuters.com/article/us-bitcoin-cyber-analysis-idUSKCN11411T
21. Andrew Dalton, Engadget, “Ransomware hackers get their money, then ask for more,” 24 May 2016, https://www.engadget.com/2016/05/24/ransomware-hackers-get-paid-ask-for-more
22. Dan Turkel , Business Insider “Hackers are now offering ‘customer support’ to the victims they extort money from”, Dan Turkel Jan. 9, 2016, http://www.businessinsider.com/ransomware-writers-offer-customer-support-to-victims-2016-1
23. Paul, The Security Ledger, “FBI’s Advice on Ransomware? Just Pay The Ransom.”, October 22, 2015, https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom
24. Tom Sullivan, Healthcare IT News “More than half of hospitals hit with ransomware in last 12 months”, April 7, 2016, http://www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months
25. Herb Weisbaum, NBC NEWS “Ransomware: Now a Billion Dollar a Year Crime and Growing”, January 9, 2017, http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
26. Barracuda Solution Brief, “Recovering from Ransomware with Barracuda Backup”, 2016, https://www.barracuda.com/assets/docs/dms/Barracuda_Backup_SB_Recovering_from_Ransomware_US.pdf
27. Doug Pollack, IAPP, “Bitcoin’s strategic place in ransomware”, September 27, 2016, https://iapp.org/news/a/bitcoins-strategic-place-in-ransomware