In a recent study by Comparitech on the correlation between stock prices and data breaches, two worrisome findings stood out:

Share prices of breached companies hit a low point approximately 14 market days after a breach. Over that period, share prices fell 7.27% on average and underperformed the NASDAQ by 4.18%.

In the long term, breached companies underperformed the market. After one year, share prices underperformed the NASDAQ by 6.49%; after two years, by 12.88%; and after three years, the average share price was up 32.53% in absolute terms but still trailed the NASDAQ by 13.27%.

Markets can be really unforgiving and cold-blooded.

Another study found that an organization typically takes 16 days to restore its networks and resume operations after a ransomware attack. That figure does not include the time spent remediating and restoring every affected system, an effort that can easily span months and brings second-order costs: overtime, consulting fees and lost productivity. Not to mention the steep fines and penalties levied by zealous data protection authorities.

So businesses are already grappling with demanding shareholders, a challenging economic and political environment, a burgeoning and complex technology landscape and stringent data privacy regulation. Throw in a ransomware attack and you have the perfect storm.

We can think of ransomware attacks as “Gray Rhinos”- a term coined by crisis management expert – Michele Wucker, in her award winning book “The Gray Rhino – How to recognise and act on the obvious dangers we ignore”.
Unlike Nassim Nicholas Taleb's Black Swans, low-probability, high-impact events that cannot be predicted, Gray Rhinos are highly probable, high-impact and yet neglected threats.

The first ransomware attack occurred in 1989 and targeted the health care industry (you can read all about this incident here). Over the years, ransomware has climbed to the top of the cyber-attack pyramid, with rising ransom demands, a rapidly developing ransomware-as-a-service (RaaS) ecosystem and business losses threatening to cross a trillion dollars.

Despite the imminent threat, most businesses have struggled to come up with the right strategy for this Gray Rhino.

Arriving at the right answers will take time, but we should definitely start by asking the right questions.
Here are 50 questions we should honestly be asking ourselves to prepare for an impending ransomware-led crisis:

  1. Do our employees, contractors and consultants know how to recognise a ransomware attack when they see one? If not, can we train them?
  2. Most ransomware attacks are reported to have occurred after business hours. The attack can manifest at any site without notice: in the control room of a plant, within the corporate LAN, in the server segment of a data centre, at a store, kiosk or ATM, at a customer branch, a back office, a customer call centre or within a VM running in our public cloud. How quickly will a user at any of these locations find out about the attack?
  3. Do all our users, at every location and in every setting, know what is expected of them within the first 3 minutes of identifying a ransomware incident?
  4. What should our users not do when faced with a ransomware incident?
  5. To whom should they report when they encounter a ransomware attack?
  6. How will they communicate and report the incident if they cannot log in to their workstations because Active Directory and the systems that depend on it, such as email and chat, are affected?
  7. Is there a formally designated crisis manager (and a crisis management committee) who should be notified when a ransomware attack happens and who will lead the charge when a crisis occurs?
  8. Who are the ideal candidates for this committee, and why and how should they be chosen?
  9. Are their contact details readily available to everyone within (and possibly outside) the organization?
  10. What should the crisis management committee do as soon as it becomes aware of the incident?
  11. What basic information does the crisis management team need to get to work, where can they get it, and how soon should they have it?
  12. Is there a standardised set of questions to ask the user who first reported the incident in order to learn more about it? This should most likely take the form of a checklist that the reporting user fills in and shares with the crisis management team.
  13. Is there a standard playbook for the IT or security team to follow in the event of a ransomware incident?
  14. Does the IT/security team have the technology to capture, store and analyse the relevant logs from systems and devices to support an initial assessment?
  15. Which logs (OS, email gateway, proxy, anti-virus, network firewall, IDS, IPS, PIM, to name a few) will they need to make a reasonable assessment and to aid the subsequent investigation?
  16. How confident are they that they can retrieve these logs in a timely manner?
  17. Does our crisis management team have a documented playbook for assessing the impact of the breach on customers, suppliers, partners, production, operations and employees?
  18. How will our organization determine the extent or scope of the breach?
  19. Can we accurately determine the number of endpoints that are infected or at risk of infection?
  20. Do we have a ready reckoner to identify the specific business processes or departments likely to be affected by the attack?
  21. How do we determine what critical data is at risk? Is it just our data, or is third-party data also at stake?
  22. Should we halt all operations to stop the infection spreading, or accept the risk of letting hitherto unaffected operations run in business-as-usual mode?
  23. Are any third parties with whom we share network connectivity (leased lines or IPsec VPN) or remote access at risk or likely to be affected because of our breach?
  24. Based on the impact assessment, will our management be willing to pay or negotiate with the attackers?
  25. Do ransom payments explicitly violate the laws that apply to us?
  26. If our company has indeed identified paying the ransom as one of its strategic options, can it quickly establish protocols or contracts with trusted threat intelligence agencies or deep/dark web operatives who can negotiate or facilitate the payment to secure the decryption keys and the business/personal data?

If we have taken a principled stand of not engaging with the attackers, there are two choices to make:

Option 1 - Prioritising investigation - Get to the bottom of the incident by conducting a full-blown investigation to identify the root cause. This would involve an enterprise-wide compromise assessment to determine the full extent of the breach.

This will be a long-drawn-out exercise involving:

  • Forensic data acquisition
  • Extensive log, memory and file analysis across hundreds or thousands of endpoints and servers
  • Applying threat intelligence and malware reverse engineering to identify the specific malware, threat campaign and threat actor
  • Tracing any backdoors, malicious artifacts and unauthorised access, and expunging them from systems and the network
  • Re-imaging systems and restoring data from backups after security validation
  • Restoring operations only after the investigation lead gives the green light

  27. Do we have the in-house skills to handle a large-scale, enterprise-wide investigation? If not, should we build them?

  28. Can our existing IT or security vendors help us? If not, should we contract or onboard a security expert or incident response provider in advance, who can be at the affected site within 24 or 48 hours and work shoulder to shoulder with the company while it navigates the crisis, until the investigation concludes?
  29. Typical incident response contracts include predefined hour packages (ranging from 1

Option 2 - Prioritising recovery and operational continuity - Re-image affected systems, restore data as far as possible from backups and resume operations after a go-ahead from the IT/security team.

Option 1 demands significant financial resources, management time and oversight, effort from skilled third-party experts and operational losses, but is likely to provide higher assurance of a risk-free operating environment. Option 2 is quick and dirty and promises a faster return to BAU, with the residual risk of a repeat ransomware attack within the next few months hanging over it like the sword of Damocles.

  30. What is our organization's risk appetite?
  31. Does our organization have the financial appetite, patience, technology and expertise to sustain a prolonged breach investigation (Option 1), or will it prioritise operational continuity over investigation (Option 2)?
  32. What will our communication strategy be during the breach?
  33. Who should be authorised to communicate within and outside the organization?
  34. Will scheduled, scripted updates be issued to the media by an official spokesperson?
  35. Will the highest levels of management step forward to lead media communication?
  36. When, and by whom, will law enforcement, regulators, key suppliers and insurance providers be notified?
  37. Will we use social media to manage the communication campaign?
  38. Will the organization set up a hotline or a website to push updates to affected customers, concerned employees and partners?
  39. What mechanisms should be put in place to ensure that rumours or unverified narratives from staff or contractors do not hijack or undermine the company's response and recovery efforts?
    Norsk Hydro has shared the crisis communication strategy that helped it navigate the LockerGoga ransomware attack. You can watch it here.
  40. If our staff need temporary computing resources while investigation and recovery are under way, how can we quickly and cost-effectively provision them?
  41. Should we have disaster recovery agreements or contracts with vendors who can provide temporary laptops and servers on demand?
  42. How can we make sure that these laptops and servers comply with our security policies and baseline configurations? Should we keep backup copies of our pre-configured OS images in a secure cloud account, ready to download and install?
  43. Should we explore secure cloud-based VDI solutions as an operational continuity strategy?
  44. How about pre-configured VPN and Citrix-based remote access for all employees, in case their network or branch has to be shut down?
  45. Should we consider cloud-based email, office collaboration and secure messaging services for critical staff as part of our resumption strategy, so that business can resume with minimal downtime?
  46. Do we know the total impact on our revenue and profitability if a ransomware attack were to stop operations for a week, or for a month?
  47. Are we likely to breach any legal agreements with customers, partners or suppliers that could expose us to financial risk (SLA penalties, refunds, service credits, etc.) as a result of the attack?
  48. Are there gaps or vulnerabilities in our security architecture, monitoring coverage and processes that currently increase our ransomware risk? Should we engage independent third-party assessors to review our prevention, detection and response controls specifically against the ransomware threats currently seen in the industry?
  49. Can our critical business operations and production teams fall back on manual procedures if all our computer systems have to be shut down for an extended period, and which of our business procedures can no longer function manually?
  50. Do we need to invest in security technology or resources to mitigate the risk or impact of a ransomware attack, should we consider cyber insurance as a risk transfer strategy, or should we create an additional buffer in our contingency fund to account for such an event?

As we work through these questions, we begin to realise that managing a ransomware attack takes an organization-wide effort, of which IT security is an important but small part. Increasingly, what starts as a cyber security incident quickly morphs into a business continuity problem. There is an obvious need for coherence between the incident management, risk management, business continuity, disaster recovery and crisis management plans.

Creating a crisis management plan can be daunting and can easily become a six-month project if it is to be done well. Nor can it be tested properly in a day-long tabletop exercise.

However, framing the right questions provides a good starting point, focuses attention on what is important and helps us get to a better place.

That said, gray rhinos are fascinating but extremely dangerous creatures. Bryce Clemence, rhino guardian and anti-poaching team leader at Save Valley Conservancy, Zimbabwe, has shared some interesting facts and tips about rhinos, including a list of 16 life-saving tips for when you are faced with a charging rhino. Wildlife enthusiasts can read it here.

“Stand and do nothing” clearly doesn’t appear anywhere in the list.
