Old misconceptions of lone hackers sitting in dark basements are long gone, replaced by a new wave of cybercrime-as-a-service models that marks a new era. Operating like many other businesses, ransomware and other cybercrime gangs have a business structure, “customer” support, and an org chart. How can organizations communicate effectively with the threat actors that are attacking their systems with ransomware?
If your organization is facing a ransomware attack or wants to prepare for what many cybersecurity professionals think is inevitable, a ransomware response team is vital. Putting together your team might feel daunting, but the right group of people can minimize the damage to your organization. GroupSense’s ransomware experts put together a primer on who should be on your ransomware response bench.
Role: Tactical and Strategic
- Often the first to identify symptoms of a potential ransomware incident
- Usually IT, operations, or cybersecurity
- Executive(s) who can iterate and make decisions against desired outcomes—best/worst-case scenarios
- Authorize and coordinate financial transactions, especially if your organization will pay the ransom
- Document how your organization discovered the attack, which operational areas were impacted, and how
- Loop in required internal resources as appropriate (e.g., security office or CISO, CFO, communications or investor relations)
- Identify who can authorize necessary third-party support and who will lead from the organization
- Facilitate recovery efforts
Role: Tactical and Strategic
- Provides additional context to data provided by the IR team—ideally providing complementary insights to inform decision-making over the course of negotiation, remediation, and recovery
- Brings the ability to search the dark web and Tor sites to see the extent of exposure
- Provides critical information about the threat actor or threat actor groups
- Informs your organization of who you are dealing with, how they operate, where they operate from, which tools and strategies are typically used, and how much they typically settle for
- May be monitoring underground international forums for stolen intellectual property or customer data
THREAT ACTOR ENGAGEMENT AKA RANSOMWARE NEGOTIATOR:
- Third-party cybersecurity experts have special skills in threat actor identification, profiling, negotiation, and dark web monitoring
- Threat actor negotiation is not an incident response function
- Intermediary between you and the threat actor
- Determine who you’re really dealing with early on—group vs. individual, geography, intelligence on means, methods, and motivations
- Communicate with executive stakeholders
- Plan and execute negotiations aligned with your specific objectives and outcomes (e.g., budget, timeline, assets)
- Advise on how to manage risk, individuals within the organization, and other related parties
- Facilitate secure financial transactions
- May be an internal security team or a third-party cybersecurity team
- Focused on forensics, identification and containment, and recovery
- Bring deep technical expertise in malware
- Determine point/method of entry
- Provide further insight into the scope of compromise—catalog system impacts and identify whether data was exfiltrated (stolen)
INSURER (IF YOU HAVE A CYBER POLICY):
- Administer and settle claims against your cyber insurance policy
- Represents insurance interests to minimize financial risks associated with the situation
- Observes proceedings and offers recommendations throughout
- The trend is to pay some ransom to reduce delay and costs associated with prolonged data recovery and PR efforts
Together, your ransomware response team should establish clear lines of communication with executives, employees, and customers when appropriate. Because so much is on the line, it’s natural for stakeholders’ emotions to run high, but emotionality and anger have no place in the ransomware negotiation process. Reframe these negotiations for what they are: business negotiations.
In the roles laid out above, your team should focus on accomplishing key objectives:
- More secure operations moving forward; don’t let this event paralyze your business.
- Get control back by knowing the extent of the compromise, verifying you have stopped the bleeding, and recovering your data without severe harm to your customers and company.
- Communicate frequently and honestly to build trust internally and externally.
- Set clear expectations and outcomes you want to achieve to close this event out; it’s not only about the payment, and you can minimize unplanned costs.
- If you decide to pay the ransom, determine how to pay without further harm; record what you learn and refine your ransomware response plan.