Ransomware Recovery: What to Do Next
Facing a ransomware attack? Don’t panic. Your first step is to assess the damage and the extent of the breach. This article walks through the critical decisions that follow, including whether to restore from backups, negotiate, or pay the ransom, and the risks that come with each choice. It draws on the insights of an independent ransomware negotiator and explains why cyber insurance is often the first call. Whether you are new to this landscape or just need a refresher, learn how to seek help discreetly and why robust cybersecurity is essential, and look at real-world examples such as the Colonial Pipeline and UnitedHealth attacks for a clearer picture of these high-stakes scenarios.
Discovering a ransomware infection can trigger panic. Screens flash warnings, servers are compromised, and data is potentially stolen. While some organizations opt to handle the situation independently, a growing market of firms offers guidance to extortion victims.
Andrew Carr, senior manager with Booz Allen’s Commercial Incident Response team, noted that most companies they assist explore all avenues before settling with threat actors. Less than 25% of organizations choose to negotiate and settle independently.
The initial step involves examining infected machines to understand the attack’s nature and identify the security weaknesses that allowed it. An independent ransomware negotiator emphasized that cyber insurance providers often assign experts for this purpose, given the increasing payouts related to ransomware incidents.
Companies typically clean their systems and restore them from backups. This thorough wiping is crucial because attackers may leave behind additional malware for future exploitation. Even after paying a ransom and receiving a decryption key, systems must be considered at risk until a comprehensive security check is performed.
When Payment Seems Necessary
Although most ransomware victims avoid payment, some feel compelled to pay due to lengthy restoration processes or inadequate backups. High-profile cases, such as the Colonial Pipeline and UnitedHealth attacks, illustrate situations where CEOs prioritized rapid service restoration.
The Colonial Pipeline attack led to panic buying and fuel shortages, prompting the decision to pay the ransom. Similarly, UnitedHealth paid $22 million in Bitcoin to the ALPHV/BlackCat gang after the Change Healthcare cyberattack disrupted pharmacies and prescription fulfillment. The ransomware negotiator noted that this case was a rare instance where the gang defrauded its own affiliates.
Ransomware infections typically include attacker contact details. Knowing who you are dealing with is crucial for negotiation. Ransomware-as-a-service operators often let affiliates handle intrusions but keep control over negotiations to protect their brand’s reputation. Trust is paramount, as a gang’s reputation for delivering decryption tools after payment makes future extortion easier.
“Trust is a massive part of this,” the ransomware negotiator said. “If the gang has a reputation for delivering a solution once victims have coughed up the fee, then it’s easier to extort money.”
Major ransomware gangs employ full-time staff for negotiations, malware development, and service delivery. Initial demands often hover around 5% of annual revenue. Prolonged negotiations can lead to price reductions, as extortionists prioritize rapid payouts.
However, exceptions exist. Some LockBit affiliates appear to be amateur teens using rent-a-ransomware kits, making them more likely to negotiate directly and potentially abscond with the money. A recent PowerSchool ransomware infection, originating from an attack on an unnamed telco, highlights this risk. Despite PowerSchool’s payment, the stolen data remained accessible, leading to further extortion attempts against customers.
Bitcoin remains the preferred payment method due to its convenience and perceived untraceability. While coin-mixing technology is improving, it is still possible to track Bitcoin transactions. Authorities recovered most of the Colonial Pipeline ransom, and a Dutch university profited from a recovered ransom due to Bitcoin’s rising value.
Seeking Help Discreetly
Carr advises discretion when hiring professionals to assist with ransomware incidents. “We don’t go in and say I’m from X company, here on behalf of this victim organization. You pretend, typically, that you are a member of that organization… Some of the groups actually have animosity towards professional organizations that assist in these cases.”
Similarly, concealing cyber insurance coverage during negotiations is vital. Dutch police revealed that criminals actively seek insurance-related documents to inflate ransom demands. However, most ransomware operators target vulnerable entities lacking basic endpoint protection. Larger companies should be capable of defending against most attackers.
Ultimately, paying ransoms funds further criminal activity, perpetuating future attacks. Carr stated that his involvement ends if a client decides to pay.
What’s next
Organizations should prioritize robust cybersecurity measures, including regular security audits, employee training, and up-to-date endpoint protection, to minimize the risk of ransomware attacks and data breaches.
