Building an effective ransomware plan

The impacts of a ransomware attack are immediate, significant and hugely damaging to company reputation. Boards should be prepared.

Ransomware is defined by the FBI as: “A type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.”

Ransomware is one of the ever-growing categories of cybercrime that now affect organisations of all kinds across the world. While organisations across the private and state sector are on high alert due to the security impact of the Ukraine conflict, ransomware is a very distinct form of cyber attack. It evolved out of the initial wave of cyber crime that included phishing, ID theft and distributed denial of service (DDoS) attacks. It’s a simple concept: criminals deploy malware to a target network to hold its information to ransom. The malware may cause a device to become locked or unusable, or allow criminals to steal, delete or encrypt data.

It may also involve taking control of your devices to attack other organisations, obtaining credentials that allow access to your organisation’s systems or services that you use and even mining cryptocurrency. The criminals will then demand a ransom in return for restoring access to the affected data.

So “ransomware” in fact covers a whole range of criminal activity. From locker ransomware, a type of malware that blocks basic computer functions, to crypto-ransomware that aims to encrypt a company’s important data (such as documents, pictures and videos), ransomware essentially relies on companies allowing vulnerabilities to remain in their systems.

Ransomware’s big mainstream breakthrough came in 2017 with the enormous global impact of the WannaCry attack. In recent years, as with every aspect of criminal behaviour that relies on technology, the sophistication of ransomware attacks has increased enormously. With the development of “malware as a service”, even the least sophisticated cybercriminals can wield dangerously effective weapons with which to extort money from their victims. The fact that ransomware is now offered as its own category of service to cybercriminals looking to launch an attack demonstrates how widespread this technique has become.

This all leads to a set of urgent priorities for boards: they need to know what their crown jewels are; they need to know the exposures that they currently have; they need to understand what controls are in place to mitigate the risk and prevent attacks; and, in the event of an attack that does get through, they need to have a clear understanding of where accountability lies. Readiness to respond is the mark of a competent board.

The impacts of ransomware

The impacts of a ransomware attack vary in scale, scope and nature and can affect victims in a range of ways. That means there is no “one size fits all” mitigation solution; it also means that no organisation should be without a bespoke and resilient response to cope with the threat.

According to the most recent Sophos report, The State of Ransomware 2021, the impacts are growing. The report showed that:

  • 37% of respondents’ organisations were hit by ransomware in the last year.
  • 54% that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
  • 96% of those whose data was encrypted in the most significant ransomware attack got their data back.
  • The average ransom paid by mid-sized organisations was US$170,404.
  • On average, only 65% of the encrypted data was restored after the ransom was paid.
  • The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc. was US$1.85m.

It is important to note, however, that the figure of 37% of organisations reporting a ransomware attack represents a fall from 2017 levels (when 51% reported being the victim of an attack). This would suggest that more firms are taking the threat seriously and putting effective defences in place.

But for those who are hit, the impacts can be immediate, significant and enormously damaging. First and most importantly, a serious ransomware attack can instantly disable critical business systems, blocking access to business data. Ransomware can also lead to a loss of business continuity as access to critical systems and data is denied, leading to business operations being disabled overnight.

Last, and by no means least, the reputational damage that a ransomware attack can inflict is almost impossible to quantify. For any business, the perception that it can’t adequately protect its own systems and data can be ruinous. Why would clients and customers entrust their sensitive data to an organisation that has demonstrated an inability to adequately protect its own?

An effective ransomware response plan

For board directors, the questions around this are significant. Is there clear ownership of this issue at C-suite level? Do directors understand their risk appetite, and what critical assets could be affected by any attack? Are they also aware of the levels of investment that are required to equip the organisation with the necessary defensive systems and processes? All of these pressing questions can be addressed by implementing an effective ransomware response plan.

Testing times
Central to designing an effective response is regularly testing existing systems to identify vulnerabilities and deal with them. This will typically take two forms: tabletop testing or a full attack simulation. A tabletop simulation would typically involve gathering team members in one place to explore and walk through various scenarios.

A tabletop simulation—in most cases—will be of most benefit to senior board directors. These usually take a day to complete and would be followed up with a report to capture observations on the response. Were lines of responsibility clearly understood? Were decisions taken in the right way with the necessary clarity and speed? Were there adequate policies and guidance to rely on to demonstrate an effective response? Does our response plan work?

Alternatively, a Red Team simulation—focused on the technical teams and their response—would use the same techniques as a cybercriminal intent on penetrating a company’s system with ransomware in order to test the controls. Ethical hacking teams run malware and exfiltrate data and then produce a report outlining findings and recommendations.

Regular updates
It’s also vital to point out that an effective response to a ransomware threat isn’t a project, but a process. Boards must commit to making this an ongoing part of their risk management strategy. To do that, technical teams need to be brought into the process to ensure the organisation has accurate and complete information to develop cybersecurity metrics and to decide whether the targets are reasonable. They must also provide the board with assurance that the necessary teams are tracking aspirational metrics that they intend to operationalise.

Language lessons
Cyber risk is no different to any other technology-specific issue in that it can create a disconnect between the board setting the strategy and the technical functions tasked with delivering it. Technical teams do sometimes struggle to translate technical risk into business risk. Effective communication can be achieved, but it requires time and education: for the board to better understand the risk and ask the right questions; and for technical teams to better align their processes with key risks—and to articulate that in a clear way as part of the ransomware response plan.

Boards must therefore compile a list of key questions for their technical teams. For example:

  • Do we have an effective organisation and governance structure to manage cyber risk?
  • Are we capturing the right information?
  • How prepared are we to respond if a ransomware attack cripples our system?
  • Is there clear ownership and accountability across all levels?
  • Do we have internal and external threat intelligence?
  • Are we acting on alerts?
  • Which risk would have a significant impact on the business operating model?
  • Do we know where our assets are? Do we know what data is held on our systems? Can they be restored quickly?
  • How are we addressing gaps in controls?
  • Do we have compensating controls?
  • Have we tested resilience plans for a wide range of threats?
  • Are we aware of what needs to be done in order to meet insurance obligations?

This is not just a technical and compliance issue. Understanding the business’s exposure to—and mitigation of—ransomware must be a key board priority if the board is to formulate an effective response plan.

Lines of accountability
Central to this is the company’s readiness to respond in the event of an attack. The business must know what to do and who should do it. First, what is the level of compromise? No two ransomware attacks are the same, and so each individual instance requires a bespoke response. Indeed, it’s fair to say there have been examples of over-reaction to ransomware attacks where senior executives have in fact inflamed fears and generated a more adverse reaction among stakeholders and the media than was actually warranted. So boards should make sure they have the right information before they share it with media, suppliers, customers and so on.

This involves the board setting out a clear line of accountability and responsibility, retaining oversight of the critical responses (including any public response) and delegating where appropriate.

It is therefore critical that directors understand their role should a ransomware incident occur. Typically these may include:

  • liaising with authorities
  • handling external communications if appropriate
  • notifying key stakeholders (suppliers, staff, banks etc)
  • co-ordinating the technical response
  • managing remediation

Making the case
Typically the CTO should take a lead on making the investment case for a robust, regularly updated ransomware response plan. They may want to include other board members and functions, such as internal audit, the chief IT security officer (CISO) or the audit committee chair, with the conversations happening at a high level.

A growing number of businesses now have a separate agenda for cybersecurity, with budgets allocated and ringfenced, reflecting the growing and evolving threat.

Training
Board directors should consider whether they could benefit from appropriate training to better understand the risks around ransomware. Non-executive directors may well bring outside knowledge, but directors who have a better understanding of the risks around ransomware are not only more likely to generate internal insight into strategies, but also better able to challenge technical teams (and external experts) on the validity of the controls and solutions they are procuring and suggesting.

Investing in board-level training to bring directors up to a good standard of technical knowledge and overall risk awareness may make a significant difference to your response.