
We’ve come a long way since the first ransomware attack in 1989, which was distributed on floppy disks. Today’s cyber criminals are far more sophisticated, launching attacks that Cybersecurity Ventures predicts will cost victims up to $275 billion per year by 2031.
With these escalating attacks comes escalating concern for companies of all sizes: how can you anticipate, navigate and recover from an ever-changing array of threats?
These essential considerations and best practices are a great place to start:
Expect the Unexpected
As with most crisis scenarios, the best defense is thorough preparation. Prior experience with a ransomware attack helps, but every incident differs in what data is involved, how the supply chain is affected and more. Thinking through as many scenarios as possible ahead of time, establishing decision trees and pressure-testing those plans puts any company in a better position to respond to even the most complex attack.
Additionally, ransomware today is no longer just an IT matter for the company at large – these are now senior leadership events that may directly involve the CEO, the General Counsel and the like. Rather than wait for on-the-job training, organizations should run communications-focused tabletop exercises that simulate high-pressure situations, giving leadership teams an opportunity to work together, identify gaps in existing preparations and map out clear game plans for how they will respond.
Still, however much you prepare, a real ransomware attack can be incredibly distressing. Many attacks now include personal threats, deepfakes or other new technologies and demands for which even the best simulation cannot fully prepare you. Thinking clearly and calmly in the moment is key. Response teams need to recognize this, take the time to pause and bring in the outside advisors they need (including legal, communications and technical experts).
Best Practices for Communication
The same discipline applies to communications. When an attack strikes, leaders are often tempted to overcommunicate or paint a rosy picture, especially when clients, customers and employees are pressing for information. However, unlike, say, an outage, which can be resolved in hours or days, forensic reviews in a ransomware incident can take weeks or even months to complete. Speaking too soon or saying too much in the early days can undermine trust and signal a lack of control.
Instead, consult counsel, review pre-established protocols and take the time to fully understand the situation before issuing any communications.
When the time does come for a statement, be open and honest. While ransomware attacks once carried a stigma, their increased prevalence has made stakeholders more sympathetic. Speaking candidly bolsters their faith in the organization and helps maintain their trust. This holds across audiences, and especially for employees and large customers, who will want to hear directly from the company. They may even want time with your CISO or another company leader. Advance preparation frees up your leadership to meet these requests from key stakeholders.
Engaging with Threat Actors
What about communicating with the threat actors themselves? Such engagement carries its own risks, and legal counsel and experienced ransomware negotiators can advise on whether and how to do so. They can also help ensure that any communications yield important insight into exactly what data is compromised and what the attackers are demanding.
The organization needs all the facts to decide how to proceed, and may later need to point back to this fact-gathering exercise should the criminals try to worsen the situation by making false statements about the company’s actions. Collect all available intelligence before moving forward, so that your reputation is protected.
Whether or not you choose to engage directly with threat actors, remember that they will be monitoring all public communications about the incident. While it may be tempting to disparage the criminals who attacked you, doing so can provoke them into escalating their efforts to inflict pain on the organization.
The bottom line is that every organization, and every senior leader, should be prepared for the worst, so that when it does strike they can minimize reputational harm by working through the situation with confidence and competence.
Learn more about how to handle modern ransomware attacks from a masterclass at the recent Incident Response Forum, where Trent Duffy, Partner and Head of FGS Global’s Cybersecurity Practice, explored these themes.