Summary
Responding to ransomware attacks includes both data recovery and digital forensics and incident response (DFIR). This document discusses strategies for data recovery. The typical DFIR process remains critical and should not be neglected.
There are three realistic strategies to recover the encrypted data:
Strategy 1: Pay the ransom, and wish that the threat actors (TAs) are true professionals.
Strategy 2: Search for weaknesses in the ransomware, and wish that the TAs are amateurs.
Strategy 3: Accept the loss, and wish that your backup and recovery plans are sufficient.
These strategies are not mutually exclusive. On the contrary, we advise you to explore all three strategies for the best possible recovery outcome.
You can only truly control one element across all the strategies: your investment and support for competent technical teams to execute these strategies.
Regardless of whether you choose to negotiate with the TAs, you should never publicly comment on or announce your decision.
Strategy 1: Pay the ransom
This is a common reaction to a ransomware attack. Ethical considerations aside, it is a quick and cost-effective response. TAs know this, and this is why ransomware attacks continue. Organizations know this too, even though most are hesitant to acknowledge that this strategy exists.
Here are some of the main reasons why organizations pick this strategy:
Unless you are confident that your backup plan is sufficient and your recovery plan can be well executed, this is likely the fastest path to recovery. Decrypting a large amount of data is no easy feat. However, it is still much easier than rebuilding or recovering from an incomplete backup.
A quick solution is also a cheap solution. Continued downtime costs organizations much more than the ransom amount. There is little technical difference between paying the ransom to recover quickly from downtime and paying an expert consulting firm to solve a problem. At the end of the day, it is a cost-benefit analysis.
Ransomware attacks rarely happen in a vacuum. Typically, ransomware is deployed after successful data theft. The risk of having proprietary and customer data potentially exposed and sold is a strong reason for organizations to pay the ransom and ask for the data to be destroyed.
The caveat of this strategy is that you are wishing the TAs are true “crime professionals.” At the very least, the TAs need to be technically competent enough to design and implement a correct encryption and decryption scheme. The TAs, for their part, have a reputation to protect: that they can and will deliver a working decryption tool. They also have to keep their word and not release proprietary and customer data. The need to understand the TAs’ modus operandi further emphasizes the importance of collecting, curating, and sharing threat intelligence across the industry. The more willing we are to share the lessons we learned and the challenges we faced, the better we can prepare our peers to respond to the same threats. This shared intelligence plays a critical role in evaluating and planning the most suitable response.
Regardless of whether this is an option you would like to explore, we strongly advise against publicly discussing your decision. Admitting that you are working and negotiating with the TAs makes you a more attractive target for additional attacks. On the other hand, claiming that you would never negotiate with the TAs may be seen as a challenge and also attract more attention. In either case, once your organization grows to a certain size, you will likely appear on cyber criminals’ radar because of the potential financial gain.
In addition, do not underestimate the challenge of recovering a large portion of the infrastructure even with the decryption key and tools in hand. Depending on how much of the infrastructure is impacted, recovery may take days or even weeks. You should communicate this timeline early and clearly to set the right expectations for stakeholders.
We also advise organizations to avoid engaging with the TAs directly. Instead, work with a third party that has the technical expertise and experience to help you navigate the negotiation process. How to pay the ransom, and what you can get in return, are even more important than making the hard choice to pay in the first place.
Strategy 2: Look for bugs in the ransomware
Analyzing binaries is hard. Analyzing obfuscated ransomware is even harder. It is like traversing mountain paths for days to map out where every turn leads. Finding a crypto-breaking bug in ransomware can be as rare as finding a unicorn on a dead-end path up the mountain in the middle of the night. We may traverse every path only to realize that there are no unicorns on this mountain.
This strategy is slow and expensive. The effort may not even pay off in the end. Therefore, most firms likely won't consider this option. Even if you do, you may not have the technical expertise and help you need to pursue it.
However, it is worth investing in analyzing and understanding the ransomware. Crypto-breaking bugs may be rare, but they are not impossible to find, and ransomware authors may not fully understand how to use cryptography correctly. The only way to determine whether any of the data can be recovered is a long and detailed analysis of the ransomware by an expert team. A rushed evaluation would likely be incorrect and would waste valuable time and resources during the recovery process.
In addition, a completed analysis can reassure you that there are no exploitable bugs in the encryption and decryption process. It also helps the technical team understand and potentially improve the recovery process. This is an investment that should be considered early in an incident; the analysis can happen in the background while the incident response is ongoing.
Strategy 3: Recover from a backup
This is the ideal strategy for every firm. Imagine this: disaster strikes, and ransomware is deployed on your systems. However, your Security Operations Center (SOC) team quickly identifies the infected systems, isolates them, and eradicates the threat. The SOC team then works with the engineering team to recover the affected systems with minimal impact on your business.
Ideal as it may be, this scenario is far rarer than we wish for in reality. To achieve this, you need to make the following investments in your technical teams:
Design, implement, and regularly evaluate a backup and recovery plan that minimizes data loss.
Build, grow, and regularly evaluate a SOC team that is capable of detecting and responding to ransomware attacks.
This is the most important requirement: Continuously invest in the technical teams every year despite not having any incidents.
Investing in a strong technical team is expensive and demanding. You need technical talent, resources, and most importantly commitment to grow your technical teams. A strong technical team can reduce the likelihood of incidents. When disasters like ransomware strike, the SOC team is also the first line of response. Their triage and analysis will drive the initial reaction to the incident, which can potentially save days or weeks of effort down the road.
This strategy also assumes that you fully understand the business value of the encrypted data. A practical question to ask as you evaluate each strategy is: “If the data cannot be recovered, what are the potential costs to the organization, both financial and non-financial?” Answering this provides the data needed to justify a decision to accept the loss.
Final words
Ideally, you should have the option to consider all three strategies when a ransomware attack occurs. Strong technical teams can provide valuable intelligence when evaluating each strategy. For example, the SOC team’s initial triage and investigation can help answer whether any proprietary or customer data was actually breached. If not, the main value of the first strategy is simply a quicker recovery. The ransomware analysis may identify critical bugs that prevent even the TAs from decrypting your data; if so, the value of paying the ransom drops significantly.
The reality is that no organization is immune to cyber attacks. The only thing we can do is be prepared to respond appropriately when attacks happen. Your commitment to and investment in cyber readiness is the only element you control in the ever-changing threat landscape. You have to decide how much you are willing to commit and invest in your defensive capabilities. This will ultimately decide which strategies, if any, you can pursue when disaster strikes.