

of participants including senior management, internal technical team members, investors and stakeholders, suppliers, customers, insurance providers, regulators, law enforcement, and media.

Finally, depending on the tempo and velocity of the threat indicators, senior management may take preemptive protective actions. These would include redundancy of locked data or taking specific systems offline and powering them down. These defense response systems are managed by the R -2 team with senior executive approval and include automated tools and manual processes.

R -0 (R minus 0): Ransomware Attack Phase

R -0 is the attack phase. The goal of R -0 is to manage the attack to minimize the total economic impact. The fundamental problem in this phase is time. Everything must be done immediately and in sync as the attack progresses. 

As such, the organization needs specific plans with detailed contingencies for responding immediately. These plans should include “what if” action trees, a prioritized list of the top five to ten immediate actions, primary and secondary alternative communication paths for key personnel, and communication plans and resource maps.

The most important issues in the attack phase are the things not to do. These include responding to executives asking for status or communications outside of the attack response plans; attempting to determine the source of the attack; contacting the attackers before a proper negotiation team is in place and prepared to start negotiations; and more. There will be other things not to do that are unique to the organization. Define and prepare for these in advance.

The R -2 team and tool set may have abilities to partially halt and recover from ransomware attacks. Plans for executing recovery should also be in place before an attack.

Planning and preparing for R -0 is a complex and expensive task. Loss containment may be challenging to quantify in advance of an attack, but lack of planning comes at a much higher cost.

R +2 (R plus 2): Ransomware Minimization Phase

R +2 is the post-attack phase. Even with the best advanced detection of smells and R -0 event management and recovery, you may be forced into a position to negotiate with the attackers.

The goal of R +2 is to manage and minimize the total economic impact of the attack. Because of the complexity of these dialogues and negotiations, most organizations should prepare contingency plans and what-if plans for the negotiations. Negotiating with a ransomware attacker is unlike any other negotiation. It is tempting to think that an organization’s leadership or staff can successfully negotiate with the attacker. It’s a good idea to remember what a famous lawyer is often quoted as saying, “A lawyer that represents himself has a fool for a client.” Having negotiation support from an experienced ransomware negotiator is critical. As part of the planning process, there should be a clear, mandated way to get this support, either contracted in advance or via a clear process to quickly obtain it. This includes a clear mandate that nobody in the organization is to contact the attacker until a proper negotiation team is in place.

Negotiation must include making arrangements for payment. This means acquiring a cryptocurrency, and this may not be as simple as it seems, especially when under attack. In addition to negotiating payment, it’s essential to track restoration and assurance that any exfiltrated data will not be passed to others.

After the recovery is over, the ransomware process should be updated based on what was learned in the attack. 

Continual Ransomware Preparation

Ransomware is a complex and changing threat to organizations today. All organizations need detailed processes and procedures that are constantly maintained. Many organizations may have implemented something similar. But, unfortunately, far too many organizations have poor or incorrect preparation. What is presented here is a very brief overview of a detailed process. If you want to learn more, you may contact BCI for further information and access to its panel of experts.


