With a bit of luck the city of New Bedford, Mass., escaped having to pay a demanded US$5.3 million to criminals after suffering a ransomware attack last month.
The mayor of the city revealed Wednesday how 158 of the municipality’s workstations — less than five per cent of the total — were locked out by the malware. Fortunately, no critical systems were hit, and after the criminals rejected an offer of US$400,000 for the decryption keys to unlock the scrambled data, the city decided to restore the data from backups.
Your firm may not be lucky enough to have only non-critical systems trashed by ransomware. Experts agree preparation is the key to protecting against such attacks. But merely relying on backups isn’t enough. In a column for Security Week, Flashpoint CEO Josh Lefkowitz outlined what’s needed for a mature incident response (IR) plan for ransomware:
–A traditional IR plan won’t be enough. You have to face the fact that doing the usual things to restore business continuity may not put the pieces back together. The ransomware may have permanently made critical files inaccessible.
–Backups are a good defence, but they may not be perfect. Even the most secure backups can fail or may not be updated frequently enough. Accounting for these situations within a ransomware IR plan is crucial.
–Paying up may be necessary. Know in advance the conditions under which the organization may have to pay, whether there will be negotiations with the attacker, and how the firm will pay.
–Make sure all non-IT stakeholders — communications, legal, compliance, law enforcement — are brought in. There may be legal implications to paying up.
–Finally, test the plan with a tabletop exercise. “Many organizations don’t realize how unprepared they are for a ransomware attack until they experience one,” writes Lefkowitz. “The undoubted chaos and stress brought on by an attack can make it exceedingly difficult to understand, much less communicate and execute, an IR plan.”
According to a report last month from security vendor Vectra, ransomware is a fast and easy attack with a bigger payout than stealing and selling credit cards or personally identifiable information, because the value of that stolen data drops over time after a theft. Using hard-to-trace cryptocurrency for the ransom payment is an added advantage – so be better prepared.