Is Your Business Continuity Plan Prepared to Respond to a Ransomware Attack?
It's pretty clear that cyberattacks (including ransomware attacks) have been on the rise for the past several years, causing loss of productivity, damage to reputation and, of course, impact on the bottom line. More than 50% of businesses surveyed in the Sophos Annual Ransomware Survey in 2020 suffered a significant ransomware attack. Globally, ransomware attacks are projected to cost close to $20 billion in 2021.
Many companies are unprepared to deal with such an intrusion. What's your plan if you suddenly see a ransomware screen and then receive a demand for ransom? Have you and your crisis team discussed how you would handle the situation? If not, it's definitely time to determine what you need to be prepared for if you are attacked. Questions need to be answered before an attack occurs; you won't have time to start from zero once you have been attacked. Below we discuss some of the areas you need to be prepared to address.
A cyber crisis, whether ransomware or some other attack, requires immediacy on the part of your organization, so you already need to have some answers on how to handle this crisis. For example, have your management team and the executive board decided whether or not they would pay a ransom? If they decide to pay, do they have an emergency fund or access to bitcoin to pay the ransom? The FBI recommends that ransoms not be paid, because payment is no guarantee that you will get your data back; some experts say that only one in four victims actually recovers their data. In many cases, companies pay and are then asked for more money to receive an encryption key. Also, victims who paid were often targeted again.
Another question is whether to report an attack to the authorities. Obviously, ransomware attackers are bad actors but might also be terrorists or hostile nations. The Department of the Treasury's Office of Foreign Assets Control (OFAC) has a list of groups that are prohibited from receiving money from US companies or organizations. There are penalties for making such payments, whether you knew who the group was or not (and usually these groups don't identify themselves). OFAC recommends notifying and cooperating with law enforcement because that could be a mitigating factor when determining penalties. In light of this, part of your crisis planning should include who will notify the authorities (local and FBI); all the necessary contact information should be included in the plan.
You might think "Well, we have backups; we'll just use them." You followed the 3-2-1 backup rule - three copies on two different media types and one copy in another location - so why shouldn't you use them? But there might be some things to consider before using those backups. Your plan should include information on whether there may be regulatory or compliance implications of using those backups before steps are taken to identify exactly how the systems were affected. Also, can your IT Department identify how long the attackers have been in your systems? If they did much of the damage a week ago and you restore to yesterday's backups, you're still not safe. You also need to ensure that your offsite data location hasn't been affected before you can switch to those backups. All of this needs to be part of your crisis management and business continuity plan. Should you call in a forensics team to aid in the investigation?
Finally, you must manage the story because you could have as little as 30 minutes before the news is out about the attack. Effective crisis communication helps preserve a business's credibility, reputation, and value. Your plan should identify who the spokesperson or persons will be and how much information you will release. How will you release info to the media? If customer or client information has been accessed, then those companies or individuals also must be notified; identify how that will be handled and by whom. Is there an employee notification plan in place? If not, that is another area that needs attention. In addition, will there be special phone numbers or email addresses that can be used by media and other stakeholders to get information about the attack?
As with any other crisis, planning is key to surviving a ransomware attack and the time to plan is now. Waiting is not an option.
Copyright (C) 2021 Attainium Corp - All rights reserved.