We recently asked renowned ransomware expert Allan Liska: "What should you do if you've been encrypted?" See his response in this video, and in case you missed it, here's the transcript:
James Green:
So let’s say I just came in, it’s Monday morning and I discovered that over the weekend, all my files have been encrypted. Too late to catch this thing early. Things have gone completely sideways. What do I do now?
Allan Liska:
So the first thing you have to do is triage the situation. A lot of small and medium-sized businesses don't have their own incident response departments. So it's largely going to fall on security and IT staff to now become incident response handlers. And one of the things you need to do is understand the scope of the attack. How many systems were encrypted? Are your backups still safe? Were they encrypted by the ransomware actor? Is the attack still ongoing? It may look like everything's encrypted, but the ransomware actor may still be in the network and still be trying to encrypt systems. So really understand the scope of the attack. And then you kind of have to assemble your team that's going to be responsible for the actual incident handling.
So incident handling is not just the IT part of it, the recovering the systems and all that. You have communications, you have your legal counsel, you have all of those people that need to be involved and you need to get them into a room, get a bridge open so that you can update and communicate with your senior leadership team to make sure they’re aware of what’s going on and what the status is. And likely many of these small and medium companies are going to be in over their heads. So you’re going to want to reach out. If you have a managed service provider that does a lot of your IT work, probably reach out to them and find out, Hey, what do we need to do next? Depending on what industry you’re in there are ISACs, information sharing and analysis centers that are sector specific. You may be able to reach out to them.
Sometimes they'll only work with members, but often if you're in that industry, they can at least give you a little bit of advice. And don't be afraid to reach out to your security companies. Even small and medium-sized businesses have security vendors they work with, whether it's antivirus or firewall or whatever, and say, Hey, we're hit with ransomware. What can we do? What do we need to do next to kind of get some help? So those are kind of the first initial steps you're going to have to do. And you kind of, unfortunately, have to do all of those at once. It's not, let's do one, then the other, then the other. You really have to start getting all of this together at the same time, because you want to make sure that you're covering the full extent of the attack.
James Green:
Okay. So to summarize what I heard, you’re going to assemble a team, if you don’t already have a dedicated incident team or a third party retained to do that. Going to assemble a team, which has everybody who is involved from a business standpoint, not just IT and security, but legal, communications, everybody who’s going to help respond to this incident. Get going on that. In the meantime, be checking out backups and see are we going to be able to restore? Do we have good backups? And be looking to see, is the attack still ongoing or is it basically stopped at this point? Looking for, could we stop some things before it gets worse? You mentioned contacting sort of external help. How do I know as like the leader of that incident response team when we’re in over our head and we need to start reaching out to perhaps an incident response company to come in and take over this situation and help us out?
Allan Liska:
So, honestly it depends on the experience and preparedness of the team. It varies from organization to organization, but again, if you’re coming in and you don’t have an incident response plan, you don’t have a disaster recovery plan, that your team has never really prepared for a ransomware attack. Most likely you’re in over your head. Most likely you’re looking at this going, oh my God, I don’t know what to do. I don’t have a good feel. So hopefully you have either cyber insurance or you have an incident response company on retainer that you can pull in and start getting them involved in working with your organization.
James Green:
I’ve heard that just because of the state of ransomware and of the industry, that companies trying to reach a third party to help in the moment of crisis sometimes have to wait because the entire industry is so busy. And so the recommendation is to basically get engaged with these people before you need them. You’re a full-time incident responder, and you’re looking at this stuff all the time. Is that an accurate assessment? What should people do now?
Allan Liska:
Yeah, unfortunately, contacting an incident response company after you’ve been hit with ransomware right now is really, really challenging. Finding an incident response company that has people available to send on site and help with the recovery process can be really difficult. This is where you really want to work with your vendors, your existing vendors. If you don’t have an incident response company on retainer, you want to work with your existing vendors to see if they have teams they can bring on board because you already have that relationship.
So if you’ve been working with a managed service provider, they may have an incident response unit that can come on site. If you have security vendors that you work with, some of the antivirus companies, some of the firewall companies have incident responders that they can come on site. But if you’re trying to reach out to a third party incident response vendor, and you don’t have that preexisting relationship, it can often be very difficult to get them on site. And it will be a lot more expensive because keeping people readily available, costs them a lot of money and they charge more by the hour,
James Green:
Sure.
Allan Liska:
For that, so. But yes, in general, it can be really hard. There are still incident response companies that will come in and do that. Just expect that you're going to pay, unfortunately, an awful lot more for that kind of activity.
James Green:
Okay. So for anybody who's watching this, who's fortunate enough to be ahead of it and they could do this now, consider retaining an incident response company in the event that you ever need them. And if you're too late and already dealing with a situation, MSP, if you've got one. Start contacting your security vendors and see what they can do to help you. And perhaps they have an incident response team that can help.
Allan Liska:
Right. And one of the nice things is many incident response companies have a $0 retainer. So it doesn't cost you anything to retain them. But what they're trying to do is try to get all the paperwork out of the way, because even in the middle of an emergency, incident response contracts can be complex. And there's a lot of legal maneuvering that needs to go back and forth. So having even one of those $0 retainers means that you have somebody on staff and you've already worked out all the legal potential problems. And so you can call them right away. So it's not even necessarily a cost. It's just many small and medium businesses don't think about that ahead of time.
James Green:
Thanks so much, Allan.
Allan Liska:
Thank you.