
When You Need Outside Help

We discussed the best-case scenario where your IR and DR plans were up-to-date and everything went well. What happens when it doesn't?

Best Laid Plans

We discussed initial response and implementing IR and DR plans and then demonstrated a best-case scenario after a ransomware attack. Backup servers escaped encryption, had been fully tested, and worked when needed. Incident response (IR) and disaster recovery (DR) plans were up-to-date and accessible and there was enough trained staff on hand to begin the recovery process. The recovery laid out on those pages is the ideal scenario and what every IR manager hopes for if they’re unfortunate enough to get hit with a ransomware attack.
The reality is that many organizations are unable to respond effectively to a large-scale ransomware attack, which is one of the reasons why ransomware groups made more than $350 million in 2020 and will likely make more in 2021. Even if an organization has properly configured and tested backups that the ransomware actors can’t encrypt, and has updated IR and DR plans, the third point is almost always a challenge: having enough trained personnel on staff to manage a quick and thorough recovery.
The shortage of cybersecurity employees has been well-documented, but that shortage isn’t evenly distributed. Larger organizations tend to offer better pay and benefits, which results in successfully hiring and retaining cybersecurity personnel. Meanwhile, small and midsize organizations sometimes have trouble attracting cybersecurity personnel (assuming there’s a budget for a separate security team at all). Research shows that an estimated 50% to 70% of ransomware attacks affect small businesses, so it’s no wonder so many ransomware victims depend on outside help to recover from a ransomware attack. When a devastating ransomware attack hits, these organizations don’t have any choice but to get help.

How To Determine You’re in Over Your Head

This site has stressed repeatedly that organizations have to be able to make an honest assessment of where they stand. The decision to call in outside experts is no different. Effective IR to a ransomware attack can take weeks and sometimes months. Ineffective IR can take even longer, and the impact on an organization can be devastating. This is what happened when the city of Baltimore was hit with a ransomware attack in 2019: poor planning plus inferior initial IR meant that the recovery process took months longer than it should have. Not only can poor ransomware IR lead to a second ransomware attack, it can cause firms to enter bankruptcy or force them to shut down.

If you’ve read other pages on this site about advance preparation and thought, “There’s no way we could do all that,” you should definitely consider retaining an IR service. Even organizations who think they can handle ransomware IR internally may find themselves overwhelmed by a ransomware attack and decide they need to bring in outside help.
Before enlisting outside help, you must also consider the cost. Hopefully, an organization suffering a ransomware attack knows how much money they’re losing each day they’re offline. Bringing in a third party should speed up the recovery, but will it save the $300 to $400 (or more) per person that the IR firm is going to cost? That’s something each organization has to decide for themselves.

Organizations Are Feeling Lost

One of the downsides to being known as the “ransomware guy” is that, with ransomware constantly in the news, I get a lot of questions from friends. One day I got a call from a lawyer friend who’s one of three partners in a midsize (for their location) law firm. They had been hit with ransomware and didn’t know what to do. The firm didn’t have an IT staff, much less a security staff.
Network management and updates were handled by a local IT person who serviced 10 to 12 clients in the county and who was, understandably, in over their head. After walking through what needed to be done, my friend realized they weren’t going to be able to recover any time soon, and they had clients with court dates that they didn’t want to postpone.
I put my lawyer friend in touch with another friend of mine who owned a local IR firm and who agreed to jump in to help them right away. Fortunately, they were able to restore the encrypted machines from tape (!) backups and the IR team couldn’t find any evidence that files had been exfiltrated.
This same story is taking place in smaller organizations around the world every day. Most of those organizations can’t call me or comparable experts directly and are often lost as to what to do, aside from searching the Internet and hoping they find the right solution.

Know Who To Call

Once it’s decided that outside help is needed, the next decision is—who, specifically? This question may be more difficult to answer. With the threat of ransomware as high as it is right now and not expected to get any better for at least the next five years, many IR firms are unable to take on new clients because their teams are stretched so thin.
This is why having the IR retainer (IRR) is so important. The last thing an organization wants when they’re having their “worst day ever” is to spend hours trying to find the one IR firm who can take on a new client. Every organization should take the time before a ransomware attack to research local IR firms (or even national and international ones, depending on the organization’s size) and sign an IRR agreement. An IRR in place makes it that much easier to bring in outside help, and helps get the organization back up and running faster.

Cyber Insurance

Organizations that have cyber insurance might already benefit from IR services as part of their cyber insurance offering. For organizations that can maintain cyber insurance policies, many of the outside vendors needed after a ransomware attack can be provided by the cyber insurance company.
These include:
Incident response
Forensic analysis
Disaster recovery
Outside legal counsel
Ransomware negotiators
Ransom payment

For small and midsize organizations, having cyber insurance can be the difference between successful recovery and closing the business. An important point here is that when you engage a cyber insurance provider, you’ll have to use its approved vendors. There’s nothing wrong with that, because cyber insurance providers carefully vet the vendors they use, but it does limit the choices available to an organization during an urgent time.

If an organization’s cyber insurance provider is going to play a critical role in the recovery process, it should be brought in as soon as possible. Place the call to the insurance company before even starting the initial triage, because they may have specific requirements for triage.
A word of warning needs to be added here: There is some evidence that ransomware groups are targeting victims who are known to have cyber insurance. One ransomware operator even referred to targets that have cyber insurance as “tasty morsels.” So, a cyber insurance policy may very slightly increase the risk of a ransomware attack.

Cyber Insurance Woes

This was mentioned earlier, but it bears repeating: Cyber insurance providers lost a lot of money in 2020 and 2021 because of ransomware. Their response to these losses is making it more difficult to get cyber insurance. Cyber insurance providers are raising rates and dropping clients who aren’t taking sufficient steps to secure their environments. Organizations whose entire IR and DR plans consist of “call the cyber insurance company” are going to struggle over the next few years as the industry resets itself.

Negotiators

Even if an organization has no intention of paying the ransom demand, it often makes sense to bring in an outside negotiator for the following reasons:
The ransomware group still likely has exfiltrated files
It’s always possible that major problems with the recovery will occur

As with IR firms, it’s better to have a negotiator on retainer than to scramble to find one at the last minute. Many IR firms have negotiators on staff, so an IRR might include access to a negotiator. All of this information should be laid out in the IRR and documented internally. Documentation should include what the negotiator needs in order to proceed with negotiations, should it become necessary. This way, the IR team can make sure they’re collecting and documenting the required information during triage.
Some cyber insurance providers have negotiators on retainer. The insurance company will make those negotiators available to their clients. Organizations should check with their cyber insurance company to see if a ransomware negotiator is included as part of their policy.

Tasks the Outside Experts Can and Cannot Help With

Outside help can smooth out the recovery process and get an organization back up and running fairly quickly. In order for that fast recovery to happen, your organization should prepare to work with these outside firms by doing the following:
Document as much about the environment as possible
Make security and event logs available to the investigators
Understand organizational priorities and realize that it will take time to recover fully

The first two points on this list can often be pieced together by the IR teams after the attack, but the effort would significantly delay the recovery process. So, the more an organization can provide up front, the faster recovery will proceed. The third item on the list has to be provided internally. IR firms can suggest priorities based on previous engagements, but only the organization can actually set its priorities.

IR and MSPs

Many small and midsize companies rely heavily on managed service providers (MSPs) and managed security service providers (MSSPs) to handle day-to-day IT operations and keep their organization safe. When a ransomware attack happens, the IR firm needs to interact with these firms to get much of the information that the IR firm needs. Organizations should determine how easy it is to get new authorized users added to their MSP or MSSP, and the documentation should be clearly laid out in the IR plan. If there are any legal, compliance, or regulatory issues with giving the IR team access to the logs and data hosted by the MSP, those should also be worked out in advance.

Expect Unexpected Speed Bumps

I was working on a ransomware IR with a manufacturing company that relied on an MSSP for security monitoring. The company brought in an outside IR firm to help with recovery. The IR firm needed 30 days of logs from the MSSP to determine when the ransomware actor gained access and how they moved around the network.
The MSSP made 60 days’ worth of logs available in their portal, but the IR firm wanted to download the logs in order to run the logs through their own analysis engine. Downloading 30 days’ worth of logs was going to take weeks, so we asked the MSSP whether they could send the logs on a portable drive. The MSSP’s policy was that it would take 14 days to prepare and ship the logs. After some escalation we got the MSSP to overnight the logs so analysis could begin.
This incident is one of many unexpected glitches that can happen when working with multiple outside vendors. Try to document as much as you can about each vendor’s requirements and prepare to be agile when you hit unexpected speed bumps.

Listen to the Experts

The last point on this page is the one that many organizations seem to have the most trouble accepting: Listen to the experts. Whether it’s the insurance company, IR firm, negotiator, or law enforcement, take seriously what they have to say. They’re not always objective, because all of these outside experts (except law enforcement) work for the firm that hired them, so they’ll often follow misguided instructions. But these firms have dealt with dozens if not hundreds of ransomware cases, so their insight can be invaluable.
One example of this principle is that cyber insurance firms often advise against paying a ransom. But organizations who feel they can get back up and running faster opt to have the insurance company pay the ransom for them. As explained by the Marsh McLennan cybersecurity insurer:
Insurers do not make decisions about whether to pay extortionists—the insurance buyer always makes the final call. The unfortunate truth is that—for many organizations—paying a ransom demand is the cheaper and more effective option. Even if cyber insurance absorbs the cost of a disruption, victims have many other considerations. How many initiatives will be sidelined as an organization flounders with its networks down? What happens to customers who depend on the services your company provides? What happens to your reputation? If an insured refuses to pay, its insurer supports the insured, paying network recovery costs and reimbursing it for income lost as a result of the attack.

Paying the ransom isn’t always the wrong decision, from an organizational perspective. But it’s still important to heed the advice of cyber insurance companies, negotiators, and IR firms, who often counsel otherwise.
That’s just one example. There are other areas where differences of opinion can arise. IR firms generally advise you to wipe infected machines fully clean or even replace and rebuild them from scratch, as described here. Some organizations want the encrypted systems just to be cleaned of known indicators and quickly added back to the network. Doing this greatly increases the chance of reinfection by the ransomware actor. It might save time in the short term, but long term it will likely be a costly mistake.
Again, there’s a reason to bring in experts after a ransomware attack. Listening closely to their advice and following their guidelines aren’t only going to improve the chances of a full recovery—they keep the organization more secure in the long run.

This site is adapted from a book on Ransomware. 