The growing threat posed by ransomware attacks, including the latest Kaseya attack that impacted nearly 1,500 organizations, has forced the C-suite to think differently about the possibility of compromised systems. In the aftermath of Colonial and JBS, this attack highlights the critical need for businesses to plan for these events. Just as business leaders have an emergency preparedness plan for a natural disaster, it is critical to implement one for ransomware.
While these attacks had a substantial impact, quick action helped mitigate the scope of the damage. Had Colonial's leadership stalled on its response instead of quickly springing into action, the effects would have increased exponentially. Flights out of the southeast were already making stops due to limited fuel at their originating airports. Had the situation remained uncontained for much longer, our transportation infrastructure, which was critical to helping distribute COVID-19 vaccines and other essential services, would have been even more crippled.
But how can leaders prepare for a ransomware attack that could take an entire organization’s system offline? While CISA’s ransomware checklist is a great place to start, organizations should ready a comprehensive ransomware preparedness strategy ahead of time that is adapted depending upon the severity of an attack. Here are four steps leadership should follow in developing a ransomware response strategy.
1. Evaluate the Levels of Risk Ransomware Could Pose to Operations Ahead of Time and Conduct Tabletop Exercises
Organizations need to understand where they are most vulnerable, from their most critical operations to other seemingly innocuous areas like HR or business records.
In the case of Colonial, although the ransomware attack took down its payment system, company leadership also decided to shut down the pipeline’s oil production to mitigate damage. While some business operations may not be top of mind when thinking about potential ransomware impact, any business operation relying upon internet access is vulnerable. Organizations need to secure their most critical networks and think through how other business operations could be hampered by ransomware. If one segment of the business is compromised, it can have ripple effects across the entire enterprise.
2. Develop a Business Continuity Plan
It is critical to create a business continuity plan (BCP) and a disaster response plan (DRP) before any cyber incident, particularly a ransomware attack. These plans are critical to ensuring an organization can move quickly to get business up and running in the aftermath of an attack and mitigate damage. What systems could be held up by ransomware? Is valuable organization data backed up and encrypted regularly?
In high-stakes situations like ransomware attacks, company decision-makers must be involved from the get-go. Which leaders should be interested in these early-stage conversations? How will customers, key stakeholders, and the public be notified of the attack? Which entities should be engaged to help mitigate any additional risk?
Having plans in place is imperative, but practicing them is equally important. Tabletop exercises are critical to helping business leaders and managers get acquainted with the protocol beforehand. Knowing exactly who is responsible for what, and which strategies should be deployed when, is vital. Plans should be easily accessible, saved in a secure location, and even physically printed in case an attack results in a total system compromise.
3. Lay Out Your Payment Plan
If paying the ransom becomes the only path forward, it is crucial to have a payment plan in place. C-suite leaders need to determine ahead of time where the company funds will come from and who will be responsible for the conversion to cryptocurrency and subsequent payments.
Having these plans in place before an attack will make the response process more efficient and prevent further costly mistakes.
4. Focus on Prevention
Ensuring that suitable security protocols are implemented companywide serves as the first line of defense from ransomware attacks. Train employees on security best practices early and often, as basic cyber hygiene can prevent costly mistakes. Applying a solid zero-trust architecture is also a smart, common-sense way to reduce the impact of any cyberattack.
Ransomware is something no organization wants to experience; however, preparing for that possibility is vital. Planning for a ransomware attack can help limit fiscal damage and human risk resulting from inaction or a poorly executed response. Analyzing the potential scope and impact of a ransomware attack should be at the top of the C-suite priority list.