2023-02-22

It has happened yet again — another major ransomware campaign that has left thousands of companies and organizations scrambling to minimize the damage and trying to determine whether to pay the pirates. But despite its scope, the recent attack, exploiting a years-old vulnerability in VMware ESXi, a widely used hypervisor that is often exposed to the public internet, should have surprised no one who pays attention to cybersecurity.

The threat of such attacks has become so prevalent that no organization with an online presence can responsibly avoid the question: What should you do if your organization learns it has been the victim of a ransomware attack? In the case of the VMware attacks, many organizations, including ours, have posted remediation steps. But for any business connected to the internet — and what business isn’t in 2023? — first aid is no alternative to preventive medicine.

Ransomware is rampant throughout the U.S. and across the globe, according to an advisory jointly released last year by the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and its international partners. In 2021, ransomware attacks increased 13% globally, according to Verizon’s 2022 Data Breach Investigations Report, a rise “as big as the last five years combined.” While 2022 saw a drop in ransomware that many experts attribute to the war between Russia and Ukraine and its disruption of the cyber underworld, attackers are growing more sophisticated by the day.

We’ve almost reached the point where it’s not a matter of if but when an organization learns that a cybercriminal has encrypted its data and is holding it hostage, demanding a ransom to restore the data to a usable form. The more sophisticated ransomware operations even offer call centers that walk their targets through the process of setting up a bitcoin wallet to make an untraceable payment and regain access to their data. Whether it’s hospitals, schools, police departments, nonprofits, individuals or businesses of all sizes — no organization with an online presence is immune.

Here’s how to start thinking about the unthinkable.

The Initial Steps

The first thing we counsel when someone contacts us about a ransomware attack is acceptance. Take a breath. No one knows the extent of the threat at first, nor the best approach. First aid requires lowering the emotional temperature so that everyone can focus on the task at hand.

The next, most immediate task is containment. Think of ransomware as a virus spreading from device to device and file to file, encrypting data as it goes. Ideally, an organization’s IT team’s earliest action is to stop the spread. If not, that’s the priority: Stop the contagion and limit the potential damage.

The next step is an assessment. What was encrypted and is therefore inaccessible without the digital key that will unlock that data? Are there backups or other ways to restore that data? Too often an organization learns that its contingencies were not as foolproof as previously thought. There may be a backup, but maybe the last update was 48 hours before the attack. Or the backup does not include important files that are now inaccessible unless the ransom is paid.

What Manner of Beast?

Ransomware comes in many noxious varieties, so it’s important to figure out what specific variant — what type of attack software — has hit an organization. That will help determine the right course of action. Maybe the industry’s white hats or law enforcement agents have already figured out how to crack that particular variant.

Or maybe an organization has been hit by a variant that first encrypts the backups before hitting an organization’s data. In such a case, it’s possible an organization thinks it has backups but no longer has access to those files, either.
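The assessment above (stale, incomplete, or silently encrypted backups) can be turned into a routine check. The following is an added example, not code from the original post: it records a hash of each critical backup file when the backup is taken, then later flags files that are missing, older than an assumed recovery-point objective, or whose contents no longer match the recorded hash, which is how a variant that encrypts the backups first would show up. The function names, the 24-hour threshold and the out-of-band manifest store are assumptions.

```python
import hashlib
import time
from pathlib import Path

# Assumed recovery-point objective (hypothetical value): a backup last refreshed
# 48 hours before an incident, as in the text, is flagged as stale against it.
MAX_BACKUP_AGE_SECONDS = 24 * 3600


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, required_files):
    """Hash each critical file when the backup is taken. Store the result
    off the backup host (out-of-band store assumed), so a variant that
    encrypts backups cannot rewrite the reference hashes as well."""
    root = Path(backup_dir)
    return {rel: sha256_file(root / rel) for rel in required_files}


def check_backup(backup_dir, manifest, now=None, max_age=MAX_BACKUP_AGE_SECONDS):
    """Return findings for missing, stale or altered files; [] means healthy."""
    now = time.time() if now is None else now
    root = Path(backup_dir)
    findings = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            findings.append(f"missing: {rel}")
            continue
        age = now - path.stat().st_mtime
        if age > max_age:
            findings.append(f"stale: {rel} last written {age / 3600:.0f}h ago")
        if sha256_file(path) != expected:
            # Contents differ from what was recorded: corrupted, replaced, or
            # encrypted in place by ransomware that goes after backups first.
            findings.append(f"altered: {rel}")
    return findings


if __name__ == "__main__":  # constructed demo on a temporary directory
    import tempfile
    d = tempfile.mkdtemp()
    Path(d, "db.dump").write_bytes(b"constructed sample backup\n")
    print(check_backup(d, write_manifest(d, ["db.dump"])))  # []
```

Run the manifest step from the backup job and the check from a separate host; a manifest kept next to the backups would be encrypted along with them.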

To diagnose the disease, we always recommend that an organization bring in outsiders who specialize in these kinds of attacks. Even the world's largest companies turn to an outside firm to help them assess the problem and strategize a solution.

Why Not Pay the Ransom?

At the end of the day, paying the ransom is a business decision that is based on the risk exposure of the organization, but every victim should exhaust every avenue possible to not pay the ransom. The price is invariably steep – the median ransom demand in the first half of 2022 was $450,000. Unfortunately, even if a victim pays the ransom, there’s no guarantee that the systems will be ‘unharmed’ or that the threat actors haven’t saved a copy of the data for future extortion.

While the risk assessment may vary based on the organization’s mission and the extent of the damage, paying the ransom should never be the first option.

Proactive Best Practices

Ideally, an organization has already laid the groundwork for operational security practices, both internally and with partners by the time its CEO makes contact to report that they’ve been hit. In that scenario, they’ve conducted tabletop exercises, or practice sessions in which key employees walk through the steps that they need to take in case of a ransomware attack. These proactive organizations have also already made contact and developed relationships with the relevant law enforcement agencies and other experts. They have tested their backup systems and sought to harden them from attacks, just as they do with their core systems.

But if an organization has not yet considered the possibility of a ransomware attack and how it would respond, the time to do that is right now. If an organization is prepared and has ways to replicate any vital information it needs – then its CEO can sleep at night knowing that even in the face of the ‘almost inevitable,’ they are already one step ahead.

