Building Cyber Resilience Against Ransomware Attacks
Published 2024-12-03 17:37:21 on blog.nviso.eu


Or, “Yet another ransomware blog post?”

“Yet another ransomware blog post?” I hear you asking.

Well, yes! Besides, ransomware attacks have been on the rise again, costing affected organizations and industries more than ever. Let’s dive into some numbers to set the stage:

According to IBM and the Ponemon Institute, in 2024 the average cost of a ransomware attack climbed to USD 5.24 million. This rise in cost reflects the growing sophistication of ransomware attacks, including the use of ransomware-as-a-service and the targeting of supply chains, which can extend the impact beyond the initial victim to additional networks and systems.

To top it off, this has brought quite a few changes to the regulatory landscape, resulting in more robust regulatory frameworks such as the NIS2 Directive and the CRA (Cyber Resilience Act). These regulations, while valuable, pose challenges for organizations trying to comply. Many are left wondering, “Another regulation? What do we need to do now? How do we increase our resilience against threats like ransomware while meeting compliance?”

At NVISO we want to view security as a business enabler, so we ask ourselves “could we meet organizations at their current readiness level and help them identify tangible next steps to take to develop actual resilience against ransomware, while attaining compliance requirements?” This led us to create a series of blog posts to guide organizations in building resilience against ransomware attacks while meeting regulatory requirements.

This is the first blog post in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts, and to offer a conceptual framework to guide effective resilience building.

The “headless chicken” effect

For the purposes of this blog post, let’s consider how a ransomware attack typically plays out in an underprepared organization.

This scenario is examined from three distinct points of view:

  • The end-user who inadvertently initiates the attack
  • The senior management grappling with the crisis
  • The technology team attempting to contain the damage

By exploring these perspectives, we can identify common misconceptions around building resilience against such attacks, all of which contribute to the “headless chicken effect.”

ANY similarity to actual persons or entities, living or dead, is PURELY coincidental.

The End-User

In a recent ransomware incident, an organization fell victim to a sophisticated attack orchestrated by a ransomware group. The attack began with a phishing email that tricked an employee, an end-user who had not received regular security training, into downloading a malicious attachment; don’t get us wrong here, there are cases where people who have been extensively trained can fall for it due to a short lapse in judgement or momentary carelessness. Now back to our story…

Unaware of the proper steps to take when encountering suspicious emails, the end-user clicked on the link, initiating the infection chain. Once the ransomware was inside the network, it rapidly spread, encrypting files and disrupting essential services. The end-user soon realized their endpoint and data were inaccessible. Panicked and unsure of what to do, the end-user acted in an uncoordinated manner, disconnecting their system from the network without a strategic plan and without informing IT. This haphazard action allowed the ransomware to spread further before containment measures were effectively implemented.

This story could easily play out quite differently; the user could just blame IT for everything and fail to realize a cyber-attack is actually ongoing.

Senior Management

As the ransomware attack unfolded, senior management experienced the crisis from a different perspective. They were inundated with questions and concerns, expecting immediate answers. “I thought we had backups?” asked one executive, only to find out that the backups were not regularly tested or stored securely, leading to significant data loss when the ransomware deleted shadow copies. Another manager questioned, “What is the contractor we are paying so much for the IR retainer doing?” It became evident that having an Incident Response (IR) retainer was not sufficient on its own, as critical systems were not isolated in a timely manner.

Senior management grappled with understanding the full impact of the attack. They were concerned about the financial and reputational damage, asking, “What does this mean financially and reputationally?” and “Should we pay the ransom?” Faced with the pressure of encrypted data and operational disruption, some decision-makers considered paying the ransom, believing it would be a quicker and cheaper solution. However, there was no guarantee that the attackers would provide the decryption key or that they wouldn’t strike again, which could lead to further financial loss, adding to the budget required for actual mitigation measures.

Adding to the chaos, the media had somehow found out about the breach before the organization could have any control over the narrative, leading to further questions from management: “How did the media find out?” There was no pre-established crisis communication plan, resulting in delays in informing stakeholders, including customers, partners, and authorities, about the breach.

Technology Team

From the technology team’s perspective, the situation was a firefight without clear procedures or roles. Overwhelmed and under-resourced, the IT team struggled to contain the ransomware. They were not sure of the specific steps to take, leading to haphazard actions and further spread of the malware.

The IT team also faced the challenge of communicating effectively. The team did not have designated secure channels to coordinate their response efforts, which allowed the attackers to monitor their internal communications and stay one step ahead. Additionally, with no pre-established communication plan, slow decision making and approvals required from relevant stakeholders further delayed their efforts. This lack of coordination exacerbated the impact of the ransomware attack, leaving the organization in a state of disarray.

Typical misconceptions around Incident Response in case of ransomware

The scenario we’ve just introduced illustrates several key misconceptions that can severely hinder an organization’s efforts to build resilience against ransomware attacks. Below we debunk some of those:

  1. “Having backups is sufficient”: While having backups is crucial, it is not enough. Do you know whether your backups are compromised? Could the restoration of an unchecked backup re-infect your environment with ransomware? Backups must be regularly tested and stored securely, preferably offline, to ensure they are not compromised during an attack. The organization in this scenario lacked secure backups, leading to significant data loss.
  2. “Cloud backups are immune to ransomware”: Cloud backups can also be targeted by ransomware if they are not properly secured. The organization must ensure that cloud backups are protected with strong access controls and regular monitoring to prevent unauthorized access.
  3. “Internal communications are safe”: Internal communications can be monitored by attackers. It’s essential to use secure communication channels when discussing incident details. In this scenario, the organization struggled to communicate effectively, both internally and externally, due to the lack of a secure crisis communication plan.
  4. “Disclosure to the authorities and/or other stakeholders is not necessary”: Timely disclosure to authorities and stakeholders is critical. It helps in coordinating a response, mitigating damage, and complying with legal obligations. The organization faced delays in informing stakeholders, exacerbating the financial and reputational damage. Further, failing to communicate with relevant stakeholders and authorities in a timely manner is in violation of the NIS2 incident notification requirements.
  5. “Paying the ransom guarantees data recovery and is cheaper”: Paying the ransom does not guarantee data recovery and can encourage further attacks. The organization should focus on robust incident response and recovery strategies rather than relying on ransom payments.
  6. “Disconnecting affected systems is always the best first step”: While disconnecting affected systems can prevent further spread, it must be done strategically. In this scenario, the lack of a well-defined plan led to haphazard actions that allowed the ransomware to spread deeper into the network.
  7. “Having a SOC/IR retainer is sufficient to detect & respond to the ransomware attack”: While having a Security Operations Center (SOC) or Incident Response (IR) retainer is beneficial, it is not sufficient on its own. The organization must have an integrated approach, including regular training, updated incident response plans, and internal capabilities to complement external resources.
  8. “Ransomware attacks are immediately noticeable”: Ransomware attacks can often go undetected for a significant period and typically become noticeable only when the ransomware is triggered (i.e., people complain they cannot access their files), giving the malware time to spread beforehand. Continuous monitoring and early detection mechanisms are essential to identify and mitigate threats promptly.
  9. “Only large organizations are targeted”: Ransomware attacks can target organizations of any size. The misconception that only large organizations are at risk can lead smaller entities to neglect necessary security measures.
  10. “Incident response is purely a technical problem and solely an IT responsibility. No need to train non-technical people in such situations”: Incident response is a multidisciplinary effort that involves technical and non-technical staff. Regular training for all employees on recognizing phishing attempts and proper response protocols is essential.

A conceptual framework to building resilience

To effectively build resilience against ransomware attacks, it is essential to adopt a comprehensive conceptual framework that encompasses three key capability dimensions: Respond, Sustain, and Recover. The “Respond” dimension focuses on immediate actions during an attack, including incident detection, containment, and communication. The “Sustain” dimension emphasizes ongoing efforts to maintain robust cybersecurity practices, such as regular training, continuous monitoring, and secure backup management. Finally, the “Recover” dimension addresses activities aimed at getting back to “business as usual”, including data restoration, system recovery, and implementing lessons learned to improve future responses. In the following sections, we will highlight critical elements under each of these dimensions to provide a holistic approach to building resilience against ransomware attacks.

Illustration of the cyber resilience dimensions

Respond

The “Respond” dimension is crucial for mitigating the impact of a ransomware attack and involves building a robust response capability that encompasses people, processes, and technology. To build this capability, organizations could refer to common industry frameworks/standards and best practices such as the NIST Cybersecurity Framework and SANS Incident Response Framework. This may include (but is certainly not limited to) the following:

People: Establish a dedicated incident response team with clearly defined roles and responsibilities. This may include both internal and external teams (e.g., IR retainers). Ensure that all employees, not just IT staff, are trained to recognize signs of a ransomware attack and understand the initial steps to take. Regular training sessions and awareness programs are essential to keep everyone prepared.

Process: Develop a comprehensive incident response plan that includes detailed procedures for identifying, containing, and eradicating ransomware. This plan should outline steps for internal and external communication, including how to securely communicate during an incident to avoid attackers monitoring internal discussions. The plan should also include guidance to ensure timely disclosure to stakeholders and authorities.

Technology: Ensure the organization has the tools and technologies required to identify ransomware attacks in a timely manner and respond to them effectively. This can include tools such as Endpoint Detection and Response (EDR) systems, Security Information and Event Management (SIEM) systems, and automated containment solutions (e.g., XSOAR). Additionally, consider the adoption of Zero Trust models; ransomware typically follows the path of least resistance. Requiring multiple conditions to be met before access is granted can greatly support your defense against ransomware attacks.

The above can be included in an Incident Response Plan (IRP) and specific Incident Response Playbooks tailored to Ransomware attack scenarios.

Testing the response capability is equally important. Conduct regular tabletop exercises to simulate ransomware scenarios and test the incident response plan. Advanced attack simulations, such as red team exercises, can provide a more in-depth evaluation of the organization’s preparedness. These simulations help identify gaps and weaknesses in the response plan and overall incident readiness.

After each test or real-life incident, refine the response plan based on lessons learned. Conduct post-incident reviews to analyze what worked well and what needs improvement. Update training programs, processes, and technology configurations accordingly to ensure continuous improvement of the response capability.

Sustain

The “Sustain” dimension focuses on maintaining business operations during a ransomware attack through effective crisis management and business continuity planning. Building this capability involves establishing arrangements that ensure the organization can continue to operate, even under stress, including:

Crisis Management: Develop a crisis management plan that includes protocols for maintaining internal and external communications during an incident. This plan should designate secure communication channels to prevent attackers from eavesdropping on sensitive information. Regularly train crisis management teams to handle public relations, customer inquiries, and media interactions to maintain trust and transparency.

Business Continuity: Establish a comprehensive Business Continuity Plan (BCP) that outlines procedures for maintaining critical business processes during an attack. This includes identifying essential functions and ensuring they can operate independently of compromised systems. Establish a Disaster Recovery Plan (DRP) to define how IT infrastructure and data can be restored to minimize disruption. Ensure that critical data is backed up regularly and stored securely, both on-site and off-site, to facilitate rapid recovery.

Crucially, the “Sustain” dimension also encompasses regularly testing the crisis management and business continuity plans through simulations and stress tests. These exercises should mimic real-world scenarios to evaluate the organization’s ability to sustain operations under adverse conditions. Testing should involve all relevant stakeholders, including IT, operations, and executive management, to ensure a coordinated response.

At the same time, it includes continuously refining the crisis management and business continuity plans based on feedback from tests and real-life incidents. This spans conducting after-action reviews to identify strengths and areas for improvement, as well as updating plans, training programs, and communication protocols to reflect new insights and evolving threats.

Recover

The “Recover” dimension focuses on transitioning from active incident response to rebuilding and restoring normal business operations. Building this capability involves coordinated efforts across people, processes, and technology to ensure a smooth return to business as usual.

People: Establish clear criteria for standing down from active “firefighting” and transitioning to “business as usual”. Assign roles and responsibilities for the recovery phase, ensuring that both IT and business units are aligned in their efforts. Conduct debriefings with all involved teams to gather insights and lessons learned from the incident. Communication is key during this phase to ensure everyone understands their role in the recovery process.

Process: Develop a detailed recovery plan that outlines the steps for restoring affected systems and data. This plan should include prioritization of critical systems and services to minimize downtime and ensure business continuity. Align the recovery plan with business requirements to ensure that restored systems meet operational needs. Implement a phased approach to recovery, starting with the most critical elements and gradually restoring less critical components. Additionally, update controls and processes based on findings from the incident to prevent future occurrences.

Technology: Ensure that backups are readily available and can be quickly deployed to restore data and systems. Implement redundant systems and failover mechanisms to enhance resilience. Regularly update and test recovery tools to ensure they are effective and up-to-date. Technical recovery should also focus on aligning restored systems with business requirements including Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) and ensuring that security controls are updated/deployed to address vulnerabilities exposed during the incident.

Testing and Refinement: Regularly test the recovery plan through simulations and drills to ensure its effectiveness. These tests should involve both technical and business teams to validate that recovery efforts align with organizational requirements. After each test or real-life recovery effort, conduct thorough reviews to identify any gaps or areas for improvement. Update the recovery plan, tools, and training programs based on these insights to enhance future recovery efforts.

By focusing on these elements, organizations can ensure a coordinated and efficient transition from response to recovery, minimizing downtime and restoring normal operations as quickly as possible. This holistic approach not only addresses immediate recovery needs but also strengthens the organization’s resilience against future ransomware attacks.

What next?

Taking these actions will undoubtedly increase your organization’s resilience while helping you meet regulatory requirements. We know it can be challenging with finite resources and a limited budget, so focus on high-impact actions first. In the upcoming blog posts, we will tackle topics including, but certainly not limited to, the following:

  • Demonstrate how to develop your Incident Response Plans/Playbooks
  • Provide insights on how to assess your readiness via Tabletop Exercises
  • Discuss effective Backup & Recovery methodologies and strategies and their vital role in Disaster Recovery Plans
  • Highlight the importance and provide tips on effective communication across different levels (e.g., executives, authorities, third parties, etc.)

Stay tuned! 😉

Filippos Raditsas

Filippos is a cybersecurity professional with over a decade of experience in supporting clients across multiple industry verticals to address cybersecurity challenges. Throughout his career, he has worn many different hats in the areas of penetration testing, red teaming, IR, cyber security risk management consulting, CISO-as-a-Service, etc. In his current role, as a manager in the Cyber Strategy & Architecture function of NVISO, Filippos focuses on supporting clients in strengthening their cyber resilience from the boardroom to the server room – delivering, among other things, IR strategies and playbooks, tabletop exercises and attack simulations.


Source: https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomware-attacks/