Ransomware Victims Encouraged to Actively Engage to Regain Control


Opening lines of communication with ransomware actors is crucial for achieving a favorable resolution during an incident that could significantly disrupt operations, according to Dan Saunders, Director of Incident Response EMEA at Kivu Consulting. He noted that only 30% of negotiations with threat actors in the past year resulted in financial settlements for victims.

“There’s a common misconception regarding engagement with threat actors,” Saunders articulated. “The idea that engaging them guarantees a financial outcome is misleading.”

Engaging these malicious actors enables organizations to regain control of the situation, implement mitigation strategies, and prevent further escalation of the incident, which could include threats of physical harm, such as “swatting.”

This proactive engagement allows organizations to gather actionable intelligence from the extortionists, helping them understand the root causes of the breach while buying time for forensic investigations and establishing a crisis communication team. “If our identity were to be disclosed, do we have an effective communication strategy to address the anticipated surge of inquiries?” Saunders questioned. He emphasized the likelihood of security researchers and journalists scrutinizing leak sites related to the incident.

However, he cautioned that organizations must prioritize their operational security to mitigate risks, particularly if threat actors may already be operating within the network and monitoring responses. “Establishing out-of-band communication is vital to maintain control and prevent unintentionally revealing strategies to threat actors, as they prefer direct negotiations rather than third-party involvement,” he advised.

Emphasizing Proactive Measures

Better preparation for ransomware events is essential to minimize business impact, necessitating collaboration across the organization. “While we have established playbooks for responding to ransomware attacks with our trusted service providers and IT teams, it is equally important to involve other stakeholders,” Saunders stated. He urged organizations to consult incident response plans and conduct drills with leadership to simulate cyber extortion scenarios.

Understanding the organizational assets, data storage protocols, and protection measures is fundamental for assessing risk exposure post-attack and identifying necessary parties for breach notifications.

“Legacy data often poses significant challenges; outdated systems and unnecessary data retention can exacerbate the situation,” he concluded.

This necessitates a comprehensive exploration of the organization’s network architecture to identify critical assets, understand data classification, and evaluate the potential consequences of data exposure.

The urgency of implementing best practices for incident response has escalated, especially in light of recent high-profile ransomware attacks affecting prominent retailers and brands.