Ransomware 2022: We’ve Been Hit!
February 27th, 2022
What’s in This Post:
- Staying focused on the big picture during “pressure-on” moments
- Organized ransomware response domains
- “What to do” ransomware response checklists
- Should you pay?
Imagine:
5:45 am: you rise and go for a morning run.
6:30 am: coffee and shower.
6:50 am: you answer the ringing mobile phone only to hear: “We’ve been hit!”
In between mumbling expletives and a faint sensation of hyperventilation, you recognize you’re about to have a very different kind of day. The questions start coming at you like major league fastballs to a rookie at-bat:
How do we respond?
What’s the sequence?
Checklists … where are the checklists?
What the hell is happening???
Like Michael Jackson sang: “You’ve been hit by … a smooth criminal.”
A cybercriminal, that is.
There is good evidence that it can be quite overwhelming to think clearly when the pressure is on.
And trying to think one’s way through a ransomware attack? Definitely a “pressure-on” moment.
Navigating the maze of ransomware response decisions and recovery concerns is enough to broil the brain of even the most cool-headed thinker. During the difficult and stressful moments of a ransomware attack when there can be a demand for details upon details, staying focused on the big picture could be of more help than one might imagine.
As the EU Business School article How to Think Clearly: 7 Tips for Success puts it:
“Have you ever had moments when thinking clearly was just impossible? Times when, no matter how hard you struggled or tried to concentrate, your mind just kept tying itself in knots?
If your answer to this question is “yes,” you’re not alone. Everybody thinks they know how to think. But few people have given any real attention to the topic of clear-headed, critical reasoning. Clear thinking requires a certain degree of attentional focus and stability. You need to be able to keep your mind on one thing.”
Eliminating the distraction brought on by a rush of detail may not be written into the incident response plan, but it is arguably an important component of what to do when ransomware attacks.
A few suggestions, then, and resources, to help heads stay cool and straight thinking prevail:
Stakeholders might appreciate the neatly organized domains into which the Cybersecurity and Infrastructure Security Agency (CISA) breaks down a response to ransomware attacks, three main and memorable areas:
- Detection and Analysis
- Containment and Eradication
- Recovery and Post-Incident Activity
Happily, CISA’s Ransomware Guide also provides detailed “what to do” steps in each of the categories above, a reference you may wish to have at hand when the time for detail is right.
The National Cyber Security Centre (NCSC), in the section “steps to take if your organisation is already infected” of its publication Mitigating Malware and Ransomware Attacks (link below), also provides a sequenced, detailed checklist that can help limit the impact of a ransomware attack.
Which brings us, finally, to the $64 ransomware question to include in the big picture roadmap: Should you pay up?
In its excellent article How to Respond to a Ransomware Attack: Advice from a Federal Agent, MIT Sloan states: “The first piece of advice from federal agencies is simple: Don’t pay ransomware hackers, Nix [assistant to the special agent in charge at the U.S. Secret Service] said at the recent EmTech CyberSecure conference hosted by MIT Technology Review.
“I want to say point blank, you're going to hear every single federal law enforcement [agency] say, ‘Do not pay the ransom,’” Nix said. (Experts advise that there are other ways to retrieve data.)”
“Nix advises companies experiencing ransomware attacks to visit stopransomware.gov, a website that has a host of information from federal entities and information about how to be in touch with them. “[Even] if you don't call the Secret Service or the FBI,” he said. “If you go to there, there is significant information for you to battle through this issue.”
Interested in more about ransomware attacks? Check out my two previous blogs on this topic for FWI | Poppulo: