Ransomware Response: A Plan is Only as Good as Its Execution


April 9, 2024


A ransomware operator calls the front desk of a victim company to alert them to the fact that they have been compromised and the organization has just a handful of hours to negotiate a ransom payment, or the attackers will publicly release sensitive data exfiltrated in the attack.

Instead of triggering a well-rehearsed incident response and business continuity plan, the company puts the threat actors on hold several times before ultimately engaging in an extended dialogue that could only have left the attacker feeling they themselves were the victim of an elaborate prank.

The attackers posted several recordings of the calls on their leaks site, and while the recordings are bizarrely amusing in a very surreal manner that verges on the absurd, there are lessons to be learned here for organizations concerned about the potential impact from ransomware attacks: namely, that a plan is only as good as its execution.

At one point the attacker, having already talked at length with at least one other employee, is puzzlingly redirected to the victim company’s HR representative, who is obviously unclear on the concept of ransomware attacks and the types of people who perpetrate them.

“The attacker threatens Beth, saying they will start calling the company’s clients, employees and partners. The hacker adds that they have already contacted the media and provided a recording of a previous call with one of her colleagues, which is also on the gang’s dark web site,” TechCrunch reports the call transcripts as relaying.

“So that includes a conversation with Patricia? Because you know, that’s illegal in Ohio,” Beth says.

“Excuse me?” the hacker responds.

“You can’t do that in Ohio. Did you record Patricia?” Beth continues.

“Ma’am, I am a hacker. I don’t care about the law,” responds the hacker, growing even more frustrated.

“I would never negotiate with a terrorist or a hacker as you call yourself,” Beth responds before asking them for their contact information.

When the hacker tells the HR rep that they don’t have a phone number to share, she decides that’s a good point to end the conversation.

“Alright, well then, I’m just gonna go ahead and end this phone call now. I think we spent enough time and energy on this. Well, good luck,” Beth says.

“Thank you, take care,” the attacker replies.

Takeaway: Ransomware attacks can bring a business to a grinding halt. When critical systems and data are locked, daily operations are severely disrupted.  

This can lead to lost revenue, missed opportunities, and damage to the company's reputation. In some cases, businesses are forced to shut down temporarily, which can have lasting repercussions.  

Most ransomware attacks today include data exfiltration prior to the encryption of systems. The stolen data is used as leverage to compel the victim to pay the ransom demand with the threat of releasing or otherwise exposing the data if payment is not made.  

Even if organizations are prepared to respond and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional liability risk.

For many organizations, the exposure of customer data has regulatory implications and can lead to lawsuits and fines, so a ransomware attack often carries legal consequences well beyond the operational outage.

Depending on your industry and location, there may be data protection laws and regulations that require you to report data breaches promptly. Failure to do so can result in substantial fines and legal liabilities.

While some larger companies can weather disruptions like this, it may be an existential event for most small to medium organizations, which may not have the resources required to spend weeks getting systems back up and running.

To mitigate operational disruptions, organizations should ensure robust backup and disaster recovery plans are in place. Regular testing of these plans is vital to ensure data can be restored quickly and efficiently in an attack.

The following are general procedures every organization should implement as a baseline security posture against the threat of ransomware attacks:

  • Patch Management: Keep all software and operating systems up to date and patched, prioritizing internet-facing systems and vulnerabilities known to be exploited in the wild.
  • Data Backups: Ensure critical data is backed up offsite, kept offline or immutable so that an attacker who reaches the production network cannot encrypt or delete the copies, and restored regularly to confirm the backups are actually usable.
  • Access Control: Implement network segmentation and least-privilege access policies, consistent with a Zero Trust approach, so a single compromised account or host cannot reach everything.
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, and social-engineering calls like the one described above.
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders, including non-technical staff who may answer the phone, know their role when an attack is under way.
  • Resilience Testing: Regularly test security controls against simulated ransomware attacks to ensure effective detection, prevention, response, and full recovery of targeted systems.

But basic security hygiene is not enough, just as “having a plan” is not enough. The plan must be communicated effectively to all stakeholders, and each stakeholder must understand their role in an incident response scenario.

Leadership needs to foster open communication between employees and the security team and establish clear procedures for employees to report potential security events, and the organization needs to continuously assess the effectiveness of incident response and business continuity plans.

By fostering a sense of shared responsibility for security, promoting communication between the security team and other departments, and integrating security into the daily operations of all teams, leadership helps employees understand the role they play in safeguarding the organization from ransomware threats.

Organizations need to understand that planning is not the same as preparedness. Ensuring all employees are cognizant of potential threats and understand their roles in the organization's incident response plan is critical, as is regular testing and updating of the plan to ensure a smoothly coordinated response to any potential threat.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.