Authored by Brian Scriber, M3AAWG Ransomware Initiative Champion
Distinguished Technologist and Vice President Security & Privacy Technologies, CableLabs
“When going through hell, keep going,” a phrase oft misattributed to Sir Winston Churchill, is an apt description of those fighting through a ransomware attack. There is an abundance of guidance to prevent ransomware attacks, but guidance for businesses actually responding to an attack, specifically small and mid-sized businesses, is sparse and contradictory. The Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) aims to cover this gap with the Ransomware Active Attack Response Best Common Practices.
The impact of ransomware can be profound, resulting in degraded operations and significant financial loss. Attacks on large organizations in energy (e.g., Colonial Pipeline), food distribution (e.g., JBS), and communications and healthcare (multiple entities were hit by the self-propagating WannaCry ransomware) have been widely reported in the news.
In a study of ransomware attacks between August 2020 and July 2021, corporations accounted for 40% of all victims. While large corporations make the headlines, these attacks are happening to small and mid-sized businesses, too. It is time to arm those smaller businesses with the tools to navigate a path to recovery.
M3AAWG is not providing a single, one-size-fits-all path. Instead, we offer a simplified path that can be tailored to your organization and its unique situation. Along that path are questions that, once answered, shape the response to fit your circumstances.
Through all the stages of the ransomware recovery, options are available for actions to take and parties to engage. We also identify areas where caution should be exercised and deliverables that establish a higher likelihood of success in the next step.
The response team looks different in each business, but the guide is written to help information technology (IT) professionals make the key decisions during a ransomware attack.
Resources and considerations that help in the decision-making process are provided. Equally important are the recommendations made about the communications process. Communication and team building are critical for the internal tasks of recovering from an attack. We also explore how to handle communications external to the organization.
This guide begins with the detection of the compromise or ransom notification, and the signs of ransomware activity to look for. We identify immediate actions to take, as well as actions to avoid. Analysis follows that helps define the scope and impact of the attack and build out a response plan. The response section covers four topics: engagement, containment, eradication, and recovery/remediation.
Each of these major sections calls out who is responsible for the work, who is notified, who approves each step, how the step progresses, what outcomes to expect, and what deliverables the key activities produce. We include insights from experienced practitioners and provide advice at each step to support the important decisions along the way.
The right answer to those key decisions is not always obvious; understanding the benefits, drawbacks, and implications of each option is an important part of this process.
The document also covers engaging incident response teams, considerations of interactions with cybersecurity insurance providers, and when, or if, to engage law enforcement. Considerations around payment and negotiation of ransoms, notification requirements, and acknowledgment of victimhood are all explored.
While adrenaline levels may not be as high after the event, it is important to review the incident, the response, the technology used or needed, and the engagement of the people involved (both internal and external). Recovery also usually requires deploying technology that was not in place before the event. This document dives into those considerations as well.
There is no perfect map through an event like this, but consolidating and linking the key resources that small and mid-sized businesses can use may take some of the emotion and panic out of the first phases of victimization.
What M3AAWG has provided in this best practices document may clarify the decision points along the way, so that less time is spent in this ransomware hell. Remember, “…keep going.”