Navigating a cyber crisis, especially a double-extortion ransomware attack, puts an organization in an exceptionally difficult position. When phrases like “complicated situation” or “complex context” begin to circulate, crisis management is usually heading for rough waters. At Digital Intelligence Lab, our aim is to provide insight and strategy not only for managing these crises but for spotting their warning signs early, through our doubleextortion platform. Here are three critical mistakes to avoid during such a crisis, and how to recognise each of them before it does damage.
Mistake 1: “Shut Everything Down”
The first reaction many people have when the Network Operations Centre (NOC) reports “we’ve been hacked, our file servers are locked, and there’s a ransom note on the desktop” is “shut down all servers immediately!” The instinct is understandable, and stopping the encryptor before the extent of the damage is known has obvious appeal, but powering machines off is rarely the best first move.
A forced shutdown has consequences in both the short and the medium term. Cutting the power stops every running process and destroys the contents of volatile memory, which often holds information that can open recovery options. Some ransomware keeps its file-encryption keys in the memory of the running encryption process, and in some cases those keys can be recovered from a memory image while that process is still alive; once the host is powered off, that chance is gone for good.
Volatile memory also holds evidence that matters in the analysis phase: traces of the attacker’s commands and tooling, injected code, network connections, and persistence mechanisms set to fire later. The collateral damage of a forced shutdown goes beyond lost evidence: it can corrupt system files and data. Large files, such as virtual machine images or backup archives, that are mid-encryption when the power is cut are left in a hybrid state, part ciphertext and part plaintext, which neither the criminals’ decryptor nor your own recovery tooling may be able to put back together. The better first move is usually to isolate the affected hosts from the network (unplug the cable, disable the switch port, or quarantine through the EDR) so the malware loses its command channel and cannot spread, while leaving the machines powered on until a memory image has been acquired.
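Files caught mid-encryption when the power goes are the concrete failure mode above, and they are worth hunting for before any restore decision. The following Python script is an added example, not code from the original article or from Digital Intelligence Lab: it walks a directory tree, measures Shannon entropy per fixed-size chunk, checks the first bytes against a small table of well-known file signatures, and labels each file as plaintext, encrypted, hybrid (high-entropy prefix followed by recoverable plaintext) or intact-header. The chunk size, the entropy threshold, the signature table and the sample files it writes to a temporary directory are all illustrative assumptions, not tuned to any particular ransomware family.

```python
"""Triage files left in a hybrid state by an interrupted encryptor.

Added example; not code from the original article. Chunk size, the entropy
threshold and the signature table are illustrative assumptions.
"""
import math
import os
import tempfile
from collections import Counter

CHUNK = 4096          # assumption: region size for per-chunk entropy
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and compressed data sit near 8.0

# Assumption: a handful of common signatures; extend for the formats you hold.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunked(data: bytes) -> list:
    """Split into CHUNK-sized regions; fold a tiny tail into its neighbour,
    because the entropy estimate on a few hundred bytes is biased low."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if len(chunks) > 1 and len(chunks[-1]) < CHUNK // 4:
        chunks[-2:] = [chunks[-2] + chunks[-1]]
    return chunks or [b""]


def classify(data: bytes) -> dict:
    """Label a file body as intact-header, plaintext, encrypted or hybrid.

    'hybrid' means no recognised header survived and only some regions look
    like ciphertext: the shape an encryptor leaves when it is killed or the
    host is powered off mid-file. plaintext_resumes_at is the offset of the
    first low-entropy region after a high-entropy one.
    """
    high = [entropy(c) >= HIGH_ENTROPY for c in chunked(data)]
    header = next((n for sig, n in MAGIC.items() if data.startswith(sig)), None)
    frac = sum(high) / len(high)
    if header is not None:
        # Header survived. Compressed formats are high-entropy by nature, so
        # entropy alone cannot prove the file untouched; parse it to confirm.
        verdict = "intact-header"
    elif frac == 0.0:
        verdict = "plaintext"
    elif frac == 1.0:
        verdict = "encrypted"
    else:
        verdict = "hybrid"
    resume = next((i * CHUNK for i in range(1, len(high))
                   if high[i - 1] and not high[i]), None)
    return {"verdict": verdict, "header": header,
            "high_fraction": round(frac, 2), "plaintext_resumes_at": resume}


def scan_tree(root: str) -> dict:
    """Map every regular file under root (relative path) to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, root)] = classify(fh.read())
    return results


# Constructed sample corpus: an intact report, a fully encrypted copy, a large
# file the encryptor only got a third of the way through, and a PDF.
TEXT = b"Quarterly revenue by region, figures in kEUR, see appendix B.\n" * 400
SAMPLES = {
    "report.txt": TEXT,
    "report.txt.locked": os.urandom(len(TEXT)),   # random bytes stand in for ciphertext
    "vm-image.vmdk": os.urandom(3 * CHUNK) + TEXT,
    "brochure.pdf": b"%PDF-1.7\n" + TEXT,
}


def demo() -> dict:
    """Write the constructed samples to a temp dir, scan it, return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return {name: r["verdict"] for name, r in scan_tree(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:14} {name}")
```

Run it against a copy of the affected share, not the live volume, and treat “hybrid” hits as the files whose plaintext tail may still be worth carving out; “intact-header” is only a hint for compressed formats and needs a real parse to confirm.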
Mistake 2: “Restore to Yesterday Morning”
Discovering a double-extortion attack usually triggers an immediate desire to roll systems back to a state before the attack, especially once it is clear that the encrypted files cannot be decrypted. It is a high-pressure situation for everyone, from staff to senior management, who typically demand a quick fix and a return to normal operations.
However, the belief that the attack started when the files were encrypted is misleading. Encryption is the last, visible stage. Modern ransomware operations, double-extortion schemes included, are multi-phase: initial access, persistence, credential theft, lateral movement and data exfiltration can span hours, days, weeks or even months before the encryptor is released. Moreover, the actors who deploy the ransomware are often not the ones who first compromised the network; access is bought and sold. The question to answer before restoring is therefore not “when were the files encrypted?” but “when did the attacker first get in?” Blindly restoring systems to yesterday’s state reinstates whatever foothold the attacker had already planted by then (rogue accounts, scheduled tasks, tunnels, backdoors) and invites re-infection, while the snapshots that genuinely predate the intrusion may already have aged out of retention, leaving no safety net at all.
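The restore decision above comes down to comparing the snapshot catalogue with the earliest indicator of compromise rather than with the encryption time. The Python script below is an added example and not code from the original article or from Digital Intelligence Lab: it parses a constructed, simplified SIEM export, tags each line with a hypothetical attack stage, and splits a constructed daily snapshot catalogue into clean (taken before the first indicator) and contaminated snapshots. The log lines, snapshot names, retention windows and indicator patterns are all illustrative assumptions; in practice the patterns are whatever your EDR or SIEM actually surfaced.

```python
"""Choose a restore point from the compromise timeline, not the encryption time.

Added example; not code from the original article. Log lines, snapshot
names and indicator patterns are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed, simplified SIEM export: "<ISO timestamp> <source> <message>".
LOG = """\
2024-03-02T21:14:05Z vpn login user=jdoe src=198.51.100.23 geo=unusual mfa=none
2024-03-03T02:40:11Z edr host=FS01 new_service name=SysHelper image=sh.exe
2024-03-06T11:03:48Z edr host=DC01 lsass_access by=rundll32.exe
2024-03-09T23:55:02Z proxy host=FS01 upload bytes=48G dst=mega.nz
2024-03-11T04:12:30Z edr host=FS01 mass_rename ext=.locked count=183244
2024-03-11T08:02:00Z noc ticket "file servers locked, ransom note on desktop"
"""

# Hypothetical indicator patterns, in the order the stages usually unfold.
INDICATORS = {
    "initial_access": re.compile(r"^vpn .*mfa=none"),
    "persistence": re.compile(r"new_service"),
    "credential_access": re.compile(r"lsass_access"),
    "exfiltration": re.compile(r"upload bytes="),
    "impact": re.compile(r"mass_rename"),
    "detection": re.compile(r"ransom note"),
}


def parse(log: str) -> list:
    """Return [(timestamp, stage, message)] for every line matching an indicator."""
    events = []
    for line in log.splitlines():
        stamp, rest = line.split(" ", 1)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        for stage, pattern in INDICATORS.items():
            if pattern.search(rest):
                events.append((when, stage, rest))
                break
    return sorted(events)


def daily_snapshots(first: datetime, last: datetime, hour: int = 6) -> list:
    """Constructed snapshot catalogue: one snapshot per day at the given hour."""
    snaps = []
    day = first.replace(hour=hour, minute=0, second=0, microsecond=0)
    while day.date() <= last.date():
        snaps.append((day.strftime("snap-%Y%m%d"), day))
        day += timedelta(days=1)
    return snaps


def choose_restore_point(events: list, snapshots: list) -> dict:
    """Split snapshots into clean (before the earliest indicator) and contaminated.

    A contaminated snapshot already contains the attacker's foothold, so
    restoring it reinstates the compromise. No clean snapshot left means the
    pre-compromise state has aged out of retention.
    """
    earliest_t, earliest_stage, _ = events[0]
    impact_t = next(t for t, stage, _ in events if stage == "impact")
    clean = [name for name, t in snapshots if t < earliest_t]
    contaminated = [name for name, t in snapshots if t >= earliest_t]
    return {
        "earliest_indicator": (earliest_t, earliest_stage),
        "impact": impact_t,
        "dwell_days": (impact_t - earliest_t).days,
        "last_clean_snapshot": clean[-1] if clean else None,
        "contaminated_snapshots": contaminated,
    }


if __name__ == "__main__":
    events = parse(LOG)
    # Seven-day retention: the catalogue only reaches back to 4 March.
    week = choose_restore_point(
        events, daily_snapshots(datetime(2024, 3, 4), datetime(2024, 3, 10)))
    # Fourteen-day retention still holds a snapshot from before the VPN login.
    fortnight = choose_restore_point(
        events, daily_snapshots(datetime(2024, 2, 26), datetime(2024, 3, 10)))
    for label, r in (("7-day retention", week), ("14-day retention", fortnight)):
        t, stage = r["earliest_indicator"]
        print(f"{label}: first indicator {stage} at {t:%Y-%m-%d %H:%M}, "
              f"dwell {r['dwell_days']} days, last clean snapshot "
              f"{r['last_clean_snapshot']}, "
              f"{len(r['contaminated_snapshots'])} contaminated")
```

In the constructed scenario “yesterday morning” (snap-20240310) sits eight days inside the dwell window, and with seven-day retention every surviving snapshot is contaminated; only the longer catalogue still holds a restore point that predates the suspicious VPN login. Rebuilding from scratch, or restoring data only onto freshly built systems, is the fallback when no clean snapshot survives.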
Mistake 3: “My IT Provider Will Handle It”
In recent years many managed IT service providers have expanded into cybersecurity, offering managed solutions ranging from next-generation firewalls and anti-spam to vulnerability assessments and penetration testing. Relying solely on your IT provider to manage the fallout from a ransomware attack is nevertheless a risky oversight.
Managed IT service providers are skilled at running systems, but incident response is a different discipline. Understanding how the intrusion unfolded, how the criminal group negotiates and applies pressure, what data was taken, and which hidden risks remain after the initial ransomware impact (surviving persistence, stolen credentials, a second access broker) is essential to a thorough recovery, and it typically sits outside the core competencies of a general IT provider. Bring in a dedicated incident response team, and keep the provider in the loop as the party that knows the environment.
Bonus Strategy: Monitoring Third-Party Risks and Impacts
In today’s interconnected digital ecosystems, third-party relationships add layers of risk that are hard to see from inside your own perimeter. At Digital Intelligence Lab, our doubleextortion platform specializes in assessing and monitoring the cyber risk profiles of third parties. Knowing how your suppliers and partners handle a crisis matters, because their failures can directly affect your operations and security posture: a compromised supplier is a ready-made path into your network and a source of your data in someone else’s ransom note.
Conclusion
Through our Double Extortion Platform, Digital Intelligence Lab not only helps organizations navigate their own crises but also monitors how third parties handle theirs. Tracking where third parties fail to manage a crisis effectively lets us anticipate the consequences, risks and fraud that spill over into connected environments. That visibility is vital for any organization that wants a robust cybersecurity strategy, because the ripple effects from one weak link in the chain can jeopardize the whole network. By understanding and mitigating these third-party risks, organizations can significantly strengthen their overall security framework and their resilience against cyber threats.