Security Event Introduction 

As the old saying goes: it is not IF you and your company will experience a security event, it is WHEN you will experience a security event and how you will respond.

This whitepaper was created to raise awareness of Ransomware Security Events, which are growing exponentially. Its secondary purpose is to encourage companies to create an Incident Response Plan so they are better prepared when a Security Event occurs and, better yet, to incorporate additional services and updates that decrease the chance of a Security Event occurring.

The paper lays out the steps commonly taken after a Security Event has occurred in order to provide a realistic view into the disruption the Security Event causes. This paper assumes a company does not have a well-detailed Incident Response Plan. There may be additional items needing to be addressed that are specific to certain companies, sizes of companies, or even certain industries. This paper does not do justice to the confusion and unrest that a Security Incident causes a company, its employees, and their clients. If you have any suggestions on items to add to the whitepaper or if you have any questions, please do not hesitate to reach out to me, Paul Riedl, Jr. at

Day One

  1. Security Event Identified: Your Technology Team has identified that a Security Event has occurred.

    1. At this time, you are not sure where the attack came from nor how broadly the attack has affected your systems and data.

    2. You do not know how long the “Bad Actors” (Hackers) have been in your system or if they have gained access to your data and/or your client’s data.

    3. Is this affecting the internal services, or have they gained access to hosted services such as email or our ERP solution?

  2. Stop Security Attack and Damage Control:

    1. The IT team attempts to stop the attack by taking the system off-line and stopping any unknown services. Servers are sometimes turned off.

    2. Users are not able to access company data.

    3. Are the Bad Actors still hiding within the Terabytes of Data on your system?

    4. Have we stopped the attack successfully?

    5. What was the purpose of the attack? Data Encryption, Data Exfiltration, Data Publishing, or Data Destruction?

  3. Internal Team Creation:

    1. You scramble to create a team. It takes a strong team to address the Security Event as effectively as possible. You identify all the team members and clearly define their roles and responsibilities. You need the following resources:

      1. Internal Project Manager:

        1. Coordinate with internal and external resources.

        2. Establishes timelines and assigns resources as needed.

      2. Authorizer:

        1. Authorized to sign contracts, approve expenditures, and make decisions with regard to communication.

      3. SR Engineer (Or Your IT Vendor):

        1. A Technical Resource to perform all technical activities.

        2. Provide information and coordinate with any external technical resources.

        3. Lock down the system as quickly as possible.

      4. Communication Director:

        1. Create and manage the internal and external communication plan and create the communication content.

      5. Utility Player:

        1. Help out the other members as needed.

      6. Miscellaneous Technical Resources:

        1. Assist as needed regarding technical issues.

    2. Meanwhile, the IT Team continues to lock down the system, troubleshoot, look for clues to the attack, capture event logs, and segregate services.

  4. External Resources Requests/Notification:

    1. You call your insurance broker or look at your insurance policy to confirm you have Cyber and Business Insurance Coverage. You breathe a sigh of relief knowing you have a policy in place.

    2. You contact your insurance carrier, who assigns you a General Adjuster who will call you back.

    3. You wait...

    4. You call the FBI and report the incident. They take your information and then leave a message for an Agent to call you back. They are working on thousands of these incidents, and they offer their concern and will assist where they can.

    5. You wait...

    6. You call the local Police and report the incident. They take your information and express concern and will assist where they can. Their assistance is limited since the majority of the attacks come from outside the state and most likely outside of the country.

    7. The Insurance Adjuster calls you back and directs you to contact both an approved law firm and an IT Security Firm.

    8. You talk with both firms and then sign a contract with both the law firm and the Security Firm. The Security Firm is hired by the attorney on your behalf, so communication with the Security Firm falls under attorney-client privilege.

    9. Questions arise:

      1. What does each firm do for you during this time?

      2. How fast do they start working on your behalf?

      3. Do the Bad Actors want anything?

      4. Are the Bad Actors still in our system?

      5. What is covered under your cyber insurance? There sure is a lot to read.

    10. The IT Team begins to work with the Technicians from the Security Firm to continue to troubleshoot, look for clues to the attack, capture event logs, and segregate services.

    11. The IT team recommends using external resources for phone calls (Smart phones) and e-mail communication (personal e-mail).

Day Two

Not a lot of sleep is achieved by any of the team members. Each team member scrambles to do their tasks and communicate with one another to make sure something does not slip through the cracks. Your IT Team and the Security Firm have determined your data is encrypted and being held for a Ransom!!

The team performs the following:

  1. All Members:

    1. Sort through a flurry of emails that have come from the Attorneys and the Security Firm. Respond accordingly. Gather for brief update meetings through the day.

  2. Internal Project Manager:

    1. Coordinate and attend a conference call with the Project Manager at the security company (2 to 3 members), the attorneys (2 to 3), and the Internal Team. This is to introduce everyone and assign roles as clearly as possible. You also will discuss the type of attack, where the attack may have originated and if the attackers are known entities. If there is a ransom situation, discuss the amount to pay and who at the Security Firm will handle the negotiations.

    2. Set up the update meetings with all parties.

    3. Determine the tools that will be used for communication and the storage of new data.

  3. Authorizer:

    1. Strategize with the Security Firm Negotiator. Review Cyber Insurance coverage.

    2. The Negotiator reaches out via email to the Bad Actors to start negotiations for the decryption keys.

    3. You wait….

    4. Bad Actors initially request a very high number. They base the amount on what they think your insurance coverage is and on how successful they believe your company is at the time of the attack.

    5. Negotiator provides a counteroffer via email. Due to time zone differences and negotiation techniques the Bad Actors may not respond for hours and at times a day.

    6. You wait…

    7. The counteroffers go back and forth a few times. The negotiator makes an educated recommendation as to when to accept the terms, based on past experience with the Bad Actors. The acceptance usually occurs very late in the evening of Day Two or in the early hours of Day Three, and in worst-case scenarios later in the week.

  4. SR Engineer:

    1. Work with the Security Firm to provide secure access to the affected systems.

    2. Provide system logs so Security Firm can start a forensic study.

    3. Recover what can be recovered from Backup. (An external and hosted backup solution separate from your network with proper security is highly recommended.)

    4. Update the Team and the PM on an ongoing basis.

    5. Create a brand-new clean network to use moving forward.

  5. Communication Director:

    1. Create internal communication to let the employees know what is happening and what they should be telling people outside of the company if questions arise.

    2. Reassure the entire company that all will be well and the company will be able to recover.

    3. Not all information about what happened and when it will be rectified will be available. The legal advice you receive may direct you to limit what can be shared. Some “facts” usually change during the forensic investigation on the “who, how, and where.”

    4. Create communication to be sent out to all clients if the need shall arise.

    5. Work with the Attorneys to determine legal requirements regarding reporting the Security Event.

    6. Ensure that proper terminology is used.

    7. Modify the communication plan based on the legal requirements.

    8. Have all members of the committee review communication.

    9. Send communication out to the company.

    10. Answer employee questions and provide reassurance of full recovery.

    11. Answer client questions and instruct employees as to what they can and should say to clients.

    12. Questions will arise:

      1. Clients and employees will want to know: what happened?

      2. How did the Bad Actors get in?

      3. How long have they been in the system?

      4. What data was compromised?

      5. Did they get any of my information?

  6. The IT Team:

    1. Continue to work with the Security Firm to troubleshoot, look for clues to the attack, capture event logs, and segregate services.

    2. Install End Point Protection solutions onto the workstations that are monitored 24x7 by a SOC (Security Operations Center).

Day Three

Another night of little or no sleep for all team members. The Security Firm is communicating with the Bad Actors, and they are planning to have the Bad Actors prove the decryption they provide will work before money is sent.

  1. Security Firm:

    1. Work with the Bad Actors to determine what files they will decrypt to prove their tool will work (“Proof of Life”).

    2. Talks with the SR Engineer to arrange for files to be placed on the Security Firm’s server that the Bad Actors can send proof to.

    3. Bad Actors prove the decryption will work. This process can take many hours or in worse cases many days.

    4. Once proof has been given, the Security Firm converts dollars into bitcoin or other untraceable cryptocurrency and sends it to the Bad Actors.

    5. Questions occur:

      1. Will the Bad Actors send the rest of the decryption code?

      2. Are the Bad Actors going to decrypt our data and plant another encryption program on our system at the same time and ask for more money?

      3. What guarantees do we have that they will send the decryption code?

      4. When will we be back up and running?

  2. All Members:

    1. Continue to sort through a flurry of emails that have come from the Attorneys and the Security Firm and each other. Respond accordingly. Attend regular internal update meetings and update meetings with the Security Firm and the attorneys.

  3. Internal Project Manager:

    1. Continue activities identified in Day One and Day Two.

  4. Authorizer:

    1. Approves the ransom payment and the invoices from the attorney and the Security Firm and any other expenses for additional tools or services.

    2. Coordinate with the Insurance carrier.

  5. SR Engineer:

    1. Work with security company to decrypt the data with the decryption tool the Bad Actors provide. The decryption process can take hours and even days to complete.

    2. Provide information as requested by the Security Firm.

    3. Continue to create a new network to use after the decryption process is done.

    4. Questions Arise:

      1. Are the Bad Actors still in the system waiting to attack again?

      2. Will they be able to get into the clean system?

      3. When can I use email?

      4. When will we be back up and running?

  6. Communication Director:

    1. Continue all activities identified in Day Two.

  7. The IT Team:

    1. Continue to work with the Security Firm to troubleshoot, look for clues to the attack and capture event logs and segregate services.

    2. Work with Senior Engineer to determine where physical backups should be installed before any further encryption takes place.

    3. Install End Point Protection solutions onto the workstations that are monitored 24x7 by a SOC (Security Operations Center).

Day Four and Five and Six... and??

More nights of little or no sleep for all team members. The Security Firm is conducting forensics and reviewing the system configuration for any security holes.

  1. Security Firm:

    1. Assists in the decryption process as needed.

    2. Continues the forensic investigation to find out what happened.

    3. Requests information from the internal IT team to complete the forensic work.

  2. All Members:

    1. Continue to sort through a flurry of emails that have come from the Attorneys and the Security Firm. Respond accordingly. They sit in internal update meetings and update meetings with the Security Firm and the attorneys.

  3. Internal Project Manager:

    1. Continue activities identified in Day One and Day Two.

  4. Authorizer:

    1. Work with all members as needed.

    2. Coordinate with the insurance carrier.

    3. Talk with clients and employees as needed.

    4. Provide updates on a regular basis.

  5. SR Engineer:

    1. Work with Security Firm to decrypt the data with the decryption tool the Bad Actors provide. The decryption process can take hours and even days to complete.

    2. Provide information as requested by the Security Firm.

    3. Continue to create a new network to use after the decryption process is done.

  6. Communication Director:

    1. Continue activities identified in Day Two.

  7. The IT Team:

    1. Continues to work with the Security Firm to troubleshoot, look for clues to the attack, capture event logs, and segregate services, and backs up and protects any potentially vulnerable data that could be encrypted or corrupted.

    2. Installs End Point Protection solutions onto the workstations that are monitored 24x7 by a SOC (Security Operations Center).

    3. Gets services back up and running as they are cleared by the SR Engineer and the Security Firm.

    4. Responds to any alerts generated by the End Point Protection Service.

Wrap Up and Moving Forward

After the system has been rebuilt, your data has been decrypted and put back onto your system, you are then able to allow your users back on to it. You still worry the Bad Actors may come back or are still hiding in your system. You are able to rest a little easier knowing you have the SOC and the Endpoint Protection running. But you always wonder.

The Security Firm will conduct their forensic activities and provide their report to you and your team. The Attorneys will answer legal questions and provide direction regarding messaging. You will settle with the Insurance Carrier but only after providing a lot of supporting materials and answering a lot of additional questions.

You will then be able to start getting back to working on your business and for your clients.

So please decrease the chance of going through this type of situation, and have the proper tools in place to limit exposure when a Security Event occurs.

  1. Take Security Seriously!
  2. Have a Security Review conducted on your system to identify weaknesses.
  3. Implement End Point Protection on all network endpoints with SOC support.
  4. Review your backup system and process.
  5. Create an Incident Response Plan. Hope you will never have to use it.
  6. Ask River Run any questions you may have!
