How to prepare for a ransomware attack

There is greater awareness than ever of this risk of ransomware attacks, spurred by high-profile examples of organisations being locked out from accessing core systems and data. However, some organisations fail to take sufficient action to reduce the likelihood that they will fall victim to such attacks and are unaware of the risks entailed in making ransom payments.

A report by the US-based Ransomware Task Force has set out what organisations can do to reduce the risk of criminals succeeding with ransomware attacks and in their response to such attacks.

In our experience, organisations that devote the time and resources to preparing for a potential ransomware attack are more likely to be able to repel it or at least limit the disruption it can cause them and those they serve. Such preparedness is likely to make those organisations better placed to engage more meaningfully with regulators.

The Task Force’s recommendations point to actions individual organisations can take to prepare themselves for the possibility of a ransomware attack.

The actions organisations can take to prepare

The actions that the Ransomware Task Force has endorsed include:

• Mapping organisational security processes and controls to existing popular cybersecurity frameworks, such as the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) in the US;
• Undertaking ransomware-specific risk assessments, and;
• Leveraging contractual terms to hold managed service providers and IT suppliers accountable in respect of their cybersecurity measures.

These proposals are to be welcomed, and the report’s focus on cyber readiness chimes with our experience in the market. We are seeing organisations take steps to do more in advance to be prepared for when, not if, they are the subject of a cyber attack.

The Ransomware Task Force endorsed the development of business-level materials oriented towards organisational leaders to help them address ransomware risk. Pinsent Masons’ Cyturion – a cyber readiness tool helping organisations become better prepared to managing incident response – is an example of the resources available to businesses. The recommendation is also consistent with the significant uptick in interest we have seen for training sessions or cyber simulation sessions to stress-test preparedness.

We find that those organisations which have taken steps to consider cyber risks are typically best placed to respond when they happen. Organisations with well-developed incident response plans, which have been tested and rehearsed, are best able to react quicker and more effectively. 

Similarly, those organisations which have considered their corporate attitude to engaging with threat actors will have done a lot of the hard thinking in advance of a real-time event. As the Ransomware Task Force put it, “there is a stark difference between being aware of ransomware as a threat and having a real understanding of the dynamics, mitigations, and potential impacts of an attack”. It has urged organisational leaders to view ransomware as a “whole-organisation event, in non-technical, business risk-relevant terms”. We agree and welcome the Task Force’s calls for additional materials to help educate organisational leaders about the threat.

If a ransomware attack does hit, it is important to be nimble and adaptable in practice. Considering these difficult issues in advance can pay dividends in a crisis scenario, however.

Whether to pay a ransom

With the ransomware threat constantly evolving and challenging the measures organisations put in place to address cyber risk, there remains a real possibility that criminals will succeed in implementing a ransomware attach – however comprehensive the defences organisations implement.

The Ransomware Task Force’s report also therefore sets out a series of recommendations on what can be done to make the response to ransomware attacks more effective.

Businesses and practitioners alike would benefit from a more consistent understanding of what, in practice, constitutes appropriate due diligence in determining hackers’ identity – and therefore better understanding whether they may be prohibited individuals, or associated with sanctioned entities or countries – and who might be criminally liable for any such failing. In this regard, a business’ status as the victim of crime carries no special shield of immunity to authorities investigating potential sanctions, terrorist payment or money laundering breaches.

The Ransomware Task Force’s call for clarity does not stand in isolation. It is echoed by increasing calls in the UK for the government to carry out an urgent policy review to consider all options, including the possible future prohibition on the payment of cyber ransoms.

Until such time as businesses have greater clarity, specialist real time advice is essential.

When a critical incident occurs, business leaders are forced to make a number of extremely difficult and time-sensitive business, regulatory and reputational decisions. It is critical that any actions pertaining to ransom payments are built on the foundations of specialist compliance due diligence, and that those processes allow for documented risk-based thinking to be evidenced.

If businesses or their agents fail to take proper account of the compliance risks that flow from making a payment to an anonymous threat actor, it is unlikely that, should the need arise, they will be able to satisfy authorities that they took all reasonable steps to avoid potential transgressions.

Cyturion is a one-stop-shop cyber response tool offered by Pinsent Masons which enables clients to develop a cyber incident response plan tailored to their needs, which sets out what to do, who does it, how they do it, and how the response is managed. Cyturion can help businesses mobilise quickly in response to a ransomware attack, or any other cyber incident.