Chris Swagler | September 8th, 2022

Ransomware is one type of cyberattack that has the power to drain the color from security leaders’ faces. Recovering from devastating, disruptive, and expensive attacks is rarely easy to predict along with final costs. Ransomware attacks increased during the pandemic, doubled between 2020 and 2021, and continue to rise. The cost of ransomware attacks, which focus on the extortion price of the attacks, can initially seem low; however, the cost can add up over time with ransomware groups making astronomical amounts of money. As the process drags on months after the attack is discovered, millions of dollars are sometimes lost. Even though the attacks worry everyone from the IT security team to the board of directors, it seems the companies are not investing enough to prepare themselves for these situations.

An average ransomware attack takes 237 days to identify and 89 days to contain, for a total lifecycle of 326 days, according to the 2022 Cost of a Data Breach Report. These are merely the early phases of the response process; it has been well over 10 months. Additionally, it took 49 days longer, a difference of 16.3%, to discover and contain ransomware attacks than the total average lifecycle of regular data breaches (277 days). The more damage threat operators can do and the more power they will eventually have during the extortion phase, the longer they are allowed to remain. Shorter timelines can result from increased ransomware preparedness, saving a lot of work and money.

According to the 2022 Cost of a Data Breach report, 37% of companies with incident response (IR) plans indicated they didn’t test them regularly. How well will companies respond if they test their plan for the first time while actively under attack? Plans can fall apart under proper pressure when companies need them. By examining the statistics from actual attacks, it’s simple to deduce this. In 2022, the average cost of a breach for companies with IR capabilities was $3.26 million, compared to $5.92 million for those without IR skills, which is a significant difference of $2.66 million, or 58%. Additionally, it represents an increase in savings over the figures from 2021, when the average cost of a breach at companies with IR capabilities saved $2.46 million, or from 2020, when the cost difference was $1.77 million, demonstrating the growing effectiveness of IR capabilities in terms of cost-saving. Companies need to have a plan and test it because it’ll save time, money, and stress in the event of an actual adverse event.

The 2022 Cost of a Data Breach study further notes nearly 75% of companies claimed to have an incident response plan, and 63% claimed to test it on a regular basis. Even though it’s a good start, however, without scenario-specific plans for big impacts, including ransomware, general technical response plans are incomplete. A poll revealed that the lack of specific playbooks for frequent attack types was hindering security response efforts, and ransomware has grown to be quite extensive. Due to the prevalence of double- or triple-extortion schemes today, companies’ staff needs to deal with numerous issues at once during ransomware attacks.

Companies’ technical and executive teams need to be coordinated concurrently to handle the complex response. As an extension of the Cyber Security Incident Response Plan (CSIRP) companies need to have their own playbook in place. That’s assuming that their CSIRP has the adequate maturity level to pull companies through the ransomware crisis.

Most companies examined continue to claim that their technical response plans are either ad hoc, use inconsistently, or have no plans at all, even though security response planning is gradually improving. Only 17% of respondents who have formal CSIRP had created specific playbooks for frequent attack types. Playbooks for ransomware and newly discovered attacks were much more behind schedule. The numbers may increase stress and expenditures for companies in a turbulent time. Companies can be ready for new attacks that are complex in their demands for decision-making authority and cross-organizational ramifications by having scenario-specific playbooks in place. Additionally, it means relying on predetermined procedures that input the knowledge and experience of companies’ most seasoned leaders into reliable, repeatable processes that even the most inexperienced new hires can follow.

A dangerous gap to mind is frequently overlooked when it comes to ransomware attacks, beyond the requirement for a technical ransomware playbook. The executive response to a crisis that affects entire companies is represented by the gap. In ways that other attacks rarely do, a disruptive extortion case will quickly need escalation to executive teams, the CEO, and even the board. The leaders will have to address the media and the impacted parties, and they need to be ready to make quick decisive choices. Because CEOs can stumble in front of TV cameras and may not effectively convey the messages that will best defend companies’ hard-earned reputation, the results are frequently more disastrous than the breach itself. Extreme situations can result in rash decisions that cost companies and their leaderships dearly years after the incidents.

Planning a response to ransomware attacks starts with understanding the fundamentals of incident response. Within the NIST framework, the “Response” section contains four key components:

Preparation – Handling incidents involves drafting, testing, drilling, and updating plans. It’s a crucial component because it affects the quality of the response that will eventually occur.

Detection and Analysis – Companies learn there are events to handle through this port. To determine the severity and have an initial idea of the impact and root cause, Triage occurs. Additionally, it’s a process that begins to escalate to the parties responsible for the technical response at the next stage. Here’s where companies’ technical management will alert the relevant executives in the event of ransomware.

Containment, Eradication, and Recovery – Companies’ incident management teams are activated and are directed through the process of escalation to staff members that oversee potentially impacted platforms, infrastructure, and applications. The plan may or may not account for IT and security, and cover data loss scenarios, however, all the aspects will be considered in reducing damage and restoring access and services quickly.

Where do ransomware playbooks fit in before moving to post-event activities? They must be dealt with concurrently:

Additionally, ransomware cases require proper and specialized evidence preservation so companies can support future forensic and legal investigations.

Ransomware is a ticking time bomb that can quickly escalate into a crisis impacting companies and why executive teams need to be involved immediately after discovery. Executives need to understand how pre-approved qualification criteria can lead to a crisis level alert in the event of a disaster and ask the technical team for companies’ impact analysis. Both the Disaster Recovery team and the Business Continuity team will need to present information from their respective sides. Executives will understand the motivations and modus operandi of the suspected groups that attack companies by looking at a threat intelligence brief on the groups, which will assist them in making the best decisions based on the data. Companies want to rely on pre-made decisions and intent set before an actual attack when companies have the chance to plan and think through the pressing questions given that time is the one resource they have left.

A dedicated executive ransomware playbook needs to have the answer to these questions in advance.

Post Incident Activity Stage – The incident records lessons gained from everyone involved in the incidents, both directly and indirectly, must be gathered through company-wide cooperation. Technical and executive management need to express themselves honestly and openly during feedback meetings without blaming anyone. It helps to improve the plans and how they’re carried out to avoid breakdowns in potential future incidents.

83% of respondents said that their company experienced more than one data breach. With attack numbers increasing year after year, companies need to find ways to effectively manage them. Additionally, companies need to always remain ahead of the current threat landscape and have an effective playbook when dealing with ransomware attacks. At SpearTip, our experts provide clear and concise information accessible to all stakeholders and for all cyber incidents during breach investigations. Our Digital Forensics and Data Mining investigations are led by industry experts who gather, handle, and catalog data following a breach. The ShadowSpear Platform, our integrable managed detection and response solution, allows our certified engineers to quickly identify, neutralize, and counter any irregular activities in companies’ networks before it becomes a devastating event.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.