Insurance giant Marsh has released a comprehensive ransomware incident response guide as ransomware attacks have become more frequent, severe, and sophisticated - especially since the COVID-19 pandemic compelled many organisations to go digital.
In 2020, around 51% of organisations globally experienced a ransomware attack – with an escalation in attacks involving higher ransom payments and increased downtime causing significant financial and operational impacts, according to Marsh.
The insurance giant said it is common for organisations to be caught off guard when facing a ransomware attack and experience a “paralysis” that lessens response effectiveness. Therefore, organisations should anticipate and prepare well for the possibility of ransomware attacks.
Know your options
Marsh's guide stated that organisations have three basic approaches to recovery: restore from backup, attempt to break the encryption, and pay the ransom and follow the attacker's instructions.
The guide warned that all three approaches are labour- and time-intensive and do not guarantee that lost data will be recovered, although insurance proceeds may be available to cover the costs associated with the ransom and recovery.
Develop internal policies and guidance
The guide advised organisations to incorporate procedures for handling ransomware incidents into their incident response plan. They should also develop a policy to guide decision-making on whether to pay a cryptocurrency ransom demand, specifying the parameters to be considered, including the ransom cost, the estimated restoration cost, the likelihood of successful restoration whether or not the ransom is paid, regulatory implications, and the criticality of the data.
Marsh said organisations must only consider paying a ransom under extreme circumstances.
“It is wise to develop a plan for how to pay a cryptocurrency ransom demand should it become necessary. It is a best practice to pay a ransom demand through your external cyber counsel or cyber forensic provider,” the guide said.
Understand regulatory implications and potential sanctions
“Obtain a documented position or perspective from external cyber counsel on the potential legal implications of paying a ransom demand to a cyber threat actor,” the guide said.
Secure approval from the Board
“Obtain approval from the board of directors on policy documents. Recognise that policies are likely to be discoverable if legal action is taken against the company due to its handling of a ransomware event,” Marsh shared via the guide.
Examine the impact on insurance
Organisations must understand the details of their cyber insurance coverage, including whether it covers ransom payments and other losses arising from a ransomware attack, the guide said.
The guide also advised organisations to consider:
- Reporting the incident in line with the insurance policy's claims and loss reporting guidelines, in addition to any report to authorities;
- Obtaining approval from the insurer for third-party vendors to respond to the incident, especially if the third-party firm is not one of the insurer's pre-approved vendors; and
- Cooperating with the insurer throughout the incident response and any resulting claim.
Seek legal counsel
The guide advised affected organisations to consult a law firm that specialises in cybersecurity and data protection to serve as their cyber incident response coach.
Engage outside expertise
According to Marsh, organisations should seek cyber forensic providers and understand the capabilities they offer for dealing with ransomware attacks.
“Focus on companies that have strong credentials, experience, and a superior reputation for cyber forensics. Your insurer, cyber broker, and your cyber incident response coach can help to identify providers,” Marsh said in the guide.
Marsh also advised organisations to learn about tools that can decrypt different strains of known ransomware.
Determine how to manage a ransomware payment
“Understand the basics of cryptocurrency. Determine whether your legal counsel or cyber forensics provider will be responsible for managing any potential cryptocurrency transactions on your behalf,” the guide said.
“In addition to supporting a smooth, quick transaction, the external cyber counsel will also ensure compliance with NBD Scheme or other regulatory guidance related to ransomware payments. Remember that cryptocurrency exchanges charge fees for cryptocurrency purchases.”
During a ransomware attack
The guide advised affected organisations to minimise exposure and maximise backup protection by isolating the ransomware infection: turning off servers and computers throughout the organisation, and disabling LAN and WiFi connections or blocking network traffic.
Affected organisations must also eradicate the malware executable code from networks and systems without deleting related files, and recognise that full restoration of the affected data will require considerable hands-on work and can take many days.
Organisations with cyber insurance must engage their risk manager and cyber insurance broker to review the relevant requirements of the insurance program, the insurer's expectations, and any ransomware-specific services the insurer may offer.
“If you decide to pay the ransom, confirm with your insurer before making the payment. Many insurers require that they pre-approve in advance of a client making a ransom payment,” the broker added.
Marsh also pointed out that affected organisations must follow their internal and external guidance and consider carefully before executing any ransom payment.
“The final decision on whether to pay should be made through careful internal deliberation after sufficient legal advice and cyber forensic technical analysis,” it said.
Marsh said affected organisations must remain vigilant even after dealing with the ransomware attack and improve cyber security by updating internal guidance, bringing in external expertise, identifying weaknesses, and reviewing their backup strategy.