A ransomware message. Wikimedia Commons photo

Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.

[A] local furniture store was recently victimized by a ransomware attack. These types of attacks come in two general forms (there are variations). One is where data is encrypted and made inaccessible in some way, and a fee has to be paid to regain access. The other is when information is stolen, then a ransom is demanded, with the threat that the data will be released or the people impacted contacted. The primary issue is that someone with unauthorized access has confidential data, and even if a ransom is paid, there is no guarantee that the data will be destroyed or that it has been, or will be, managed appropriately by the adversary.

What does an organization do when they are the victim of a ransomware attack? Can the victimized organization be guaranteed that the data will be restored or not released publicly or to the affected parties?

Contact your local law enforcement immediately. If you don’t have an incident response plan in place, have the local FBI and Secret Service field office numbers in your contact list. You will also want to alert your legal counsel. In Vermont, you will have to report the breach to the Attorney General’s Office. Your counsel should be able to provide your public relations person with verbiage when the public and customer inquiries begin.

Determining whether to pay the ransom is a question you want to discuss with your legal counsel. Paying the ransom is a major organizational decision. It encourages the criminals involved, there is no guarantee the data will be restored (or not released publicly), there could be further demands for money, or the stolen data could be used for future demands for money.

Create an incident response plan to prepare, respond, detect, contain, eradicate and recover from the attack. Part of the incident response process is to prepare for this type of attack, which involves understanding that it could happen. One comment made by the furniture store vice president was: “I honestly don’t think I believed it to begin with. It’s something you see in the movies, something you see on TV but it’s never something that I thought would happen to us, especially here in Vermont.” Attackers do not generally care where you are located, the size of your organization, or who you are. You have to be prepared. Even if you have never been victimized by this type of attack, you have to prepare and have a plan in place if it does occur. However, it starts with implementing basic security measures to minimize being impacted by the most common types of attacks. “Detection” means to determine where the malicious software entered and if it has spread to other computers. “Containment” means all affected systems have been identified and those systems monitored and/or isolated to ensure the software doesn’t spread further. “Eradicate” means all occurrences of the malicious code have been removed (otherwise, the attackers could steal or lock more data and demand money in the future). “Recover” means the organization goes through the process to ensure this type of attack or other attacks don’t recur and the impacted systems are restored to production. If you do not know where to start, here’s a template.

Consider whether you can recover from the breach with your backup systems or processes. First, ensure you are backing up your data and test it periodically to determine whether the data you expect to be recovered is being backed up AND can be recovered. This testing process is really critical! You have to test your backup systems and retrieve data periodically to ensure it can be retrieved when needed.
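One way to make that restore test concrete, as an added example that is not part of the column: record what you expect to recover as a manifest of file hashes taken from the live data, restore the backup to a scratch location, and compare the two. The scenario in `demo()` is constructed (a restore that lost one file and truncated another); the helper names are hypothetical.

```python
"""Backup restore test (added example, not from the column).

Builds a manifest of what you expect to recover (path -> SHA-256) from
the live data, then checks a restored copy against it and reports files
that are missing or corrupted. Uses only the standard library.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest; return what failed."""
    missing, corrupted, ok = [], [], 0
    for rel, expected in manifest.items():
        p = Path(restored_root) / rel
        if not p.is_file():
            missing.append(rel)              # never backed up, or not restored
        elif hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            corrupted.append(rel)            # restored, but contents differ
        else:
            ok += 1
    return {"missing": sorted(missing), "corrupted": sorted(corrupted), "ok": ok}


def demo() -> dict:
    """Constructed scenario: a restore that lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "orders").mkdir(parents=True)
        (live / "orders" / "2023.csv").write_text("id,total\n1,99.00\n")
        (live / "customers.db").write_bytes(b"\x00\x01\x02")
        (live / "notes.txt").write_text("keep me")
        manifest = build_manifest(live)
        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)
        (restored / "notes.txt").unlink()                     # file absent after restore
        (restored / "customers.db").write_bytes(b"\x00\x01")  # truncated on restore
        return verify_restore(manifest, restored)
```

Run this against a real restore target on a schedule; a non-empty `missing` or `corrupted` list is the finding you want to see before an incident, not during one.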
