If there is one type of cyberattack that can drain the color from any security leader’s face, it’s ransomware. A crippling, disruptive, and expensive attack to recover from, with final costs rarely being easy to foretell. Already a prevalent threat, the number of ransomware attacks rose during the pandemic and nearly doubled in the year between 2020 and 2021, continuing to rise since.

Focusing on the extortion price of these attacks, the cost of a ransomware attack can appear finite at first, but as costs accumulate over time, and include the entire recovery project, they can reach exorbitant amounts of money. In some cases, hundreds of millions of dollars are lost as the process stretches over months following the discovery of the attack.

But although these attacks raise concerns from the IT security team all the way to the board of directors, it appears that companies are not investing enough in being prepared for such a scenario.

According to the 2022 Cost of a Data Breach Report, the average ransomware attack took 237 days to identify and 89 days to contain, for a total lifecycle of 326 days. This is well over 10 months, and those are just the initial stages of the response process. Furthermore, compared to the overall average lifecycle of regular data breaches (277 days), it took 49 days longer to identify and contain a ransomware attack, for a difference of 16.3%. The longer the attackers get to dwell, the more damage they can cause, and leverage they can eventually gain for the extortion phase.

Building preparedness for a ransomware attack can translate into shorter timelines, saving a lot of work and money in the process.

The Untested Plan

What if your organization is one of those that already thought a plan was needed, and might have one in place, but this plan was never tested? The 2022 Cost of a Data Breach report found that of the organizations that had incident response (IR) plans, 37% said they did not regularly test them. Consider the following question: “How well will you fare if you test that plan for the first time when you are under an active attack?”

With proper pressure applied, plans can crumble when you most need them. This is readily easy to infer by looking at the numbers from actual attacks. Organizations with IR capabilities saw an average cost of $3.26 million per breach in 2022, compared to $5.92 million for organizations without IR capabilities, a difference of $2.66 million, or 58%. A very significant difference.

Moreover, that’s an increase in savings over the numbers we saw in 2021, when the average cost of a breach at organizations with IR capabilities saved $2.46 million; or in 2020, when the cost difference was $1.77 million, indicating the growing cost-saving effectiveness of IR capabilities. So have a plan and test it. You’ll save a lot of time, money, and stress in case of an actual adverse event, and it sure makes its own business case.

More Organizations Have Plans, But Lack Playbooks

It’s not all bad news. Nearly three-quarters of organizations in the 2022 Cost of a Data Breach study said they have an incident response plan, and 63% said they do regularly test the plan.

But while this is a good start, general technical response plans are incomplete without scenario-specific plans for major impact, like ransomware. A Ponemon survey, sponsored by IBM Security, found that security response efforts were hindered by a lack of specific playbooks for common attack types — and ransomware has become rather common.

With double or even triple extortion schemes rampant nowadays, a ransomware attack can have your team facing a number of aspects simultaneously:

  • Data breach with privacy and regulatory implications
  • System disruption without immediately known recovery times
  • Disaster recovery in case of a destructive attack
  • Dealing with extortive DDoS
  • Negotiating with criminals

This sort of complex response requires orchestration of your technical and executive teams simultaneously. It all needs its own playbook as an extension of the Cyber Security Incident Response Plan (CSIRP) you might have in place. That’s assuming that your CSIRP has the adequate maturity level to pull the organization through a ransomware crisis.

Explore the Report

Catch Up with Playbooks

While security response planning is slowly improving, most organizations surveyed by Ponemon (74%) are still reporting that even their technical response plans are either ad hoc, applied inconsistently, or that they have no plans at all. Among those with a formal CSIRP, only 17% of respondents had also developed specific playbooks for common attack types. Playbooks for ransomware and emerging attacks lagged even farther behind.

These statistics could be driving higher stress and costs on organizations in an already stormy situation. Having scenario-specific playbooks in place allows organizations to prepare for emerging attacks that may be nuanced in the need for decision-making authority and cross-organizational implications. It also means being able to fall back on an agreed-upon process that distills the knowledge and experience of your most experienced leaders into a solid, repeatable process that can be followed to the letter by even the greenest of new recruits.

Crisis Management: A Dangerous Gap

Beyond the need for a technical ransomware playbook, there is a dangerous gap to mind that is often ignored when it comes to ransomware attacks. That gap is the executive response to a crisis that impacts the entire organization.

A disruptive extortion case will very quickly require escalation to executive teams, the CEO, and even the board, in ways that other attacks rarely do. These leaders will have to face the media and impacted parties in short order, and they will have to be prepared to make decisions using time they do not have. The results are often more catastrophic than the breach itself, as leaders can fumble in front of TV cameras and may not clearly drive the messages that can best protect the company’s hard-earned reputation. These situations can go to the extreme with rash decisions that end up costing the company and its leadership dearly years after the event.

Seeing these cases unfold in the media, executives and boards are taking a more active approach and seeking to understand their role in a potential cyberattack or a cyber crisis. They do that to prepare themselves for the risk of major monetary loss, potential insurance pushbacks, and even personal liability. As a result, security leaders are being asked to show and prove preparedness and demonstrate how the entire company will orchestrate an adequate response. One way to show this preparedness is a playbook that can engage these executives early on. Equipping executives with plans, processes, templates for communications, and clear lists with contact information can save them the stress and time they need to make swift decisions and drive the company through and out of the crisis successfully.

These plans can also help make and document decisions in advance with a cool head, extending the ‘commander’s intent’ through to other team members that will use the plan under fire, even as they pivot through the event’s turns. Build a plan, drill the plan, and have metrics and KPIs to show your organization is prepared and keeps improving.

Ransomware Playbooks — the Essentials

Having a plan for responding to a ransomware attack begins with the basics of incident response. Let’s take the NIST framework as a standard for this purpose.

Figure 2: NIST IR Framework: Identify, Protect, Detect, Respond, Recover (Source: NIST)

Within the framework, zooming in on the “Response” section, we have:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, Recovery
  • Post Incident Activity

Preparing to handle incidents is the phase where plans are drafted and tested, then drilled and updated over time. It’s an essential part because it impacts the quality of response that will eventually take place.

Detection and Analysis are the port through which your organization realizes there is an incident to handle. This is where Triage takes place to assess severity and have an initial idea of impact and root cause. It’s also the process that starts to escalate to the parties who will carry out the technical response in the next stage. In the case of ransomware, this is where your technical management will also inform relevant executives.

Containment, Eradication, and Recovery activate your incident management teams and guide them through escalating to staff members that manage platforms, infrastructure, and applications that may be impacted. It could be that this plan also covers data loss cases, and it may or may not account for both IT and security, but all these aspects will go into the effort to minimize damage and restore access and services as quickly as possible.

Before moving to any post-event activity, where do ransomware playbooks come into the picture? They have to be worked with in parallel:

  • Ransomware playbooks should be part of the preparation, providing plans that can guide teams through responses that are specific to ransomware attacks and their nuanced nature. This preparation should aim to prevent incidents and it should outline when and how the organization may use backups in a recovery process. Your executives must be consulted here if service impact is going to affect the organization’s reputation, employees, customers, revenues, etc. Hence, again, the preparation of playbooks is essential.
  • A ransomware playbook should contain qualification criteria and thresholds that would allow ransomware to be called out immediately upon detection and analysis, and thus escalated accordingly to technical management but also to the CISO, CIO, Chief Legal and other executives.
  • The ransomware playbook should be used in the containment, eradication, and recovery stages. Unlike incidents that urge availability above other considerations, a ransomware case prioritizes ensuring that endpoints, servers, databases, cloud, and other assets, are recovered safely and after they have been cleared (and cleaned) for going back online.

Evidence preservation for a ransomware case should also be specific and carried out appropriately. This will allow the organization to later work through potential legal and forensic investigations.

And this is not all.

A View from the C-Suite — The Cyber Crisis Flavor

Ransomware is a ticking time bomb that can quickly turn into a whole-of-business crisis. As such, it requires a lot of involvement from the executive team, immediately upon discovery. There are critical considerations, decisions, negotiations, budgeting, regulatory, HR, finance, legal implications, and strategic approvals that go into the overall attack lifecycle, to name a few. None of these are accounted for inside a classic, technical CSIRP.

A separate playbook, drafted from a strategic viewpoint, has to be crafted with the participation of your C-suite executive team, to ensure that they come together and understand what’s needed of them quickly when an attack advances rapidly. This book will integrate with the other plans.

In case of a crisis, executives will need to see how a pre-approved qualification criteria triggered a crisis level alert. They will ask to see a business impact analysis from the technical team. The Business Continuity team will have to present information from their end, as will the Disaster Recovery team. Looking at a threat intelligence brief on the suspected group that attacked the organization will enable executives to understand the motives and modus operandi and further help them make the right decisions with the data they have.

At this time, where time is the last thing they have more of, your organization would want to rely on pre-made decisions and intent established ahead of an actual attack — when you had the chance to plan and think through the burning questions. Will you consider paying a ransom? What are the conditions you would pay under? What if paying is a federal offense in this case? Will you call a negotiator? What is the holding statement your CEO plans to give the media when that first call comes in? Was it approved by Comms and Legal?

All these questions can, and should be, answered in advance, in a designated executive ransomware playbook.

Back to the NIST framework, we are at the Post Incident Activity stage. This is where company-wide coordination should gather the event logs and lessons learned from all those who were actively involved in the incident, and those who experienced it from the sidelines.

Feedback sessions should allow both technical and executive management to be open and candid in their viewpoint, without blaming anyone, working to improve the plans and their execution to prevent breakdowns in potential future events.

In the 2022 Cost of a Data Breach report, 83% of respondents indicated that their organization has already gone through more than one data breach. With attack numbers only growing year over year, getting better at handling them must be part of how businesses are run.

For the complete 2022 Cost of a Data Breach report, please visit: ibm.biz/breach-report

Planning for Cyber Crisis Management: www.ibm.com/downloads/cas/KMBQMBMW

Want to learn more about how X-Force incident response can help your organization? Check out www.ibm.com/security/incident-response

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today