United States: Ransomware: Recommendations For Preparation And Response

The response to an encryption attack can be very difficult. Encrypted critical data usually places a business in a crisis with no ability – or an extremely limited ability – to conduct basic operations. Too few organizations have developed incident response plans providing for contingent or out-of-band communications. Often, before consulting any incident response experts, the victim business has communicated with the attacker and revealed information that the attacker is able to leverage in negotiations. There is also often a strong organizational desire to avoid any sort of extortionate payment that, when coupled with corrupted backups and an inadequate data recovery plan, can lead to additional hours, or days, of delay. These circumstances often result in substantial downtime and revenue loss – but there are ways to prevent these results.

One of the first questions an incident response expert will ask is whether there are any available backups of the critical data – in any form – that may assist in getting the business operational. Even when the answer is "yes," a two-track approach to recovery may be recommended. One track may involve the outside counsel ("breach response counsel" or legal counsel with expertise in incident response) negotiating with the attacker as the single point of contact in an attempt to reduce the ransom to something less than what it will cost to independently recover encrypted data or rebuild a network. The second track will involve urgent work by information technology personnel, assisted by digital forensics personnel, to determine whether backups can be verified and systems restored.

The negotiation can often take three days or more, factoring in the proof of the efficacy of the decryption tool and the difference in time zones between the attacker and the victim. If the restoration of data fails during this time, the decryption tool can still be purchased. Breach response counsel must be sure that all stakeholders are fully briefed, and the appropriate contingencies have been addressed so operational downtime is mitigated. Breach response counsel must also address the necessity and substance of customer communications and media holding statements all while coordinating the negotiations with the forensic response team. This is particularly true with medium to large organizations facing BitPaymer or Ryuk encryptions where the negotiations can closely resemble high-stakes commercial litigation.

The good news, if there is any, is that encryption attacks rarely involve the exfiltration of protected data sets. Assisted by skilled forensics teams, breach response counsel is often able to conclude that the ransomware attack does not trigger legal notification obligations.

Before the Storm

Picture this:

  • The files on all of your servers and workstations are renamed something like ".pwn3d";
  • Your email server has become a paperweight;
  • You have no ability to track accounts receivable, issue invoices, and pay bills and employees;
  • Everything you plug into any USB port on your laptop gets encrypted;
  • Some employees are asking you if their W-2 information has been stolen;
  • Some employees are telling customers that the North Korean cyber army is launching World War III, starting with your computers;
  • Still other employees have contacted their aunts and uncles in law enforcement, and they are feeding you "good advice";
  • Customers are asking why you have not responded to their urgent emails; and,
  • You calculate that one day of total shutdown costs the company tens of thousands of dollars in real costs, not to mention the harm to your brand and the missed opportunities.

That is how bad Hour One of a ransomware attack can get. Some employees' personal devices are also being encrypted because they are using them for work purposes.

When a business experiences a ransomware attack, even one that leaves some vital systems operational, it will naturally experience a great deal of chaos and frustration. The best way to respond is to trigger a well-crafted response plan. If you already have a data security team (internal or external) in place, a written Incident Response Plan (IRP) for them to follow, and have already tested it by conducting a few tabletop exercises, then you can skip to the next section of this article. If not, here is a rough checklist of preparation steps that you can take:

  1. Identify the response team leader(s). Your response team leader(s) will coordinate all of the components of your response including informing the various decision makers, notifying your cyber insurance carrier, engaging legal counsel, triggering the response team actions, scoping the situation, working with a digital forensics team, and keeping everyone updated.
  2. Create an out-of-band communications channel. Make sure that you have a way to contact decision makers, employees, and external entities such as vendors and customers, if your email and phones are down.
  3. Know the resources your cyber insurance carrier has available for you. This includes how to give notice of the event to your carrier. Do not be afraid of your carrier! Events like ransomware attacks are why you paid the premiums in the first place! Many carriers provide the assistance of skilled legal counsel and forensics teams who can lead you step-by-step through the whole process even if you do no planning at all (not recommended).
  4. Deploy a system for creating backups, checking backups, and restoring backups. This includes backups of all vital applications and data. Consider how licensed software will be restored or recreated. Consider not only the frequency of regular backup creation and validation, but also air-gapped backups. It is also important to consider how you will answer this question: how long until we are operational again? Remember, every hour that your company is down will be an hour of frustration, anxiety, upset customers, and lost revenue.
  5. Deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring in addition to the traditional anti-virus suite, which only looks at known malware signatures, to a comprehensive information security program mapped to the National Institute of Standards and Technology (NIST) family of controls or the ISO 27002 standard.
  6. Educate your personnel. Good password hygiene, how to spot phishing, and basic physical access controls are not just the stuff of tech blogs; they are entirely essential to modern life.

There is much more that can be done to prevent a ransomware attack, but these steps should help to give direction to the chaos, if nothing else.

Aaaaaand, you're encrypted.

Maybe it started with a successful detection and eradication of Emotet or some other credential-stealing malware. Maybe you woke up to find all of your servers are unresponsive and the files now all have the extension ".crab." Or maybe you're having the blood-chilling experience of actually watching the encryption take place in real time before your eyes... Take a breath and GO UNPLUG EVERYTHING FROM YOUR NETWORK NOW! But do not unplug your servers or workstations (laptops/desktops) from their power supplies! That could cause irreparable data loss, depending on the ransomware variant (type).

Here is the checklist for what not to do next:

  1. Do not contact the attacker. It is okay if you read the ransom note, but it is not okay to start communications with the attacker. Anything you say can, and will, be used against you if you end up negotiating for a decryption tool.
  2. Do not turn off any encrypted systems, and especially systems that are in the process of encrypting. You could lose data. You could also lose valuable forensic evidence that can help in the investigation.
  3. Do not communicate with anyone else – except your cyber insurance carrier and breach response counsel. You must carefully consider all communication. Want to find out if you have an unscrupulous vendor, customer, or competitor? Tell a well-intentioned employee that they cannot get to their email because you are experiencing a ransomware attack. Being accused of a lack of transparency is better than poor communication, and much, much better than erroneous communication.

Here is another rough checklist for what you should do next:

  1. Seal off the outside world. Disconnect everything from your network without shutting anything down. You need to prevent the spread of the malware.
  2. Contact your cyber insurance carrier's 24/7 incident response center. The breach response counsel and forensics team will respond immediately and guide you through the entire process, including how to close the vulnerability that started this situation in the first place. The breach response counsel also adds the benefit of protecting communications and certain records associated with the response with confidentiality.
  3. Assess the situation. One of the first things the breach response counsel and the forensics team will ask of you is, "what is your operational status?" Inventory the encrypted systems versus the non-encrypted systems, determine the status of vital systems (email and accounting are common vital systems), and put together a timeline of the incident. Assess the viability of restoring from backups including how long it will take.
  4. Inform the decision makers. These will be the people who control finances, communications/customer relations, and risk management.
  5. Restore systems starting with operationally vital systems. This is actually three steps taken simultaneously with the guidance of the forensics team: (1) collect forensic data to determine how the attacker got in and what the attack did while in your environment; (2) begin restoring from backups, if possible; and, (3) negotiate with the attacker for the decryption tool. Even if your backups appear to be intact, you only have a short window of time to engage the attacker and you do not want that window to close only to find out that your backups failed at 92 percent.
  6. Craft your messaging. While Step 5 is underway, work with breach response counsel to craft internal and external messaging that communicates in a neutral tone that you are experiencing technical issues and identifies the means to communicate with your personnel. There are many considerations present in this aspect of crisis management that could fill an entire article on their own.
  7. Notify law enforcement. Breach response counsel will assist you with this step. By reporting the incident through the FBI's Internet Crime Complaint Center (IC3.gov), you are assisting with the eventual arrest and prosecution of criminals, often gaining the assistance of experienced FBI cyber agents, and you are providing some peace of mind to your personnel and customers through your cooperation with law enforcement.
  8. Complete the forensic investigation. The forensic response team will not only help you to ensure that your systems are clean and the vulnerability is secured, they will also tell you whether or not the attacker compromised any protected data sets (SSNs, financial account information, etc.) or trade secrets.
  9. Comply with legal obligations. There are laws that require notification of consumers whose protected data is compromised. Many of these laws carry a stiff penalty for non-compliance, not to mention the possibility of third-party lawsuits. Your company may also have contracts with customers or vendors that require you to inform them of data security incidents. Your breach response counsel will assist you with this step.
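Step 3's inventory and timeline, as an added example that is not part of the original article: a Python triage script that walks a copy of each host's file tree, buckets hosts as clean, partially or fully encrypted using the renamed-file extensions the article mentions (".pwn3d", ".crab", assumed here to be the indicator), and orders the first-seen modification times into a rough timeline. The hosts, files and timestamps are constructed sample data.

```python
import os
import tempfile

# Extensions the article cites as examples of ransomware renaming (".pwn3d", ".crab").
# Hypothetical set: in a real case, take the extension from the ransom note and samples.
RANSOM_EXTENSIONS = {".pwn3d", ".crab"}

def scan_host(root):
    """Walk one host's file tree. Returns (encrypted, total, first_mtime, last_mtime)."""
    encrypted = total = 0
    first = last = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            total += 1
            if os.path.splitext(name)[1].lower() not in RANSOM_EXTENSIONS:
                continue
            encrypted += 1
            ts = os.path.getmtime(os.path.join(dirpath, name))
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
    return encrypted, total, first, last

def classify(encrypted, total):
    """Bucket a host for the 'encrypted vs. non-encrypted' inventory."""
    if encrypted == 0:
        return "clean"
    # 'partial' may mean encryption is still running: isolate from the network, do not power off.
    return "encrypted" if encrypted == total else "partial"

def triage(hosts):
    """hosts: {hostname: path of its mounted or copied file tree}.
    Returns the per-host inventory plus an incident timeline."""
    report = {}
    for host, root in hosts.items():
        enc, total, first, last = scan_host(root)
        report[host] = {"status": classify(enc, total), "encrypted": enc,
                        "total": total, "first": first, "last": last}
    seen = [(r["first"], h) for h, r in report.items() if r["first"] is not None]
    if not seen:
        return report, {"earliest": None, "latest": None, "first_host": None}
    earliest, first_host = min(seen)  # earliest encrypted file and the host it sits on
    latest = max(r["last"] for r in report.values() if r["last"] is not None)
    return report, {"earliest": earliest, "latest": latest, "first_host": first_host}

def build_sample():
    """Constructed sample (not real incident data); encrypted files are backdated for the timeline."""
    base = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "fileserver": [("report.docx.crab", 1000), ("ledger.xlsx.crab", 1300)],
        "mailserver": [("inbox.pst.pwn3d", 1200), ("queue.db", None)],
        "laptop-07":  [("notes.txt", None), ("photo.jpg", None)],
    }
    hosts = {}
    for host, files in layout.items():
        root = os.path.join(base, host)
        os.makedirs(root)
        for name, mtime in files:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample")
            if mtime is not None:
                os.utime(path, (mtime, mtime))  # simulate the time the file was encrypted
        hosts[host] = root
    return hosts

if __name__ == "__main__":
    report, timeline = triage(build_sample())
    for host, r in sorted(report.items()):
        print(host, r["status"], f"{r['encrypted']}/{r['total']} files encrypted")
    print("earliest encrypted file:", timeline["earliest"], "on", timeline["first_host"])
```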


There is a reason that ransomware attacks often fall into the "kidnap and ransom" coverage of an insurance program. Although they involve computers instead of people, they are crisis events with a similar pattern and similar pitfalls. With some preparation and a level-headed response, they do not have to end in tragedy.
