Ransom negotiation protocol checklist
First and foremost, before communications can begin, you need to determine if legal engagement with the threat actor is possible. How? An OFAC (Office of Foreign Assets Control) check must be run to see whether any data (i.e., IP addresses, language, system access, etc.) or metadata is associated with an entity that has been put on the U.S. Sanctions list. If the answer is yes, communication with and ransom payments to the attacker is prohibited.
It’s relatively rare for data from an attack to match an entity on the list because threat actors are using tools to mask their identities (i.e., VPNs, proxy connections, language translation, etc.). If you know where to dig, it’s not impossible to discover pieces of information to help unmask threat actors. For example, if a threat actor’s IP address says they are in the Netherlands, but upon reviewing the executable files they dropped on compromised systems you see they are written in Russian, this could reveal the attacker’s true location.
Once you’ve confirmed that legal engagement with the threat actor can proceed, you must weigh your answers to the following questions:
- Is my data backed up and accessible on the network?
- If not, can I rebuild the data from scratch?
- If the stolen data is shared publicly, how will this impact the company?
- Will my business survive if I don’t pay?
Source: Navigating the complexity of ransomware negotiations
Ransomware Protection Playbook
No cybersecurity plan will ever be perfect, no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan before disaster strikes.
In Ransomware Protection Playbook experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all important steps to stop and recover from an ongoing attack starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack – whether or not to pay the ransom.
No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.
