Careful Security

Ransomware Response Strategies

While companies big and small are susceptible to ransomware attacks, how a company conducts itself in the wake of a ransomware attack can create dire consequences, both for the organization’s reputation and for the data held hostage by attackers.

LockBit ransomware attack

Take for example Accenture, Inc., a large IT consultancy that found itself the victim of a LockBit ransomware attack which they discovered and reported on August 11th…according to them, at least. Reports surfaced soon after the attack stating Accenture might have known of the presence of LockBit in their network as early as July 30th, possibly two weeks before the organization took steps to isolate the problem network segments and contain the threat. Accenture then followed this announcement up with a dearth of public announcements or disclosure, leading many IT experts to believe that Accenture set a bad example to other IT companies. Much like Russia with Chernobyl, a lack of transparency only served to foster mistrust in the community.

What to do when Ransomware Strikes

While the focus of cybersecurity experts should primarily concern themselves with preventing ransomware attacks, CISA’s Multi-State Information Sharing and Analytics Center (MS-ISAC) also provides a number of steps to take if you have been sidelined by a ransomware attack. Steps that, as far as we know, may not even have been undertaken by Accenture in the wake of their ransomware attack. Of paramount importance when dealing with a ransomware attack is to never pay the attackers. There is no guarantee that your data will be recovered or that your network is not still compromised. Knowing this, you must perform the following actions to recover:

Steps to Recovery

Detection and Analysis – Isolate or disable the infected systems and triage for recovery.

Containment and Eradication – Take a system image of an affected system to preserve evidence for identification and analysis. Consult federal law enforcement and security organizations for further guidance. Track the attack down to the initial breach. Rebuild systems based on priority.

Recovery – Reconnect rebuilt systems. Conduct risk/threat assessment. Document the lessons learned from the attack and share these lessons to benefit others in the community.

Had a large company like Accenture performed these actions as soon as they noticed a possible attack, they would have created goodwill for themselves and increased the posture of the IT community as a whole.