Part of the role of a ransomware negotiator is to bring calm to a situation that can feel like a waking nightmare for the victim organization.
Coordinating a response in the aftermath of such a volatile incident puts a company’s finances, reputation and longevity on the line.
“When the actual ransomware attack is occurring, I think the biggest thing is [to] take a deep breath and slow things down,” said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security.
“The first knee-jerk reaction for most organizations is to kind of freak out a little bit, and rightfully so,” Schmitt said.
Ransomware groups are known to exploit human psychology as a tactical advantage, but that behavioral response can create additional work and slow time to recovery.
The psychological component can be minimized when incident responders act with a sense of urgency but in a calm and collected demeanor, according to Schmitt, who has responded to hundreds of ransomware incidents during his career.
Schmitt, who also facilitates ransomware negotiations — acting as the liaison between the victim organization and the threat actor — shares his top three tips for organizations hit by ransomware:
- Slow down and don’t freak out
- Preserve evidence
- Learn from the experience
The typical reaction, following a ransomware attack, is to shut things down, re-image all computers and get the matter resolved as quickly as possible.
However, if evidence isn’t preserved, analyzing the root cause of how the attack started, made its way through the network and ultimately ended up as ransomware may not be possible, Schmitt said.
Organizations that move too quickly are also less likely to learn from the experience.
“When a ransomware scenario happens, it's nobody's fault,” he said. What matters more is how an organization moves forward.
Learning from the experience includes identifying gaps in defense and pursuing a collective remediation of those weak points to improve the company’s security stance and help prevent another attack.
Ransomware response often falters when there’s a disconnect between the technical and business units of the organization, according to Schmitt.
The quality and value of an incident response investigation and recovery is lower when businesses cut corners to resume operations at any cost.
That’s when pertinent details go potentially missed or systems are improperly restored, Schmitt said.
Dynamic communication between all parts of the business can help everyone in the organization understand where things are at, he said. And “even though it seems like things might be moving slowly, they really are moving as fast as possible and they're having the best impact possible.”