The ransomware alert from the FBI (which advises against paying the ransom at all) provides nine factors to include when reporting ransomware attacks:
- The date of infection.
- The ransomware variant, which is identified on the ransom page or by the encrypted file extension.
- Information about the victim company, including its industry type, business size and so on.
- Details about how the infection occurred, such as through a malicious link in an email or by browsing the internet.
- The requested ransom amount.
- The attacker's bitcoin wallet address, which may be listed on the ransom page.
- The amount of ransom the organization paid (if any) to the attacker.
- The overall losses associated with the ransomware infection (including the ransom amount).
- A victim impact statement.
These are all reasonable things to disclose, but organizations that have suffered a ransomware attack may be reluctant to report them. The reluctance usually concerns the ransom amount, whether it was paid, what the overall losses were and what impact the attack had on the business.
Admitting that your organization was the target of a ransomware attack can be embarrassing, and reporting it can reflect negatively on the organization. Customers and partners may ask why sufficient measures were not in place to prevent the breach, particularly if the impact would have been severe had the ransom not been paid.
Keep in mind that if a company notifies the FBI about a successful ransomware attack against it, there’s no guarantee that the information won’t be leaked or made public in some other manner. Not to mention, there could be financial implications of such disclosures, especially if the company is publicly traded.
There are plenty of ransomware prevention measures available today. The FBI alert provides some of these measures. While there are risks in reporting ransomware attacks to the FBI or other law enforcement agencies, the real concern should be how the organization manages the incident.
When it comes to customers, perception is reality. This also applies to partners, management, peers and stakeholders. Ransomware attacks happen, but the important thing is to minimize the impact and demonstrate a timely recovery.
Organizations can’t control what the press will report on the incident, or whether the breach details become public. They also can’t control what the FBI does with the information provided to them. But organizations can control the impact of the breach and manage perception.
Organizations should deploy protection measures to reduce the impact of a ransomware attack: train employees to recognize and report suspicious email and breaches, test the incident response plan, periodically test that controls are effective, keep patches current, monitor continuously, enforce strong change control and, most importantly, keep full, incremental and differential backups for timely recovery. Backups only help if the attacker cannot reach them, so keep at least one copy offline or on immutable storage, and test restores regularly rather than assuming the backup jobs succeeded.
In addition, organizations should prepare communications for management, stakeholders, media and the public. Breach announcements, whether for ransomware or other attacks, are much more palatable if they can also report that the company recovered quickly, that the impact was minimal because of effective protection measures and that no ransom payment was required.
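The difference between full, incremental and differential backups matters at restore time, which is exactly when a ransomware victim is under pressure. The following is an added example, not code from the page or from the FBI alert: a small in-memory model of the three backup types. It uses a constructed set of files and hypothetical helper names (`take_backup`, `restore_sets`, `restore`) to show what each backup type captures and how many backup sets a restore has to chain together. It does not model offline or immutable storage; that still has to be arranged separately.

```python
import hashlib
from typing import Dict, List

# Constructed sample data for the example, not real files.
DAY0 = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "db/data.bin": b"\x00\x01"}


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest of path -> SHA-256, so selection compares content rather than mtimes."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def changed_since(current: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, bytes]:
    """Files that are new or modified relative to a baseline manifest."""
    now = fingerprint(current)
    return {p: current[p] for p in current if baseline.get(p) != now[p]}


def take_backup(kind: str, current: Dict[str, bytes], history: List[dict]) -> dict:
    """Append one backup set to history.

    full:         everything (also forced for the first backup in a history)
    differential: everything changed since the last full backup
    incremental:  everything changed since the last backup of any kind
    Each set stores the complete manifest of the state it saw, plus only the captured data.
    """
    if kind == "full" or not history:
        kind, data = "full", dict(current)
    elif kind == "differential":
        last_full = next(b for b in reversed(history) if b["kind"] == "full")
        data = changed_since(current, last_full["manifest"])
    elif kind == "incremental":
        data = changed_since(current, history[-1]["manifest"])
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    backup = {"kind": kind, "manifest": fingerprint(current), "data": data}
    history.append(backup)
    return backup


def restore_sets(history: List[dict]) -> List[dict]:
    """Minimal ordered list of backup sets needed to restore the latest state."""
    needed = []
    i = len(history) - 1
    while i >= 0:
        b = history[i]
        needed.append(b)
        if b["kind"] == "full":
            break
        if b["kind"] == "differential":
            # A differential already holds everything since the last full; jump straight to it.
            i = max(j for j in range(i) if history[j]["kind"] == "full")
            continue
        i -= 1  # incremental: the previous set is also required
    return list(reversed(needed))


def restore(history: List[dict]) -> Dict[str, bytes]:
    """Overlay the needed sets in order, then drop paths deleted before the last backup."""
    files: Dict[str, bytes] = {}
    for b in restore_sets(history):
        files.update(b["data"])
    latest = history[-1]["manifest"]
    return {p: c for p, c in files.items() if p in latest}


def demo() -> dict:
    """Same three days of change, backed up once incrementally and once differentially."""
    day0 = dict(DAY0)
    day1 = {**day0, "docs/a.txt": b"alpha v2"}          # one file modified
    day2 = {**day1, "docs/c.txt": b"charlie"}           # one file added ...
    del day2["docs/b.txt"]                              # ... and one deleted

    inc_hist: List[dict] = []
    for kind, state in (("full", day0), ("incremental", day1), ("incremental", day2)):
        take_backup(kind, state, inc_hist)

    diff_hist: List[dict] = []
    for kind, state in (("full", day0), ("differential", day1), ("differential", day2)):
        take_backup(kind, state, diff_hist)

    return {
        "inc_sets_needed": len(restore_sets(inc_hist)),        # full + every incremental
        "diff_sets_needed": len(restore_sets(diff_hist)),      # full + latest differential only
        "inc_day2_captured": sorted(inc_hist[2]["data"]),      # only the day-2 change
        "diff_day2_captured": sorted(diff_hist[2]["data"]),    # day-1 and day-2 changes
        "inc_restore_ok": restore(inc_hist) == day2,
        "diff_restore_ok": restore(diff_hist) == day2,
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the model makes visible: incrementals are smallest to take but a restore needs the whole unbroken chain back to the last full, so a single corrupted or encrypted incremental breaks recovery; differentials grow over time but a restore needs only two sets. Whichever schedule is used, the `restore()` step should be rehearsed against the real backups, since a backup that has never been restored is an assumption, not a control.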
For more information on prevention, etc., contact us at: https://media-moon.com/