Slow-Playing the Attackers
When you face extortion, there are battle-tested strategies to put the attackers on the back foot and give your team time to get ahead. The best way to mitigate a ransomware attack is to prevent it outright. But you can't stop everything, so having robust strategies for handling an active incident minimizes the damage and the recovery time.
Ransomware attacks are urgent for both sides. Organizations must quickly respond, recover and mitigate the damage while attackers need a swift payoff to move on to their next target.
But it's not all about speeding up. Slowing the attackers down is just as important.
After helping hundreds of organizations overcome ransomware attacks, we’ve learned that buying time can change the balance of power and set you up for a more successful resolution.
Stall During Negotiations
Ransomware attackers run businesses. They have English-speaking customer service representatives ready to facilitate payments. Their strategy is to pressure you to pay quickly to regain access to your data.
They also have an incentive to uphold their reputation. If they don't deliver on their promise to restore access after payment, word will spread, and potential victims will be less likely to pay them in the future.
Our Incident Response (IR) Report showed that, when victims paid, attackers fully kept their promises in 67% of cases, did not keep them at all in 20.6%, partially fulfilled them in 3.9%, and the outcome was unknown in 7.8%.
It’s worth engaging in communication with attackers, but not on the off-chance they will keep their promises. Instead, use the opportunity to buy your team crucial time to respond to the attack.
Negotiations are high-stakes. If you’re in a high-pressure situation, call us.
During negotiations, several strategies can be employed to stall and gain valuable time:
- Indicate willingness to pay but need more time – One effective stalling tactic is to indicate that you are willing to pay but need time to collect the necessary resources and gain executive approval. This not only buys you time but also keeps the attackers engaged and less suspicious.
- Negotiate a lesser ransom – Tell the attackers that you cannot afford the amount they are asking. This can lead to extended discussions that delay the process and grant more time to focus on recovery.
- Ask questions about the compromise – Use the negotiation period to ask questions that might reveal details about the compromise, such as which systems they encrypted and what data they claim to have taken (asking for a file listing as proof is a common way to scope a data theft claim). Understanding the scope and specifics of the attack can be critical for your investigative and recovery efforts. Questions also stall the attackers, since they take time to respond. Treat any file or link the attackers send as attacker-controlled content and open it only in an isolated analysis environment.
- Play dumb – Act confused and be confusing in your responses, which forces the attackers to engage with you continuously to clarify their intent and demands. By creating a back-and-forth exchange, you can significantly prolong the negotiation process.
Employing these stalling techniques can buy you the essential time needed to respond effectively. It's best to focus on recovery efforts, determine whether sensitive information has been stolen, and glean whatever information you can from the attackers.
Remember, the goal is to use every available advantage to mitigate the impact of the attack and improve your chances of a successful recovery.
Focus on Recovery While Attackers Focus on Payment
Recovering while being pressured into paying a ransom involves a multifaceted approach to help your organization bounce back as quickly and safely as possible.
Isolating the Breach
First, isolate the compromise. Identify which systems have been compromised and how the attackers gained their foothold. Prefer network isolation of affected hosts over powering them off, so that volatile evidence (running processes, network connections, memory) survives for the investigation.
Tools like Cortex XDR can be invaluable for investigating the breach and answering critical questions about the attack vectors and the extent of the compromise. They also provide a comprehensive overview of your environment, so you can trace the source of the attack and take appropriate action to contain it.
Remediation and Restoration
Next, focus on remediating the weaknesses the attackers used. Patch the exploited systems, revoke any account privileges that could have enabled the compromise, and reset the credentials (including service accounts and API keys) of every account the attackers are known or suspected to have used; stolen credentials are a common way back in after the initial access path is closed.
Addressing these vulnerabilities prevents further exploitation. Make sure your patch management processes are comprehensive and that all systems are up to date with the latest security fixes.
Rely on your disaster recovery strategy and use offline backups for the recovery process. Restore your systems carefully, verifying that the backup data is untampered and functional before it goes back into production: compare it against integrity records made when the backup was taken, and restore first into an isolated environment, since restoring onto a network the attackers still have access to invites a second encryption.
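The integrity check described above, as an added example that is not part of the original article or of any Unit 42 tooling. It assumes a manifest format of our own design: a JSON listing of each backup file's relative path and SHA-256 digest, authenticated with an HMAC-SHA256 key that is stored offline, separately from the backup media, so that an attacker who can rewrite the backup cannot also rewrite the manifest to match. The sample backup set and the tampering are constructed inline for illustration.

```python
"""Verify an offline backup set against a pre-incident, keyed manifest before restoring it."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large backup images never load fully into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Deterministic serialization so the MAC is reproducible at verification time.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Hash every file under backup_root and authenticate the listing. Run when the backup is taken."""
    files = {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the backup matches the authenticated manifest."""
    expected_mac = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    # Checked first: a forged manifest whose digests match tampered files fails here.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself may have been altered"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(sha256_file(p), digest):
            problems.append(f"modified: {rel}")
    on_disk = {p.relative_to(backup_root).as_posix() for p in backup_root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unexpected file: {rel}")  # e.g. a planted binary or ransom note
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny backup set verified clean, then tampered with, then a forged manifest."""
    key = b"offline-manifest-key"  # placeholder; in practice a random key kept off the network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Simulate tampering on the backup media: an altered dump and a planted file.
        (root / "db" / "customers.sql").write_bytes(b"DROP TABLE customers;\n")
        (root / "README_TO_DECRYPT.txt").write_bytes(b"pay us\n")
        tampered = verify_backup(root, manifest, key)
        # An attacker who also edits the manifest to match cannot recompute the MAC without the key.
        forged_files = dict(manifest["files"], **{"db/customers.sql": sha256_file(root / "db" / "customers.sql")})
        forged = verify_backup(root, {"files": forged_files, "mac": manifest["mac"]}, key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "OK")
```

A matching digest proves the bytes are what you backed up, not that the backup is functional: follow the hash check with a test restore on an isolated host and confirm the application actually starts and the data is readable.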
The recovery phase requires continuous monitoring and assessment of your systems. Keep an eye out for any signs of residual compromise or further malicious activity.
Post-Attack Preparation
Slow-playing the attackers also gives teams other than your emergency responders time:
- To determine whether data has been stolen, not just encrypted.
- To prepare to report the incident to the SEC, if required.
- To prepare reactive statements and support for employees or customers, in case the attackers harass them.
By concentrating on recovery while engaging in stalling tactics with the attackers, you can limit the scope and depth of the damage.
Make Time Your Ally
Even as attacks become more rapid and sophisticated, using the negotiation stage to your advantage can put the ball back in your court.
If a ransomware attack happens, commit to communicating with the attackers as a means to take control of the situation. Slow-playing them lets you execute your incident response plan effectively, gather valuable information, and focus on recovery.
If you're interested in preparing your defenses in advance, equip your organization with a trusted incident response partner like Unit 42, and be ready for any scenario.