Available Now: Ransomware Active Attack Response Best Common Practices Document

Ransomware Active Attack Response Best Common Practices Announcement

Brian Scriber
Distinguished Technologist and VP of Security & Privacy Technologies

May 23, 2023

Ransomware continues to wreak havoc on global industry, governments, individuals and enterprises. Research shows that more than a third of all businesses were victims of ransomware in 2021, and now over a quarter of all malware has been reprovisioned for ransom. Ransomware is the result of malicious attackers compromising a system or network and exfiltrating or encrypting encountered data; victims are then solicited for return of control or access to their data. In many attacks, separate ransoms are demanded for return of the data and for promises not to release that data publicly.

Existing literature and guidelines on how to best prevent ransomware are common and provide useful tools for most businesses. However, CableLabs has found a distinct lack of support for small and midsized businesses (SMBs). What should SMBs under attack do immediately, what decisions should they make and who should be part of the solution? Answers to these questions were not readily available for those that needed them most.

Responding to the SMB Need

CableLabs’ Security and Privacy Technologies team, through their involvement with the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), explored the creation of a Best Common Practices document to help them navigate the intricacies of a ransomware attack. The creation and refinement of this document reflects our commitment to delivering a threat-resistant networking environment for both wired and wireless networks. We would like to thank each of the individuals and the corporations who contributed to this work under the M3AAWG umbrella.

The freely available Ransomware Active Attack Response Best Common Practices document walks the reader through the ransomware recovery process, but it doesn’t provide a single path through the experience. This document should be used to highlight what is important so that businesses can quickly and effectively move forward while identifying the considerations, expert advice and implications of each decision and action. The goal is to inform the technical team about the critical steps to take and to communicate the results so that the executive team can make the best decisions possible in terms of recovery—as well as how best to involve all the other functions in the organization from legal and operations to marketing and financial executives. This document also provides tools for the reader while engaging with those outside the organization, including cybersecurity insurance companies, incident response teams, negotiators, forensic experts, law enforcement, regulators and media.

How It Works

The document’s first three main sections—Detection, Analysis and Response—identify the responsible, accountable, consulted and informed parties, along with the expected deliverables at each stage. The fourth section fleshes out additional details related to the key decisions the team will be making, understanding the timing, implications and involved concerns. The fifth and sixth sections explore the people (both internal and external to the organization) and the technologies at play in the recovery activities. The document closes with post-incident clean-up, recovery and reflection on what led up to the attack, as well as mitigations for the future. The conclusion also includes a review of how each stage progressed—what went well, what didn’t, where was luck involved, what was missed and more.

The target audience for this document is anyone on the IT team within an SMB but primarily the individuals responsible for the technology business operations. This may be a Chief Information Security Officer (CISO) or Chief Information Officer (CIO), or it may be the sales lead who helped build out the network. Not every company has the financial resources or the time to plan for prevention like some larger companies might have, so the objective of this paper was to provide tools in an area that was dramatically devoid of reliable advice. This is a document that the authors hope nobody ever has the necessity to read.