Skip to content

Cyber Ransom Procedures: An Essential Guide

Understanding Cyber Ransom Procedures

understanding cyber randsom procedures
  • Url copied to clipboard.

By Resilience Specialist, Amelia Fahey

Cyber security should be an essential priority for all organisations globally. Irrespective of industry, access to technology and the internet opens us up to the ever-evolving digital threat landscape.

But despite our best efforts to protect and prevent, there is still the possibility that you may be a potential victim of a cyber ransom attack.

Therefore, to remain resilient, organisations need to consider, develop and embed an additional step in their cyber response plan; comprehensive cyber ransom procedures.

Prior to an incident, it’s important to understand and agree on strategic objectives and financial thresholds at a senior executive and board level. This can save valuable time and ensure logical and organisational-aligned decisions can be made quickly and easily under pressure.

Mapping this out now as a key response strategy means that people are more confident in how to react to a ransom attack.

Resilience Manager, Harrison Orr touched on the importance of organisations acting now and being prepared for potential cyber attacks in the lead up to Christmas in his latest video, found here.

A ransom may be in response to any type of actual or potential cyber-attack or IT security incident. The purpose of the procedure is to provide time critical guidance to members of a Cyber Incident Response Team or Crisis Management Team. It guides them on how to:

  • facilitate collection of relevant information on the nature and extent of the attack,
  • assess the implications of the attack on the organisation, and,
  • provide a framework for deciding how to respond to the ransom demand/s.

Understanding a cyber ransom demand

Whilst refusing to pay a ransom demand is the preferred approach, and should always be the organisation’s default position, the decision on whether to pay or not is no longer a clear-cut one.

Legal implications of paying a criminal, reputational impact, and confidentiality issues provide difficult criteria on whether to pay. Often, the cost of not paying is greater than making payment.

You don’t need to be an expert to know cyber-criminals may have breached your system, but you do need timely and concisely documented procedural expertise to know how to respond and what that response means for your organisation.

In the third instalment of RiskLogic’s latest Cyber Series, Nick Abrahams, the Global Leader of Technology & Innovation for Norton Rose Fulbright, talks of a case study of a CEO who refused to take responsibility for a response.

“An organisation worth probably north of a couple of hundred million dollars, so decent size organisation, got hit with a ransom attack” says Abrahams. “And quite clearly the CEO had never conceived this could be a problem because, in his words, “the IT guys got it wrong”.

It was an extraordinary case study of response and reaction from a leader. He said to me, “It’s so unfair that this should happen to us”. It seemed such a bizarre thing for a leader to say in such a crisis. It’s a clear example of an organisation who was at the very basic level of cyber response.

Nick’s case study here shows clear evidence that even large organisations still don’t have strong response procedures in place.

Cyber ransom demand considerations

Ransomware attacks are the most common form of ransom demand; however, a ransom may result from any form of cyber-attack or IT security breach. (I.e., a DDoS attack, theft of confidential data, etc).

Care should be taken to avoid confusing a ransomware attack with a cyber ransom demand.

With ransom demands, payment is usually made via Bitcoin using a link provided in the ransom message. There may be limited opportunity to negotiate with the perpetrators. However, if you do, this should be done through external specialist IT security providers and involve your legal and insurance stakeholders.

For ransomware attacks, perpetrators will usually need to demonstrate through a ‘proof of life’ style process that they can decrypt files before payment.

Remember, a ransom demand may be received in a variety of ways including e-mail, website contact form, text message, social media post or note left within a system file. It’s important to always remain vigilant and trust nothing.

As you move into shutting down over the holiday season, now is the time to ask what your procedures are. When were they last validated? Does everyone know the plan? The December period sees one of the largest spikes in attacks, don’t get caught out.

To learn more about how RiskLogic can help with your cyber resilience, click here.

The Resilience Digest