The first question executives usually ask immediately following a ransomware incident is, "How long is it going to take us to get back up and running?"
Out of fear or inexperience, some people set poor expectations with leadership, leading them to believe they will be back up and running within 24-48 hours. Unfortunately, that is often not the case.
One item that often catches internal teams off-guard is the decryption key. Some gotchas:
1. Negotiations take time for several reasons (haggling, threat actor response time, legal due diligence before payment can be made, proof of their claims, etc.). Expect this to take several days on average.
2. Once a decryption key is obtained, the systems will not be usable immediately. A decryption process will have to be designed that decrypts each system as quickly as possible while remaining secure enough not to put the environment at risk. Decryption can take days, weeks, or even over a month depending on the amount of data, data transfer speeds, decryptor efficiency, etc.
3. You may need additional storage. Before systems can be decrypted, you will need a copy of all of the encrypted systems. This can require a very large amount of storage. Obtaining that much storage on short notice can be extremely difficult and may take a lot of time. Renting instead of buying may help with your insurance claim. Making a backup of all systems can take several days or more as well.
4. Without a backup, if something goes wrong with the decryption, you may lose any chance of ever getting your data back because of corruption.
5. Decryptors are not marvels of software engineering and may not work. You may have to work with the threat actor, if they are agreeable, to troubleshoot the issue and get a working decryptor, if they can even provide one.
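Points 3 through 5 describe one procedure: copy the encrypted data aside before touching it, run the decryptor on copies only, and keep the encrypted copy whenever the decryptor fails or produces corrupt output. The harness below is an added example written for this post; it is not MOXFIVE tooling and not any real decryptor. The `.locked` suffix, the XOR "cipher", the `DOC1` header used as an integrity check, and the decryptor that crashes on larger files are all constructed so the scenario runs offline.

```python
"""
Staged ransomware decryption harness (added example, not MOXFIVE's tooling).

Workflow modelled on the points above:
  1. copy every encrypted file to a read-only backup and record its SHA-256
  2. run the untrusted, possibly buggy decryptor on a working copy only
  3. accept an output only if it passes an integrity check; otherwise keep the
     encrypted copy so nothing is lost if the decryptor corrupts or crashes
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

ENCRYPTED_SUFFIX = ".locked"   # assumed suffix for this example; real families vary


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(src_dir: Path, backup_dir: Path) -> Dict[str, str]:
    """Copy every encrypted file aside and return {relative path: sha256}."""
    manifest: Dict[str, str] = {}
    for p in src_dir.rglob("*" + ENCRYPTED_SUFFIX):
        rel = p.relative_to(src_dir)
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        manifest[str(rel)] = sha256_file(dest)
        os.chmod(dest, 0o444)   # read-only: the backup is never modified
    return manifest


def verify_backup(backup_dir: Path, manifest: Dict[str, str]) -> bool:
    """Re-hash the backup so we know the encrypted originals are still intact."""
    return all(sha256_file(backup_dir / rel) == digest for rel, digest in manifest.items())


def staged_decrypt(src_dir: Path, backup_dir: Path, out_dir: Path,
                   decryptor: Callable[[bytes], bytes],
                   is_valid: Callable[[bytes], bool]) -> dict:
    """Back up, then decrypt into a separate output tree; never overwrite inputs."""
    manifest = backup_encrypted(src_dir, backup_dir)
    result: dict = {"ok": [], "failed": [], "backup_intact": False}
    for rel in manifest:
        plain_rel = rel[: -len(ENCRYPTED_SUFFIX)]
        out = out_dir / plain_rel
        out.parent.mkdir(parents=True, exist_ok=True)
        try:
            data = decryptor((src_dir / rel).read_bytes())
            if not is_valid(data):
                raise ValueError("output failed integrity check")
            out.write_bytes(data)
            result["ok"].append(plain_rel)
        except Exception as exc:   # a crashing decryptor must not abort the run
            result["failed"].append((plain_rel, str(exc)))
            if out.exists():
                out.unlink()       # do not leave half-written plaintext behind
    result["backup_intact"] = verify_backup(backup_dir, manifest)
    return result


def toy_xor(data: bytes) -> bytes:
    """Constructed stand-in for the ransomware cipher; XOR is its own inverse."""
    return bytes(b ^ 0x5A for b in data)


def run_demo() -> dict:
    """Constructed scenario: two encrypted files, one too large for a flaky decryptor."""
    root = Path(tempfile.mkdtemp())
    src, backup, out = root / "victim", root / "backup", root / "recovered"
    for d in (src, backup, out):
        d.mkdir()
    (src / "a.txt.locked").write_bytes(toy_xor(b"DOC1 short"))
    (src / "big.bin.locked").write_bytes(toy_xor(b"DOC1" + b"x" * 40))

    def flaky_decryptor(blob: bytes) -> bytes:
        if len(blob) > 16:                      # simulated decryptor bug
            raise RuntimeError("decryptor crashed")
        return toy_xor(blob)

    return staged_decrypt(src, backup, out, flaky_decryptor,
                          lambda d: d.startswith(b"DOC1"))


if __name__ == "__main__":
    print(run_demo())
```

In the demo the small file recovers, the large one is recorded as failed with the decryptor's error, and `backup_intact` stays true, which is the state you want before going back to the threat actor for a fixed decryptor: nothing has been lost.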
Setting poor expectations can cause a cascade of bigger problems and quickly raise the temperature even more, hindering the entire remainder of the recovery. We use many proactive optimization strategies to decrease these risks as much as possible. The sooner we can be tagged in to assist, the more time we can save, and the more landmines we can help organizations avoid, either technical ones or unintended consequences that will impact any cyber claims.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.