5 Ransomware Mistakes
Common Errors in Ransomware Training Sessions
By Tom Marsland, VP of Technology
Underskilled security teams are more vulnerable to breaches, and learning solely at academic institutions or through traditional certification programs can leave a large gap in cyber preparedness. People are only as good as their experience, and providing simulation-based cyber range exercises is one of the best things companies can do to prepare.
Cyber range training programs with live-fire cyber attack simulations help practitioners and security teams develop skills and test ability. The safe, controlled environments, real security tools, and real-world scenarios allow security teams to prepare against a variety of tactics and attacks and give each team member the experience they need to grow as professionals throughout the Cyber Learner Lifecycle.
Ransomware incidents have unique characteristics and challenges, and teams coming into cyber ranges for attack simulation exercises do make mistakes while practicing their response from time to time. At Cloud Range, we have hosted hundreds of ransomware training sessions and have compiled a list of the most common mistakes made by incident responders.
1. Lack of Preparation
Ransomware attacks are, let’s face it, the latest buzzword out there today. There’s a reason for that – they are increasingly prevalent and the effects can be far-reaching. Having a well-prepared incident response plan that includes specific procedures for ransomware incidents is crucial. Without this, response teams may struggle to react effectively.
We still onboard new teams every month that either have no dedicated incident response plan or have one without enough detail to be effective. The response plan should be kept as a printed document and contain enough information to be self-contained. Too often the plan requires responders to look up items on the network, such as the phone number for an incident response retainer. In a ransomware attack, those resources may not be accessible.
2. Slow Detection and Response
Ransomware attacks often require a much more rapid response than other kinds of attack, because speed is what prevents the encryption of critical systems and data. Slow response can happen for various reasons: teams have not practiced incident response enough to work quickly and collaboratively, do not have a pre-planned response playbook, and/or don’t understand how fast they can lose access to their network in a ransomware attack. Delayed detection and response can result in more extensive encryption of data and potentially higher ransom demands.
3. Inadequate Communication
A common error is failing to communicate effectively, both internally as the plan is executed and with external stakeholders. This can include not communicating quickly enough with CISOs, executives, and the legal team – or even not properly notifying law enforcement, regulators, and affected individuals. Many times, there are laws governing such notifications, and they must be followed or the organization risks both legal and reputational consequences.
4. Incomplete Understanding and Prematurely Closing Incidents
It’s crucial for the incident response team to understand the specific ransomware utilized and its capabilities to make informed decisions during the incident. Too often, teams think they’ve eliminated all traces of the attacker from the network and proceed with restoring system functionality from backup, only to have their backup data encrypted when it is connected to the network as well. Teams must have a clear understanding of the tactics, techniques, and procedures (TTPs) used by the group attacking them so they can be sure the threat activity has been eradicated.
5. Neglecting Continuous Learning and Improvement
Ransomware attacks are continually evolving – and incident response teams must continuously be adapting their strategies and tactics. Neglecting to learn from previous incidents or stay abreast of what’s happening in the industry can leave an organization vulnerable to future attacks.
While many of the common mistakes made by incident response teams apply to various incidents, the speed of ransomware attacks – including how fast you can lose data or be completely locked out of your systems – can make poor or slow response more potentially damaging. Therefore, it’s essential to regularly practice incident response to different attacks in live-fire simulations, and to tailor incident response plans and procedures to address the specific challenges posed by ransomware attacks.
Cloud Range’s comprehensive ransomware preparation program, Path to Ransomware, helps SOC and CSIRT teams understand and prepare for the various aspects and challenges associated with ransomware attacks.
Learn more about Cloud Range’s live-fire cyber attack simulation program for cyber teams.