Industry insights

The ransomware paper (part 2): Real-life scenarios and lessons learned

Keatron Evans
December 6, 2021 by
Keatron Evans

Now that we’ve addressed the basics of what ransomware is and how it works, let’s focus on how the media talks about ransomware — and what they don’t talk about very often but should.

First, I want to dig into and quantify a point I made in the last paragraph of part one of this series: Ransomware is something that happens after you have already been compromised. The way most ransomware stories are reported makes it appear that organizations are actually being breached by ransomware, but that’s not how ransomware works.


An analogy: Smash-and-grab attacks


Let’s use the analogy of thieves who use a smash-and-grab approach to stealing items from cars. I bring this up because I’ve seen it on the news a lot, and it tends to pick up around Christmas since people have gifts in their cars while shopping and traveling. Thieves quickly break windows in victims’ cars and pillage anything they can from inside: gifts, money or loose change, keys and anything that may be left inside the vehicle.

Now, imagine someone engineered a way that allowed the smash-and-grab thieves the ability to lock your car engine, so it’s impossible to start without having a specific, very long code to unlock the engine. This is basically how ransomware operators take over and “lock” your computers, networks and files.


Download Keatron's free paper, "The ransomware paper: Real-life insights and predictions from the trenches."


Get Your Copy


Smash and grab has always been a thing; it’s the concept of then locking your car engine that is the new procedure or technique. Likewise, breaking into your systems and networks has always been a thing; it’s the locking of your files and data using specific techniques that make it a new “action on objective.” (Refer to the MITRE ATT&CK® framework to see all the steps an attacker has to successfully perform to get far enough into your environment to deploy ransomware.)

As a side note, I can confidently say that as an owner of a very smart car, electronically locking your car and demanding a ransom to unlock it isn’t too far out in the future. Remember you heard it here first! I’ll dig more into this in part three, where I talk about the future of ransomware.

Now let’s get right into the hidden issues that never come out in the media.


Ransomware is partly a cultural problem


While the concept of breaking into an organization is not new, the ransomware action in the environment as it’s usually performed is something that many IT and cybersecurity people are simply not comfortable dealing with.

Let me describe some of the things I’ve encountered. I’ve seen CIOs, executives and others hear about some company paying a $40 million ransomware payout. They are alarmed, so they go to their IT leadership or cybersecurity leadership and ask, “Are we covered on this?” IT and cyber leadership say, “Yes, we’ve got it covered,” even if it’s not really covered.

This is a problem in our industry. It’s part of the industry culture. I have some pretty unique views and insights on this because I spend about half my time educating these people and the other half performing consulting for these same people. As an industry, we have issues acknowledging we “don't have it covered” or that we don’t understand something. Most CIOs and other executive leadership find out their IT and security organizations aren’t prepared for ransomware after a successful attack, and they are paying a huge ransom.

I want to be 100% clear that I’m NOT saying that IT and security professionals are willfully and intentionally lying to leadership. Part of the culture is we really do think we know “everything” about IT or security.

I‘m not excluding myself from this circle; I’m definitely in it as well! However, I’ve probably been more tempered than most, as I encounter anywhere between 500 and 700 professionals per year in a five-day training situation. And sometimes, I have students who have far more experience than I have and know much more about the topic than I do. These experiences and interactions keep me perpetually “reality checked.”

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

If you’re in a company and you’ve been the most knowledgeable asset for a few years, that complex of not wanting to be wrong creeps in. This leads to a lot of situations where we’re not always prepared for these ransomware attacks. The remediation that’s needed falls into three groups: end-users, executives and IT and security staff.

  • For the end-users, it’s a relatively simple update. Make sure your current end-user security awareness training includes some awareness concerning ransomware.
  • For executives, it is a little more effort. They will be more in tune with the huge financial losses associated with the attacks and will therefore need to be re-introduced to the associated risks. This will help them understand what is being asked regarding training refreshes and updates for end-users and IT/Security staff.
  • For IT and technical staff, they have to reskill or upskill. This group needs extensive training and awareness on ransomware remediation. This is much more in-depth and technical training than general ransomware awareness.

Let me give you two recent examples concerning cases I worked on.


Ransomware case 1: Underprepared


In this case, the organization was hit with ransomware. After a, shall we say, “lively” discussion between the risk management, security, legal and PR teams, it was decided that they would simply pay the ransom. After making this decision, they went ahead with the process.

It took them much longer than expected to get an account set up to pay the large ransom. The organization had no idea what the setup process was, and initially tried to set up an account through Coinbase instead of following the instructions sent by the ransomware operators.

They were two days into trying to get this done when I was contacted for the first time. By the time they got set up and could make the payment, nearly three days had passed. A big part of the decision to pay the ransom was to get everything restored as quickly as possible. The amount of money they told me they were losing per minute due to things being encrypted was the most I'd ever heard of in these cases. I was legitimately shocked.

Here’s what made this a very interesting case for me to include in this article: the time to do a full restore from backup to recover the segment of the environment affected by the ransomware would have taken about 17 hours. However, their response of paying the ransom took more than three days. Yes, this means that their decision to pay the ransom was actually more costly in downtime loss than if they had chosen not to pay the ransom at all and just restored from backup.

This is a classic example of why you must have a plan to properly respond to ransomware — even if you already have an incident response plan and even if you decide to pay the ransom. It’s not as simple as placing an order on Amazon when paying out a $3 million ransom demand. And if you don’t plan it out and go through the process as a matter of practice and preparation, you may not produce the outcome you and your executives were hoping for.


Ransomware case 2: Overconfident


In a separate incident, a much larger organization decided that they were not going to pay. This decision was partly based on the incident response. Cybersecurity engineering teams had made it clear to cybersecurity and IT leadership that they were ready and capable of handling any ransomware attack that might come about.

They gave very specific numbers and time frames on how quickly they could restore things from backup and become fully operational again if ransomware were to hit. They had even practiced restoring some of their test data from backup. Still, they didn't practice restoring actual production data, getting that data back in use in production, and restoring the services affected by the ransomware.

This was a case where management became alarmed when they started to hear about the high-dollar ransom paid, approached their team and said, “Are we prepared to deal with this?” and the team responded with an overconfident yes.

Again, I want to point out this was NOT deception. It was a case of thinking they were more prepared than they were. Let me give a parallel example. A few years ago, I went back into serious martial arts training after a five-year hiatus. I thought I still had all the same capabilities I had before. One match was enough to let me know I indeed did not have those same capabilities.

But back to the ransomware: the result was that the restore was very messy, it took a much longer time to restore than initially reported and some of the data was never restored or recovered. Another factor was that the IR team was unaware of some of the newer procedures carried out by some ransomware operators.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.


Key ransomware response takeaways


These cases would have had much better outcomes if both teams had properly prepared at the policy and technical levels for each possibility.

If you're a traditional incident response team or cybersecurity team, and you've never dealt with a ransomware case, you likely need some additional education, awareness and structured walkthrough practice.

Many technologies such as cloud services can ease some of the pains of things like restoring from backup. But if you never exercise those specific cyber muscles, they atrophy and get weak like our real muscles. From what I have seen, the biggest gap in the ransomware response is at the operational response level.

Next, read the final part of this series, where we’ll explore the future of ransomware.

Keatron Evans
Keatron Evans

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is VP of Portfolio and Product Strategy at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more.

Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LTP). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.