Ransomware remains an evolving threat, and being prepared with a solid incident response (IR) plan is crucial for any organization, especially financial institutions. When ransomware strikes, the clock starts ticking, and every minute counts. One of the most critical aspects of a successful response is ensuring that communication channels are clear and all necessary parties are informed.
The Importance of Incident Response Communication
In a recent ransomware notification scenario, our regional DHS office closed the case, noting that it fell under federal agency jurisdiction. This highlights a common challenge: knowing which agencies are responsible for different aspects of cyber incidents. If you are not prepared, the time lost in sorting out these details can be detrimental to mitigating the threat. Therefore, one of the most important elements of a response plan is knowing which entities to contact and having those relationships established ahead of time.
Here are a few steps to ensure effective communication and a well-coordinated response:
Establish Communication Protocols
Define a clear communication strategy internally and externally. Ensure that your incident response team knows who to contact and when. Identify key stakeholders—both inside and outside your organization—that need to be alerted when ransomware is detected.
Involve Local and Federal Authorities Early
In many ransomware incidents, contacting local FBI offices is critical. They are often the first point of contact for cyber-related crimes and can guide you through immediate steps. Additionally, resources such as the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) may come into play. However, knowing the specific jurisdiction of each agency can save valuable time. For example, regional DHS offices might escalate certain cases to federal agencies, as we experienced. Be prepared for these nuances in jurisdiction.
Partner with Cyber Insurers
Cyber insurers can provide immediate advice, but they may not always be in sync with federal or local authorities. They often have their own incident response protocols, which may differ from law enforcement or government agency processes. Understanding these differences in advance can prevent confusion and delays.
Leverage Local Resources
Establish contact with local cybersecurity organizations and law enforcement. The National Cyber-Forensics & Training Alliance (NCFTA) and platforms like nomoreransom.org can provide tools to help decrypt files or recover data without paying the ransom. Involving local resources early can help you avoid gaps in communication and response.
Monitor Vendor Advisories
Credit unions, in particular, should keep an eye on cybersecurity advisories from their CORE vendors. These vendors often release crucial information on ransomware threats targeting financial institutions. Being part of information-sharing groups like the National Credit Union Information Sharing & Analysis Organization (NCU-ISAO) can ensure that you are always updated on the latest threats and solutions.
Utilize Information Sharing Groups
One of the best proactive measures is joining groups such as the NCU-ISAO or broader ones like the National Council of ISACs (Information Sharing & Analysis Centers). These organizations provide early warnings, best practices, and information on emerging threats. They also serve as conduits to law enforcement and federal agencies, helping to ensure that your response is swift and well-informed.
Conclusion
A well-coordinated ransomware response hinges on your communication strategy. Knowing who to contact, understanding which agencies are responsible, and leveraging local resources can prevent missteps. For credit unions, staying plugged into advisories from CORE vendors and participating in information-sharing groups like the NCU-ISAO can ensure that you are always prepared when ransomware strikes. Time is of the essence during a ransomware attack, and having a clear, predefined response plan can make all the difference in protecting your organization’s data and reputation.
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g., information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.