Event Transcript Library

Rebounding from Ransomware: An Expert Guide

In this timely Coffee Talk, ransomware expert Allan Liska breaks down what IT pros need to do after a ransomware attack ends, from leveraging post-crisis budgets to strengthening security for the long run.

Transcript

Hi, everyone. Welcome to the latest installment of our editorial webinar series, Coffee Talk. Each hour-long, information-packed episode organized by the team at Redmond magazine features insights from independent experts on a wide range of tech industry topics.

Many thanks to our underwriting sponsor, Quest Software, protecting and empowering users and data, streamlining IT operations, and hardening cybersecurity from the inside out since 1987. Without their support, this series would not be possible.

Thanks to you for joining us. I'm John K. Waters, Editor in Chief of the Converge360 Group at 1105 Media, and I'll be your moderator. The topic of today's talk is "Rebounding from Ransomware: An Expert Guide." Our lead presenter is Allan Liska, intelligence analyst and solutions architect at Recorded Future.

Before we get started, a bit of housekeeping: This episode is being recorded for later access. Look out for an email with a link to the recording in the next few days. We'll have time for questions, so please type them into the Q&A box at any time. Our sponsor has provided additional resources available now on your console, and as a thank-you to the first 200 attendees who stay until the end, we will send a $5 Starbucks gift card.

Now, I'd like to introduce our presenter. Allan Liska has worked on both blue and red teams in the intelligence community and the private sector for over two decades. He's seen firsthand the damage ransomware attacks can cause and understands how threat actors operate and communicate. A frequent guest on PBS, CNN, and other outlets, Allan is known as the "ransomware sommelier." You're in for an insightful session. Allan, please take it away.

Allan Liska's Presentation

Thanks, John. It's always great presenting with you, and thanks to everyone for attending today.

As John mentioned, I'm Allan Liska, a ransomware researcher at Recorded Future and author of Ransomware: Understand, Prevent, Recover and the Yours Truly, Johnny Dollar ransomware comic book series, which is available in the RSA bookstore if you're attending RSA this week.

Today, we'll discuss what happens after a ransomware attack ends. You've just experienced what's likely the worst event of your professional career. The network is rebuilt, the incident response team and your insurance-provided coach have left, and your business is mostly back to normal. So, what's next?

This moment feels like the Jackson Browne song "The Load-Out/Stay." Your team has been running nonstop for weeks or months, rebuilding and restoring operations, and then it suddenly stops. The adrenaline drains, and you face the letdown.

First, check on your mental health and your team's. It's not healthy to operate on adrenaline for extended periods, and many teams face attrition after ransomware attacks. Reports suggest 67% of security professionals leave their organizations after a ransomware incident, and you want to retain your experienced team. Addressing mental health is critical in cybersecurity, especially post-incident.

You'll need to brief leaders internally and, depending on your industry and critical infrastructure status, externally as well. This is where your legal team becomes your ally, preparing you for what to say and helping you navigate regulatory or congressional briefings.

Stay in touch with everyone involved: your incident response team, breach coach, legal counsel, negotiators, and law enforcement. Law enforcement updates can provide decryption keys when ransomware infrastructure is disrupted, allowing recovery of previously unrecoverable data.

Monitor the ransomware group that attacked you. Ransomware actors often hold grudges, release stolen data, or mock victims regardless of ransom payment. Keep an eye on where your data is resurfacing. Consider working with third-party services to monitor for leaked data, as stolen data can reappear 6–12 months later.

After an attack, your security budget often opens up. This is your chance to "$6 Million Man" your security—make it better, stronger, faster. But have a plan. You may have fewer personnel, so improvements must be timely and strategic. Review reports from your incident response and insurance teams, identify weaknesses, and prioritize what to address first.

Have a prepared plan ready for leadership when budget approval is granted. Think about capabilities that could have prevented the attack and prioritize sustainable, impactful improvements with manageable ongoing costs.

Avoid overreliance on outside consultants, as they can consume your budget and may not know your environment as well as you do. Lead the planning, using consultants as supplementary resources when needed.

Test your assumptions with tabletop exercises, engaging the entire organization, including senior leadership, while ransomware response is still top of mind. This builds trust, identifies unforeseen challenges, and ensures new plans are effective.

Maintain momentum with a prioritized, actionable list. Share progress with stakeholders to demonstrate the security team's value. Consider a monthly newsletter for leadership outlining updates and initiatives, keeping security in view and reinforcing cultural improvements across the organization.

Recognize that you may not resolve all security debt quickly. Focus on high-impact, demonstrable improvements, and communicate your security story effectively to gain continued buy-in.

A ransomware attack can be a catalyst for improving your organization's security culture and integration with business operations. Take this opportunity to build trust, implement meaningful changes, and become a core part of the organization's daily practices—not just the team people call when they receive a suspicious email.

Don't let this chance pass. Use it to make a lasting, positive impact on your organization's security posture.

[Audience Q&A follows; listen to it here.]
