Say No to Ransomware — Have a Plan!

This post was originally informed by a TLP: AMBER FB-ISAO Weekly Cybersecurity Report, distributed on 10 July 2019.

By David Pounder and Brett Zupan

Over the past several weeks, ransomware has been a widespread topic. However, on 02 July there was a bit of good news for a change. St John Ambulance, a “not-for-profit provider of specialist patient transport services across England” advised customers they were “subjected to a ransomware attack.” Fortunately, having a plan in place allowed St John Ambulance to resolve the issue within 30 minutes without paying any ransom demands. While the company was “temporarily blocked from accessing the system affected and the data customers gave [them] when booking a training course was locked” there did not appear to be any information shared or exposed. Even though the UK-based company did not have to report the incident, they still performed due diligence by advising the Information Commissioner’s Office (ICO) and the Charity Commission, as well as the police in accordance with their established procedures. These notifications and the speed in which they were delivered is another indicator of strong preparedness processes in place.

This recent report is another encouragement for non-profit organizations, especially on the heels of news about Father Bill’s and MainSpring, a Massachusetts-based non-profit homeless shelter, successfully blocking a ransomware attempt. These incidents demonstrate how, with advance planning and preparedness, organizations can recover from ransomware without having to pay costly fees to malicious actors or suffer further financial impacts. However, it is still important to note that an incident did occur; the attack was successful in that it locked out an aspect of the organization’s business and delivered the ransom demands. The difference is, as security researcher Graham Cluley noted, St John was “able to put in place emergency recovery plans to restore from unaffected backup systems. That’s in marked contrast to ransomware attacks that have hit American cities in recent weeks — which have resulted in extortionists being paid over a million dollars.” St John Ambulance’s recovery and response plan worked. But a plan on paper needs to be validated through exercises and testing in order to ensure gaps and vulnerabilities in the plan are addressed prior to implementation. In contrast, the city of Baltimore, which is still battling the effects of their ransomware attack, also opted not to pay the demands but ran into recovery challenges with an untested plan, and the financial impact has already exceeded $18 million.

There is a lot of no-cost government and third-party guidance to help inform faith-based organizations, charities, and other non-profits what to put into a ransomware recovery plan. In general, adhering to good cyber discipline goes a long way to reducing or mitigating threats posed by ransomware. Some other key principles include FBI recommendations:

  • Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.” This is extremely important to ensure that not only are the backups conducted, but that there are no bumps in the road when you attempt to restore them.
  • Conduct an annual penetration test and vulnerability assessment.”
  • Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization.” With regards to backing up data — one suggestion would be to use the “3–2–1 backup process” — 3 backups, 2 different mediums, 1 offsite.

If impacted by ransomware, the ultimate question is: do we pay the ransom? In FBI guidance, the U.S. Government “does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

  • “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
  • “Some victims who paid the demand were targeted again by cyber actors.
  • “After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
  • “Paying could inadvertently encourage this criminal business model.”

Ultimately, in the event of a ransomware attack, all organizations need to have a list of pre-determined responses. This list should be established by leaders before, not during, an attack.

  • Understand the situation. What is the extent of the infection? What data is being ransomed? What decision points determine whether to pay or not to pay?
  • Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.
  • Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
  • Contact law enforcement immediately. Victims of ransomware should report it immediately to CISA at, a local FBI Field Office, or Secret Service Field Office.
  • If available, collect and secure partial portions of the ransomed data that might exist.
  • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
  • Delete Registry values and files to stop the program from loading.


David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues. Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations. He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA. Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.

Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

The Faith Based Information Sharing and Analysis Organization (FB-ISAO)