#ISC2CONGRESS - Lessons Learned from the Baltimore Ransomware Attack
Martin R. Okumu lived through the ransomware attack on the City of Baltimore in 2018, which affected 90% of the municipality’s applications. As the then-director of IT infrastructure for the city, he learned a lot of valuable lessons about defending against and recovering from a ransomware attack.
On Tuesday afternoon, he shared those lessons with (ISC)² Security Congress 2021 attendees during a virtual session. He is now the Chief Information Officer for the City and County of San Francisco.
In many ways, Okumu said, Baltimore was not prepared for the attack. The city had no cyber incident response team (CIRT), no well-defined plan for activating an incident response, and no procedure for handling communication and escalation.
These are elements that organizations need in order to fend off a ransomware attack. “If you have these things in place and outline these procedures, you are in better shape than we were,” he said.
The city descended into chaos and confusion in the attack’s aftermath because of the lack of clearly defined procedures and roles, Okumu said. The only saving grace was that the city had invested in both on-premises and cloud backups. Even so, recovering from the attack cost U.S. $18 million after Baltimore refused to pay a ransom demand of between 1 and 5 bitcoins, Okumu said.
The Attack
The attack was first discovered in the early morning of May 19, 2018. It had started sometime between 4 a.m. and 7 a.m., Okumu said. When trying to log on to their computers, users were getting a message saying the systems had been encrypted with Ransom.Robinhood ransomware. The perpetrators, he said, “want you to know what has happened. They don’t hide.”
The city did not respond to the attackers, who in subsequent days made further extortion attempts, even offering to unlock one machine to prove they could do it, Okumu said. Their messages to the city grew more aggressive over time, and they eventually set a final deadline of June 7 for a response. Rather than respond, the city proceeded with its recovery process, which took months.
Be Prepared
To prepare for ransomware attacks, Okumu stressed the importance of an incident response plan (IRP) that addresses both the technology and business sides of recovery. On the technology side, it’s important to know your environment, establish a communication and escalation procedure, and have a methodical process for activating the plan.
On the business side, the plan should include a communication plan for the CISO, CIO and company executives, as well as a risk management component that includes cyber insurance. It is also wise to have a ransomware expert on retainer, so you’re not scrambling to find one in the aftermath of an incident, and to set up a bitcoin account in case you decide to pay the ransom.
Backup Strategy
Having a backup strategy is also critical. “This is the reason we were able to recover,” Okumu said. “Make sure your organization has a solid backup plan. This is the number one area where businesses for one reason or another do not want to spend money. I don’t understand why.”
Data backup is only one of many steps organizations should take to protect against ransomware. Okumu walked through a series of other steps, including incident assessment and the creation of a CIRT. To ensure CIRT success, he said it’s critical to have an executive sponsor on the team and a clear mission statement.
Other steps include figuring out how to communicate internally during an incident, as well as with outside entities such as the FBI, Homeland Security and CISA, local law enforcement and regulatory agencies.
It’s important to treat an incident as a crime scene by taking measures such as creating a record of critical facts about the incident and capturing images of affected computers. Okumu also recommended having a digital forensics specialist, either in-house or through an outsourcing arrangement.
If there is a need to engage outsiders, he cautioned against third parties that promise to solve the problem but whose main goal is to capitalize on the situation. Organizations should have a short list of parties to contact, such as insurance carriers, outside legal counsel, forensic investigators, regulators, crisis communication managers and “responsive vendors.”
(ISC)² Security Congress 2021 continues Wednesday, October 20 with opening keynotes beginning at 8:00 a.m. ET.