4 Personalities that will destroy a Ransomware Recovery Operation
Ransomware attacks are increasing again, and this time hackers are targeting small and mid-size firms.
Most small business executives are not ready to be the victim of an attack, and the lack of preparedness often causes them to fall victim to one of 4 Personalities of Doom, all of which make the situation worse.
Before we talk about the 4 Personalities of Doom, let's address a few other realities.
There are 17.5 million businesses in the US with 1 or more employees that are not part of the Fortune 2000.
2021 had the most reported ransomware events in history. There were approximately 1500 events reported to the FBI.
Based on history, the probability of being hit with ransomware is extremely low. Even if attacks were to increase 100-fold to 150,000 reported attacks (that is 3,000 attacks per US state), there is still only a 1% chance of becoming a victim.
However, not all news is good. Many small business victims can't/don't/will not recover.
Most organizations are critically under-prepared due to a lack of investment in cybersecurity.
The average downtime from a ransomware attack for a small business is 30-60 days.
The hackers may not sell your data, but they are definitely selling the information on how they hacked into your network to other groups.
The cost of recovering from an attack is pushing beyond $2 million, and even with insurance coverage, many victims run short on coverage thereby requiring the use of corporate or personal funds to recover.
With the sudden pressure to lead an organization through a recovery, the lack of training, and the lack of preparedness, it is easy to understand how (and why!) executive leaders fall for one of the Personalities of Doom. So, let's talk about these personalities:
Chicken Little
Rambo
Ostrich
Hercules

Chicken Little is the person who is all doom & gloom. They run around telling everyone why it happened, how impossible it is to recover, and how anything you try to do will fail, and they cannot or will not put their emotions in check to be productive. They will suggest that paying the ransom is a waste because the hackers will "take the money and run" (this is a great trope for movies but as a whole, hackers send the decryption keys), that cloud solutions are not viable, that you will never get equipment in time to restore. Making it worse, this person is often one of the smartest technical people in the company, carrying a lot of technical credibility with them, which makes it easy for others to buy into their rationale.

Rambo is the opposite extreme to Chicken Little. Like Chicken Little, they often have technical credibility, BUT they believe they are Rambo and can fix the problem and "save the day". They talk about "tracing IPs" and "hacking back" (pro tip: Don't hack back and don't authorize hacking back unless you are ready to go to jail. It is a federal offense in the United States [Computer Fraud & Abuse Act - Title 18 US Code 1030] to hack another computer without consent. Your day will get significantly worse when the FBI shows up to arrest you and not help you clean up the mess.). Making it worse, Rambo often does not know how to properly collect information in a forensically sound manner and instead destroys whatever shred of evidence they find. Additionally, with Rambo copying, pasting, and deleting, they destroy the crime scene (because when your organization is a victim of an attack, that is what it becomes, a crime scene), leaving only evidence of them, Rambo, at the scene.

Ostrich is the interesting one. Many times, this person is the business owner, CEO, President, or CFO - someone responsible for financial decisions within the organization. The person is in shock that the organization was hit. The Ostrich doesn't want to listen to outside counsel or experts. They wrongfully believe that this problem will go away (it doesn't). They don't want to admit that the stolen data is worth anything or that the problem is as big as it is.

And finally, we have Hercules. Hercules is often a CIO, CISO, CFO with technical oversight, a familiar IT consultant, or even an MSP. These people feel bad that the organization was hit with ransomware, sometimes even blaming themselves (FYI, it is RARELY their fault). The problem with Hercules is that they set tasks that are, quite frankly, impossible to complete. Hercules makes promises they can't keep. In an attempt to minimize anger and emotions, they downplay the severity of the situation and discount the steps required within the process of ransomware recovery. They talk about speedy recovery times ("we can have this back up tomorrow" or "next week", etc.) without really understanding what it will take. Hercules underestimates the interest of outside parties (your MSP or IT consulting team only has so many people; if they aren't available, your organization will have to wait its turn in line), doesn't understand supply chain issues (Amazon, CDW, Connection don't care that you're down; if you order a computer or switch from them, it will arrive on their schedule, not yours), and forgets that it takes time to move money from one account to another. The frustrating thing with Hercules is that the less they consider the reality of the situation in hopes of making people happy, the more they miss deadlines, thereby making people more upset.
NOTE: Amazon, CDW, and Connection have chosen not to partner with Arcas Risk Management. If you want to retain our services, please visit our Partner page to find a qualified Partner.
Ransomware is a parasite on business, and while we need to find ways to eradicate it, for now we are stuck with the risk of being victims. If you do become a victim, look for these personalities to avoid making a bad situation worse.
If you're an executive at an organization dealing with data loss, data theft, or ransomware, keep your emotions in check and look to remove these personalities from the situation so that you can make reasonable decisions and move efficiently in the remediation process.