What are alternative methods for sending essential communications if our domain is down due to a ransomware attack?

Key findings

• Emergency channels: For truly essential communications, an out-of-band (OOB) communication system, completely separate from the compromised network, is crucial. This ensures coordination even when primary systems are down.
• ESP reliance: If an organization uses an external Email Service Provider (ESP), campaigns might still be launched from non-company machines. This assumes access to the ESP is not reliant on compromised local infrastructure (e.g., single sign-on).
• Domain reputation risk: Using a free or generic ESP domain as a quick backup can severely impact deliverability. Such domains lack established reputation with recipient servers, often leading to emails being blacklisted or sent to spam folders. Learn more about what happens when your domain is blocklisted.
• Disaster recovery planning: A comprehensive incident response plan for ransomware includes isolating infected systems and securing backups to prevent further spread and facilitate recovery. Consider these six steps for responding to an attack.

Key considerations

• Primary vs. secondary comms: Differentiate between essential (transactional, security alerts) and non-essential (marketing) communications when planning. Priorities will shift during a crisis.
• DNS security: While DNS is generally robust, ensure domain registration is with a reputable provider and protected against compromise. If your DNS is impacted, your primary domain emails are essentially unusable.
• Backup ESPs: Having a backup ESP or redundant sending infrastructure can mitigate risks. This might involve splitting volume across multiple IPs or ESPs. Consider whether you should use a backup ESP.
• Access protocols: Ensure access to critical communication platforms (like ESPs) is possible from outside the compromised network, without reliance on single sign-on systems that might be affected.

Key opinions

• Domain sharing: Relying on shared domains (like a generic ESP domain) for critical communications is generally not a best practice. It is seen as a risky path that can lead to deliverability issues, especially with major providers like Gmail.
• Reputation impact: Even if a generic ESP domain is warm, its reputation isn't tied to your specific mail streams. This means delivery might not be great. There's also a risk of negatively impacting other users sharing that domain if your volumes are high.
• Essential vs. marketing: Marketing communications are unlikely to be a priority during a ransomware attack. The focus shifts entirely to essential, transactional communications, such as those related to application processes for universities.
• Contingency planning scope: Marketers emphasize the importance of identifying the specific risks being mitigated, whether it is marketing messages or general business communications, as this dictates the appropriate contingency measures. Developing an effective ransomware defense strategy is key.

Key considerations

• Alternative ESPs: Consider having a separate ESP ready for critical communications, particularly if your current system is internal or less resilient to domain-level outages. This can also help you find alternatives for time sensitive emails.
• Disaster recovery for email: Implement a disaster recovery (DR) plan for email streams. This might involve splitting email volume across multiple sending IPs or even different email sending platforms to ensure redundancy.
• Preventing blacklisting: Understand how to prevent your domain from being blacklisted (or blocklisted), especially during a crisis where unusual sending patterns might trigger filters. For more details, see our guide on an in-depth guide to email blocklists.
• DNS tampering: While DNS is relatively resilient, the risk of a compromised domain stems more from a compromised web hosting provider than direct DNS tampering by ransomware itself.

Key opinions

• IP redundancy: Best practice for disaster recovery involves splitting email volume across at least two (ideally three) sending IPs. If one IP is compromised or goes down, volume can be shifted to the others, maintaining continuity. This is a core part of robust technical solutions for email deliverability.
• Domain failover planning: While less common than IP redundancy, similar failover strategies can be considered for domains if the risk profile warrants it. This includes having a separate, warmed domain ready for emergency use.
• Out-of-band communication: For truly essential communications, a completely separate communication system, independent of the main network or domain, is recommended. This ensures vital coordination even during severe outages.
• Reputation is paramount: Experts consistently highlight that sender reputation is hard-earned and easily lost. Any alternative sending method must consider its impact on both current and future deliverability. Understand how long it takes to recover domain reputation.

Key considerations

• Pre-warmed infrastructure: Any backup domains or sending IPs should ideally be pre-warmed with some consistent sending volume to establish a positive reputation. This prevents new IPs or domains from being treated as suspicious during a crisis.
• Authentication protocols: Ensure all backup sending methods are properly configured with SPF, DKIM, and DMARC. These authentication protocols are critical for deliverability and trust, especially in emergency scenarios. A simple guide to DMARC, SPF, and DKIM can assist with this.
• Third-party access: Verify that access to ESPs or alternative sending platforms is not contingent on your internal network infrastructure. This means having separate credentials or access points that are not impacted by a local ransomware attack.
• DNS resilience: While ransomware typically targets data, securing DNS infrastructure through multiple providers or robust registrar practices is important. This mitigates the risk of DNS records being altered or held hostage.

Key findings

• Incident response plan: Upon detecting a ransomware attack, the immediate response should include isolating affected systems to prevent the malware from spreading. This is highlighted by Exabeam's guidance on incident response for ransomware.
• Secure backups: Securing and testing backups is a fundamental step in recovery. This ensures that data, including email systems configurations and contact lists, can be restored without paying the ransom.
• Proactive prevention: Strategies like installing spam filters, anti-malware software, and next-generation firewalls can significantly reduce the risk of ransomware attacks impacting your domain, as noted by PurpleSec's advice on how to prevent cyberattacks.
• Email authentication protocols: Implementing robust email authentication (SPF, DKIM, DMARC) can prevent threat actors from spoofing your domain even if it's compromised, protecting your sending reputation.

Key considerations

• Communication plan: A data breach response guide, such as that from the FTC, emphasizes having a clear communication plan for affected individuals, potentially using alternative channels if primary ones are down.
• Network isolation: Immediate isolation of infected systems is critical. This might disconnect your primary email infrastructure, necessitating pre-planned alternative methods.
• Regular testing: Regularly testing your disaster recovery plan, including alternative communication methods, is essential to ensure they work when needed. This includes scenarios where your main domain is down.
• External access: Documentation often implies that key personnel need access to critical systems from outside the compromised network environment to manage the incident and communications.