Chair, Privacy & Data Security Practice
Shook, Hardy & Bacon, LLP
Ransomware attacks have sucked billions of dollars from American companies. Not just in ransoms paid, but also in lost revenue, the costs incurred restoring systems and investigating the incident, and the cost of class action lawsuits that have followed when customer/employee personal information is impacted. This article addresses some of the most common questions about ransomware and provides suggestions on ways to mitigate that risk.
What Is A Ransomware Attack?
Ransomware is a form of malware that encrypts (locks) your data and prevents access until the data is unlocked with a decryption key that only the threat actor holds. There are three stages to a ransomware attack.
In the first stage, the threat actor (“the bad guy”) exploits an existing weakness (vulnerability) in your network. This vulnerability could be a Remote Desktop Protocol (RDP) port exposed to the internet and protected only by a password, an employee who clicks on a phishing link or types credentials into a look-alike login page, or unpatched software on an application, server, VPN appliance, or firewall. This stage gives the threat actor a foothold in your organization.
In the second stage of the attack, the threat actor performs reconnaissance inside your network: mapping systems, escalating privileges, moving from machine to machine, and identifying your most valuable data. Increasingly, the threat actor also exfiltrates (steals) that data before encrypting anything, so that the stolen copy can be used as a second source of leverage.
In the third stage, the threat actor deploys the ransomware that begins encrypting your files. Without effective monitoring tools, all you will see is the end result when you turn on your computer, cannot access files because they’re encrypted, and find a ransom note threatening to release the stolen data on the dark web unless you pay a ransom.
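The third stage is the one that monitoring can still catch while it is happening, because an encryptor leaves a distinctive trail: one process rewriting large numbers of files across many directories, giving them a new extension, and dropping a ransom note in each directory. The following is an added example, not code from the article or its author, of that detection logic run over a constructed file-activity log. The log format (one event per line: timestamp, host, process, action, path, and a new path for renames) is an assumption; an EDR or file-server audit export would need to be mapped into it.

```python
"""Heuristic detector for an in-progress ransomware encryption run, over file-activity logs.

Added example, not code from the article. The log format is an assumption:
"<UTC timestamp> <host> <process> <CREATE|WRITE|RENAME> <path> [-> <newpath>]".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<action>CREATE|WRITE|RENAME) "
    r"(?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)
# Ransom notes are typically dropped into every encrypted directory under names like these.
NOTE_RE = re.compile(r"readme|recover|decrypt|restore|how_to", re.IGNORECASE)

WINDOW_SECONDS = 60     # sliding window, evaluated per process
RENAME_THRESHOLD = 10   # extension-changing renames inside the window; raise for busy servers
MIN_DIRECTORIES = 3     # spread across directories, unlike a bulk job confined to one folder


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dirname(path):
    return path.rsplit("\\", 1)[0]


def _ext(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_events(lines):
    """Parse log lines into dicts, skipping malformed lines; result is ordered by timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_ransomware(lines):
    """Return one alert per (rule, process) for two behaviours most encryptors show:
    mass_rename - one process gives >= RENAME_THRESHOLD files the same new extension,
                  across >= MIN_DIRECTORIES directories, within WINDOW_SECONDS;
    ransom_note - one process creates note-like files in >= MIN_DIRECTORIES directories.
    """
    renames = defaultdict(deque)   # process -> (timestamp, directory, new extension)
    note_dirs = defaultdict(set)   # process -> directories where a note-like file appeared
    alerts, fired = [], set()
    for e in parse_events(lines):
        proc = e["proc"]
        if e["action"] == "RENAME" and e["newpath"] and _ext(e["newpath"]) != _ext(e["path"]):
            q = renames[proc]
            q.append((e["ts"], _dirname(e["path"]), _ext(e["newpath"])))
            while (e["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()                       # drop events that fell out of the window
            dirs = {d for _, d, _ in q}
            exts = {x for _, _, x in q}
            if (len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES
                    and len(exts) == 1 and ("mass_rename", proc) not in fired):
                fired.add(("mass_rename", proc))
                alerts.append({"rule": "mass_rename", "host": e["host"], "process": proc,
                               "new_extension": next(iter(exts)), "files": len(q),
                               "first_seen": q[0][0].isoformat()})
        elif e["action"] == "CREATE" and NOTE_RE.search(_basename(e["path"])):
            note_dirs[proc].add(_dirname(e["path"]))
            if len(note_dirs[proc]) >= MIN_DIRECTORIES and ("ransom_note", proc) not in fired:
                fired.add(("ransom_note", proc))
                alerts.append({"rule": "ransom_note", "host": e["host"], "process": proc,
                               "directories": sorted(note_dirs[proc])})
    return alerts


# Constructed sample log (not real telemetry): ordinary activity, then one process
# re-extensioning documents on three shares and dropping a note in each.
SAMPLE_LOG = r"""
2024-03-02T02:14:05Z fileserver01 winword.exe WRITE C:\Shares\HR\policy.docx
2024-03-02T02:14:09Z fileserver01 excel.exe RENAME C:\Shares\Finance\~tmp1.xlsx -> C:\Shares\Finance\budget.xlsx
2024-03-02T02:15:01Z fileserver01 svchost_.exe RENAME C:\Shares\Finance\budget.xlsx -> C:\Shares\Finance\budget.xlsx.lckd
2024-03-02T02:15:02Z fileserver01 svchost_.exe RENAME C:\Shares\Finance\q1.xlsx -> C:\Shares\Finance\q1.xlsx.lckd
2024-03-02T02:15:02Z fileserver01 svchost_.exe CREATE C:\Shares\Finance\RECOVER-FILES.txt
2024-03-02T02:15:03Z fileserver01 svchost_.exe RENAME C:\Shares\Finance\q2.xlsx -> C:\Shares\Finance\q2.xlsx.lckd
2024-03-02T02:15:04Z fileserver01 svchost_.exe RENAME C:\Shares\HR\policy.docx -> C:\Shares\HR\policy.docx.lckd
2024-03-02T02:15:05Z fileserver01 svchost_.exe RENAME C:\Shares\HR\offers.docx -> C:\Shares\HR\offers.docx.lckd
2024-03-02T02:15:05Z fileserver01 svchost_.exe CREATE C:\Shares\HR\RECOVER-FILES.txt
2024-03-02T02:15:06Z fileserver01 svchost_.exe RENAME C:\Shares\HR\reviews.docx -> C:\Shares\HR\reviews.docx.lckd
2024-03-02T02:15:07Z fileserver01 svchost_.exe RENAME C:\Shares\Legal\nda.pdf -> C:\Shares\Legal\nda.pdf.lckd
2024-03-02T02:15:08Z fileserver01 svchost_.exe RENAME C:\Shares\Legal\msa.pdf -> C:\Shares\Legal\msa.pdf.lckd
2024-03-02T02:15:08Z fileserver01 svchost_.exe CREATE C:\Shares\Legal\RECOVER-FILES.txt
2024-03-02T02:15:09Z fileserver01 svchost_.exe RENAME C:\Shares\Legal\sow.pdf -> C:\Shares\Legal\sow.pdf.lckd
2024-03-02T02:15:10Z fileserver01 svchost_.exe RENAME C:\Shares\Legal\brief.docx -> C:\Shares\Legal\brief.docx.lckd
"""


def main():
    for alert in detect_ransomware(SAMPLE_LOG.splitlines()):
        print(alert)


if __name__ == "__main__":
    main()
```

The benign rename by excel.exe (a temp file becoming budget.xlsx) keeps its extension and so is never counted, while the ransom-note rule fires before the rename rule does, which is typical: the note appears as soon as the first directory is finished. In production the thresholds are the thing to tune, and an alert should trigger an automatic action (isolate the host, disable the account) rather than wait for a human to read it.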
The analogy I like to give clients is to imagine if you were to leave your house for the weekend but your front door and a couple of windows are unlocked. Those unlocked doors/windows are your vulnerabilities. A burglar will test your doors and windows until he finds an unlocked one and uses it to access your house (i.e., exploit your vulnerability). Once inside, he will perform reconnaissance – looking around your house to find where your valuable items are hidden – and he will steal (exfiltrate) some of your items in the process. Imagine if, before the burglar leaves your house, he goes around changing all the locks so you can no longer access your house. When you return home you realize your key doesn’t work anymore. You see a note on your front door that says, “If you want to re-enter your house you must pay me $5,000,000 in Bitcoin; and I stole your valuable/sensitive items, so unless you pay me in the next 72 hours I will sell everything I stole on the Dark Web.” That is essentially a ransomware attack.
What To Expect When Under Attack?
When you are under attack, you can expect to lose access to critical functions as the threat actor deploys the encryptor to every system it can reach on your connected network, including shared drives and, frequently, your backup servers. Your access will be down for at least a few days and potentially even a few weeks. You will receive questions from employees, customers, business partners, and the media asking what is happening. You should expect to spend tens or hundreds of thousands of dollars, at minimum, responding to the incident. The good news is there are steps you can take to mitigate these risks.
Responding To The Attack
Like a boxer punched in the face by Mike Tyson, you will initially panic and be stunned when you first realize you are under attack. Try to set aside the panic (and the pain) to focus on some key initial steps that will help you recover:
- Contact your cyber insurance carrier immediately. The carrier will provide you with experts who can help restore your data, contain and eliminate the threat, identify and fix the vulnerability, negotiate with the threat actors (even if you need to buy more time), and advise you on your legal obligations. Many policies require you to use the carrier’s panel of vendors and to obtain the carrier’s consent before any ransom payment, so make this call before engaging anyone else.
- Do not erase anything, do not wipe or reimage machines, and do not hand over the only copies of your servers/workstations to third parties. Disconnect affected systems from the network rather than powering them off: the running processes and memory contents hold important information about the nature of the attack that the forensic firm will need to help you recover, and that evidence is lost on shutdown.
- Begin the process of restoring your information from backup, but only after the backups have been checked for tampering and the forensic firm has confirmed the threat actor’s access is cut off. Data restored onto a network the attacker still controls is simply encrypted a second time.
- Operationally, you may need to start using an alternative method of communication while the recovery and remediation efforts are underway. You may also need to use a backup method of doing business, whether that is old-fashioned paper and pen or using personal laptops. (By the way, the lesson here is not “you’re better off just doing business the old-fashioned way with paper and pen” – that method may avoid a ransomware attack but it creates much larger data breach and security issues.)
- Work with your newly engaged cybersecurity experts to contain the threat, close the vulnerability, and identify which files may have been stolen or accessed.
- Your legal counsel will ensure you are: (a) meeting legal requirements to preserve certain evidence; (b) performing the forensic investigation under privilege; (c) issuing statements to employees, customers, and business partners that don’t create additional liability; (d) notifying the right law enforcement entities; and (e) notifying third parties and customers whose data may be impacted in the manner required by law.
Are You Allowed To Pay A Ransom?
There are instances where paying a ransom may be necessary. For example, where data your organization needs to survive has been encrypted and you cannot restore your system using your backup files (either because the backup files were also impacted or because they don’t exist). Another example is where sensitive customer data has been stolen and there is a threat to release that data on the dark web.
An initial question is whether the threat actors will actually provide the decryption key or delete the stolen data if they are paid the ransom. Usually, yes. Their business model does not work unless they do. Two caveats apply in practice: the decryption tools they supply are often slow, buggy, and unable to recover every file, so restoring from backup remains faster and more reliable where it is possible; and there is no way to verify that a copy of the stolen data has actually been deleted.
So when is it illegal to pay a ransom? The law prohibits transactions that directly or indirectly benefit individuals, entities, or jurisdictions on the sanctions lists maintained by the Department of Treasury’s Office of Foreign Assets Control (OFAC), principally the Specially Designated Nationals and Blocked Persons (SDN) list. You cannot pay anyone on that list, and doing so may result in criminal and civil penalties; OFAC has warned in its ransomware advisory that civil penalties can apply even where the payer did not know the recipient was sanctioned. If you decide to make a ransom payment, the company you hire to facilitate that payment will first perform an “OFAC check” to ensure the payment you are about to make is not being made to an entity on that list. That check reduces the risk but does not eliminate it, because threat actors are rarely identified with certainty.
Who Do I Need To Notify About The Attack?
If the threat actor accessed certain sensitive information (e.g., customer/employee personal information, or proprietary/sensitive information of business partners) there may be a legal obligation to notify those third parties whose information is impacted. There may also be an obligation to notify state attorneys general or other regulatory authorities. In some instances, your contracts with business partners may require that you notify them even if there is no proof that their information has been impacted. Your lawyer should be guiding you on these obligations, the timing of notice, and the content of that notice.
But even if there were no legal obligation to notify, you may want to consider providing an informal update to customers and business partners about what is happening. If you decide to do this, it is incredibly important to work with legal counsel on this messaging because one wrong word could create potential negligent misrepresentation or deceptive trade practice claims.
The Risk of Class Action Lawsuits and Regulatory Enforcement Actions
Unfortunately, we live in a litigious society driven by individuals who are incentivized to file lawsuits against victims of a cyberattack. When you notify customers/employees that their information was impacted by the ransomware attack, there is a good chance that a plaintiff’s lawyer will learn about the attack from the news, from your regulatory notification, from a statement on your website, or from an individual who received notice and has questions about it. Increasingly, those lawyers are filing class action lawsuits against companies that are victims of cyberattacks. They use social media to find potential clients “impacted by the XYZ data breach.” These lawsuits are usually looking for a quick settlement where each impacted person perhaps receives very little, but the lawyers receive hundreds of thousands of dollars in attorney’s fees.
There is also a lower risk that the Office of the Florida Attorney General will seek penalties against your business for: (a) failing to adopt reasonable security safeguards to protect sensitive consumer information; (b) taking too long to notify impacted consumers; or (c) making statements about the incident that were not accurate. This is why incident response preparation is as important to minimizing costs as the response itself.
How To Mitigate The Risks
The good news is that there are steps your organization can take to minimize the likelihood of an attack and the impact of such an attack. From a technical perspective, one such measure is implementing multifactor authentication on every application, remote access protocol (RDP, VPN), email account, and other system that holds sensitive information.
- Multifactor authentication requires you to authenticate yourself in more than one way (e.g., something you know, like a password, and something you have, like a phone running an authenticator app or a hardware security key). A code sent by text message is the weakest form, since phone numbers can be hijacked and the code can be phished; an authenticator app is better, and a hardware security key (FIDO2/WebAuthn) is the only common form that cannot be phished.
- Ensure you are backing up your information securely, to an offline copy that is not connected to your network or to an immutable copy that cannot be altered or deleted with credentials stolen from your network. Test restoring from those backups regularly; a backup you have never restored from is an assumption, not a plan.
- Purchase cyber insurance. A cyber policy typically covers most costs you will incur when responding to a ransomware attack, including legal counsel, forensic experts, data restoration services, certain operational losses, and sometimes cyber-extortion costs (threat-actor negotiation services and payment of a ransom). It also typically covers the costs associated with class action lawsuits and regulatory enforcement actions.
- Prepare an incident response plan, which is your roadmap for what to do if you ever fall victim to a cyberattack. The document describes who would need to be involved (internally and externally) and what steps to consider on operational, security, legal, and financial issues.
- It is not enough just to have a plan; you need to test it. The individuals who would be involved in responding to a cyberattack should meet at least annually to walk through a simulated attack. You can hire a third-party cybersecurity firm or a good lawyer to moderate this exercise.
- Perform cybersecurity training for all levels of employees/directors/owners of your company at least once each year.
- Deploy endpoint detection and response (EDR) tools that are constantly searching for unusual behavior and malware on your network, and make sure someone (in-house or a managed service) is actually watching the alerts around the clock.
- Minimize the amount of sensitive data you collect. If you do not need it, don’t collect/keep it. If you really need it, encrypt it.
- Engage a third-party cybersecurity firm to assess your environment. Let them identify your vulnerabilities (unlocked doors/windows) and prioritize which ones you should fix in which order. Florida has some outstanding cybersecurity firms that can help you do this.
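To make the “something you have” factor concrete, here is an added example, not code from the article or its author, of how the time-based one-time codes produced by an authenticator app are generated and checked on the server side (RFC 6238 TOTP on top of RFC 4226 HOTP). It assumes the defaults used by common authenticator apps (HMAC-SHA1, six digits, 30-second steps); the names of the functions and the issuer/account strings are illustrative, and the test secret is the one published in the RFCs.

```python
"""TOTP (RFC 6238) generation and server-side verification for the "something you have" factor.

Added example, not code from the article. Assumptions: SHA-1, 6 digits, 30-second steps
(the defaults of common authenticator apps). RFC_TEST_SECRET is the RFC 4226/6238 test key.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


def new_secret() -> bytes:
    return secrets.token_bytes(20)   # 160-bit key, the size the RFC recommends for SHA-1


def provisioning_uri(key: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment (issuer/account are illustrative)."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check for one enrolled user. Tolerates +/- `skew` steps of clock drift,
    compares in constant time, and never accepts the same time step twice (replay guard)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_accepted_step = -1   # persist this per user in a real deployment

    def verify(self, code: str, at_time=None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now_step = int(time.time() if at_time is None else at_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue               # already used, or older than a step we already accepted
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"   # published test key from RFC 4226 / RFC 6238


def main():
    key = new_secret()
    print(provisioning_uri(key, "ExampleCorp", "alice@example.com"))
    print("current code:", totp(key, time.time()))


if __name__ == "__main__":
    main()
```

The two details that matter on the server are the constant-time comparison (a plain string compare leaks timing) and the replay guard: a code intercepted by a phishing page is valid for the rest of its 30-second step plus the skew window, so once a step has been accepted nothing in or before it may be accepted again. Remember that this still does not stop a real-time phishing proxy that relays the code immediately, which is why the article’s advice to prefer a hardware security key stands.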
There are other security measures you can and should implement. Working with a third-party cybersecurity expert and legal counsel experienced in cybersecurity will help you identify which of those measures are right for your organization, and how to prioritize implementing them.
Al Saikali chairs the Privacy and Cybersecurity Practice at the law firm of Shook, Hardy & Bacon, LLP. He and his team regularly represent companies in preparing for and responding to cybersecurity attacks. If you have questions, you may contact Al at firstname.lastname@example.org.