Ransomware attacks continue to plague businesses across the globe. As companies enhance their defenses, attackers increase the sophistication of their software and its deployment. Ransomware attacks used to be limited to the locking of a company’s computer system by encryption software and a demand to pay in order to obtain the key, but not anymore.

In early June 2020, for example, the REvil ransomware group auctioned off three databases containing approximately 22,000 stolen files that were associated with a Canadian agricultural firm, for a starting price of $50,000, after the victim refused or failed to pay the ransom. This sale reflects a growing trend of ransomware attacks that includes theft of sensitive company data, along with the usual locking up of computer systems, as a means of amplifying the pressure on victim entities. As a result, companies that have operational backup systems, and therefore do not need to pay the ransom to get access to their data, may still consider paying in order to prevent the public release of their stolen confidential information.

Opportunistic cyber criminals are also taking advantage of the operational and business pressures and anxieties created by the Covid-19 pandemic to target ransomware attacks against law firms, healthcare facilities, financial services, technology companies, government institutions, and other organizations. After establishing access, ransomware groups are more frequently spending extended periods of time—sometimes days to weeks—mapping systems in order to maximize the operational disruption and the pressure to pay.

The success of these attacks reinforces the key takeaways from a May 2020 alert from the Cybersecurity and Infrastructure Security Agency (“CISA”), a stand-alone U.S. federal agency operating under Department of Homeland Security oversight, warning that companies continue to be vulnerable to ransomware attacks due to “poor employee education on social engineering attacks and a lack of system recovery and contingency plans.” This alert, along with lessons learned from numerous ransomware incidents caused by successful phishing attacks or out-of-date software, suggests that a combination of technical and non-technical measures can help protect against a potential ransomware attack and mitigate one if it occurs.

NIST Draft Data Integrity Framework

Organizations seeking to reduce their exposure to ransomware attacks should consider reviewing the January 2020 draft Data Integrity Framework (“Framework”) for detecting and responding to ransomware and similar destructive events, issued by the National Institute of Standards and Technology (“NIST”), an American entity that provides guidance frameworks and measurements for use by public and private entities. While based in the U.S., NIST has an increasingly global influence with many organizations choosing to align with its standards in the cybersecurity space.

Despite still being in draft, with the comment period closing on March 20, 2020, the Framework’s six component parts provide helpful guidance for approaching ransomware risk:

  • Integrity Monitoring: Establishing an operational baseline for systems can help detect, understand, and measure attacks. Knowing what the environment is supposed to look like can help companies identify files that have been changed and who made those changes.
  • Event Detection: Companies should consider deploying detection tools, such as intrusion detection, malware detection, and user anomaly detection to proactively identify potential ransomware or data integrity events.
  • Logging: Robust logging that is consistently monitored facilitates proactive detection, and detailed logs allow companies that experience incidents to better determine where the attackers have been and what they have accessed, which can be helpful in making key decisions.
  • Mitigation and Containment: Before any attack happens, companies should consider what technical steps they can take to mitigate an attack, including isolating backups, disconnecting a system from the network, or bringing down the network in its entirety. While each of these has practical consequences, the best time to test and confirm whether these responses are technically and operationally feasible is before, not during, an attack. In particular, it is vital that backup systems have extra protection from ransomware attacks, that they be kept as current as possible to minimize the loss of data, and that they be periodically tested.
  • Forensics and Analytics: Once the threat is contained, it is important to investigate the attack to better understand the vulnerabilities that allowed it to happen in order to help reduce the risks of future similar attacks.
  • Reporting: Defining internal and external reporting mechanisms in advance of a ransomware attack can help companies ensure that key stakeholders are receiving the information necessary to respond to and recover from a ransomware attack.
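To make the Integrity Monitoring component concrete, the following added example (not part of the Framework or of the original article) records a hash baseline of a directory and compares a later snapshot against it, raising an alert when a large share of files changed and their content became near-random, as encrypted data is. The thresholds, file names, and sample tree are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(root: str) -> dict:
    """Baseline: relative path -> (SHA-256 digest, entropy) for each file."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read keeps the example short
            snap[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(), entropy(data))
    return snap

def compare(base: dict, cur: dict, mass_ratio=0.3, floor=7.0, jump=2.0) -> dict:
    """Diff two snapshots; thresholds are illustrative assumptions, not NIST values."""
    modified = sorted(p for p in base if p in cur and cur[p][0] != base[p][0])
    deleted = sorted(p for p in base if p not in cur)
    added = sorted(p for p in cur if p not in base)
    # Content that jumped to near-random entropy looks like encryption, not editing.
    high_entropy = [p for p in modified if cur[p][1] >= floor and cur[p][1] - base[p][1] >= jump]
    touched = len(modified) + len(deleted)
    alert = bool(base) and touched / len(base) >= mass_ratio and bool(high_entropy)
    return {"modified": modified, "deleted": deleted, "added": added,
            "high_entropy": high_entropy, "alert": alert}

def demo() -> tuple:
    """Constructed sample tree: one ordinary edit, then a mass overwrite."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(5):
            with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
                fh.write(f"quarterly figures for unit {i}\n" * 200)
        base = snapshot(root)
        with open(os.path.join(root, "report0.txt"), "a") as fh:
            fh.write("one routine correction\n")
        benign = compare(base, snapshot(root))
        for i in range(1, 4):  # random bytes stand in for encrypted content
            with open(os.path.join(root, f"report{i}.txt"), "wb") as fh:
                fh.write(os.urandom(4096))
        return benign, compare(base, snapshot(root))

if __name__ == "__main__":
    for label, report in zip(("routine edit", "mass overwrite"), demo()):
        print(label, report)
```

A hash baseline shows which files changed but not who changed them; attributing the change requires operating-system audit logs, which is where the Logging component comes in.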

In deciding how best to implement these principles and mitigate the risk of a ransomware attack, here are 13 steps that companies should consider.

13 Ransomware Risk Mitigation Measures

Technical Controls

The following are examples of technical measures that companies can leverage to help stop ransomware attacks before they happen:

1. Software updates and patching: Attackers frequently take advantage of out-of-date software and unpatched systems. Establishing a regular cadence for patching and updating systems mitigates ransomware risk.

2. Asset management: In order to ensure risk-based patching and updates, organizations should know what devices and systems are in their network, including any legacy or unused servers.

3. Block known tactics for distribution: Forensic experts on the front lines of ransomware attacks have identified ports and protocols, such as Server Message Block, Remote Desktop Protocol, and Remote PowerShell, as commonly used mechanisms to distribute ransomware throughout a network. To the extent feasible, companies should consider blocking or adding extra layers of protection around internal communications that leverage these ports and protocols.
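One way to check whether internal blocking of these protocols is actually in effect is to review firewall or flow logs for workstation-to-workstation traffic on their default TCP ports (445 for SMB, 3389 for RDP, 5985 and 5986 for WinRM, which carries Remote PowerShell). The sketch below is an added example, not from the original article; the log format, address ranges, jump host, and sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WATCHED = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}  # default TCP ports
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")   # assumed user segment
ADMIN_HOSTS = {ipaddress.ip_address("10.30.0.5")}     # assumed approved jump host

# Constructed records: timestamp, source, destination, destination port, action.
SAMPLE_FLOWS = """\
2020-06-01T09:00:01 10.20.1.15 10.10.0.8 445 ALLOW
2020-06-01T09:00:02 10.30.0.5 10.20.1.15 3389 ALLOW
2020-06-01T09:01:10 10.20.1.77 10.20.1.15 445 ALLOW
2020-06-01T09:01:11 10.20.1.77 10.20.1.16 445 ALLOW
2020-06-01T09:01:12 10.20.1.77 10.20.2.40 445 ALLOW
2020-06-01T09:01:13 10.20.1.77 10.20.2.41 5985 ALLOW
2020-06-01T09:02:00 10.20.3.9 10.20.1.15 3389 DENY
2020-06-01T09:02:30 10.20.1.15 10.10.0.9 443 ALLOW
"""

def review(flows: str, fanout_limit: int = 3) -> dict:
    """Find workstation-to-workstation flows on watched ports and fan-out sources."""
    findings, peers = [], defaultdict(set)
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = fields
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        proto = WATCHED.get(int(port))
        if proto is None or src in ADMIN_HOSTS:
            continue  # unwatched port, or traffic from the approved jump host
        if src in WORKSTATIONS and dst in WORKSTATIONS:
            findings.append((ts, str(src), str(dst), proto, action))
            peers[str(src)].add(str(dst))
    # One workstation reaching many peers on these ports is a spreading pattern.
    fanout = sorted(s for s, d in peers.items() if len(d) >= fanout_limit)
    # ALLOW on a peer-to-peer flow means the intended block is not in place.
    allowed = [f for f in findings if f[4] == "ALLOW"]
    return {"findings": findings, "allowed": allowed, "fanout_sources": fanout}

if __name__ == "__main__":
    print(review(SAMPLE_FLOWS))
```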

Training

Employees, at all levels, can serve as a first line of defense in preventing and responding to ransomware.

4. Phishing training: Phishing remains the most common tactic used to gain access that allows the attacker to introduce ransomware. Companies can therefore significantly reduce their risks by conducting regular phishing training and testing.

5. Practice for the worst: Many companies have benefited from tabletop exercises or other mock drills where decision-makers run through ransomware scenarios and test response decisions, escalation procedures, and communication strategies. These exercises help companies determine, ahead of time, under which circumstances they would consider paying ransom, if any.

6. Keep the Board and C-Suite in the loop: It can be helpful for an organization’s executive leadership and Board to understand the role they will play in responding to a ransomware attack, especially with increased attention from regulators on senior leadership involvement in preparing for and responding to a cyber incident.

Ransomware Incident Response Planning

Companies can also reduce the impact of a ransomware attack by having the following measures in place ahead of time:

7. Line up forensic help: Retaining outside technical experts and cyber counsel in advance can help to reduce delays in getting critical information to decision-makers. These experts are often familiar with particular variants of ransomware, allowing them to assist in more rapidly countering and containing the attack. They often have contacts in law enforcement that can help identify the attacker and evaluate the risks of negotiating or making a payment. If negotiations are warranted, these experts can also conduct the negotiations and obtain the Bitcoin or other cryptocurrency needed for payment.

8. Know your local law enforcement contact: Having a current local FBI field office phone number (or other local law enforcement contact outside of the United States) in your Incident Response Plan or ransomware playbook can reduce delays in contacting the FBI and perhaps obtaining additional valuable information about the ransomware group. Law enforcement may be able to provide insights, including whether the group is associated with a possibly sanctioned entity, is known for providing working decryption keys upon payment, or is likely to make future extortion attempts. Such information can help in making the decision as to whether to pay the ransom.

9. Have a communications plan: Companies should also consider how they will engage with key internal and external stakeholders in the event of a ransomware incident. Planning in advance who will hold the pen on key communications and the levels of approval required before distribution can help victim companies properly sequence the flow of information and ensure consistent messaging.

10. Create out-of-band communications ahead of time: A ransomware attack can compromise corporate email and messaging systems. Companies can reduce communication delays following a successful ransomware attack by creating, before any attack, an emergency out-of-band communication channel. Setting up secure backup G-Suite or ProtonMail accounts is inexpensive, and, during an emergency, they can provide an alternative communication network that can be accessed from any device connected to the Internet.

11. Evaluate insurance coverage: For companies with cyber insurance, it is important to understand whether ransom payments are covered, and, if so, when the insurer must be notified in order to maintain coverage. Depending on the event, the insurance company may expect to be involved in the decisions about how to respond to the ransom demand, including whether a payment should be made.

12. Evaluate payment priorities and considerations: Deciding whether to pay a ransom is a fact-based determination that is unique to each company. When making this decision, companies should consider the cost of the operational disruption versus the business impact of data exposure, reliability (or lack thereof) of the ransomware group, and legality of the payment.

13. Understand disclosure obligations: The record-keeping and disclosure obligations that can arise from a ransomware attack are complicated, and companies can benefit from thinking through these issues ahead of time. This is especially true for ransomware attacks that also involve the exfiltration of data, which may trigger breach notification obligations to individuals and regulators, even if the ransom is paid and the stolen data is returned. Companies subject to the GDPR should also keep in mind that unavailability of personal data can sometimes trigger breach notification obligations both to the relevant Data Protection Authority and individuals in circumstances that would not have triggered notification under U.S. state data breach notification regimes.

For clients facing a breach, the Debevoise Data Portal (now in beta testing) provides a secure online suite of tools that uses a simple, query-based system to help clients assess and respond to their data breach notification obligations across all 50 U.S. states and federal laws, including the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act. If you are interested in joining the small group of Debevoise clients who are beta testing the Debevoise Data Portal, please contact us at dataportal@debevoise.com for more information.

As is the case for most cybersecurity exposures, the risks from ransomware can be significantly reduced through a combination of technical and non-technical preparations. Adopting these measures can help prevent successful attacks, and, if one does succeed, can significantly limit the resulting legal, reputational and commercial damage.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Christopher S. Ford is a counsel in the Litigation Department who is a member of the firm’s Intellectual Property Litigation Group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.