Pay to Play: Our Data is Locked Down, But Not by Us

The stories are all too familiar — some bad actor locks down data, promising its return only if a ransom is paid (e.g., WannaCry, KillDisk, and CryptoLocker). In 2015, ransomware attacks became prevalent on mobile devices, such as the adult entertainment app that locked Android phones until a US$500 fee was paid. A recent mobile ransomware, “LeakerLocker,” threatened to send photos, text messages, website searches, chats, location information, and email messages to all of the user’s contacts (again on Android phones) unless the user paid US$50.

The US Federal Bureau of Investigation (FBI) estimates that ransomware garnered criminals over a billion US dollars in 2016, and that extorted funds will continue to increase by 25 percent in 2017. This increase is partially attributed to the proliferation of Bitcoin, a virtually untraceable form of electronic currency. Top targets are businesses rather than individuals, specifically those companies whose access to data is critical in order to function (e.g., hospitals, schools, and government, including police departments).

Because only 42 percent of victims recovered their data after paying ransomware demands, businesses should focus on prevention and developing a sound response plan. But first, what is ransomware, and is your industry a likely target?

What is ransomware?

Ransomware is malware — a virus that spreads when a user clicks on a link or opens an attachment (often delivered via an email phishing campaign), when a user visits a malicious website that silently installs it (“drive-by download”), or through the exploitation of server-side security vulnerabilities. The infection is not always activated immediately. Sophisticated ransomware actors let the virus hibernate so that it infects back-ups as well as current data.

Data is then encrypted or otherwise held “hostage,” accompanied by a demand — usually payment in Bitcoin — in exchange for which the attacker promises to release the data.

Who is behind ransomware?

The motives of a bad actor who takes such action range across social hacktivism, such as protests (disruption linked to a cause); nation states (political gain, IP); organized crime (money); insider threats (revenge); and lone wolves (personal reasons). The biggest threats are hacktivists, nation states, and organized crime. Unfortunately, if the data is released — either online or within digital communities — it can be sold and resold many times over.

Who are the likely targets?

The United States suffers the greatest impact globally. This is not unexpected considering that the United States and China make up 40 percent of the Fortune 2000.

The industries most frequently affected (in order of highest percentage to lowest) include: services, manufacturing, finance, insurance, real estate, public administration, wholesale trade, transportation, communications, utilities, retail, construction, mining, agriculture, forestry, and fishing. Many of these sectors are heavily tech-oriented, mostly unregulated for personal data (exceptions being finance and insurance), and are often reliant on outdated technology.

How to prepare

There are several steps businesses can take to prevent and better prepare for a ransomware attack:

•    Train employees to avoid typical insertion points (e.g., avoid clicking on links, opening attachments, and downloading from suspicious sources);
•    Enable strong spam filters to prevent phishing emails from reaching end users, authenticate inbound emails, and manage the use of privileged accounts based on the principle of least privilege;
•    Keep system components updated with patches and antivirus software and conduct ongoing security assessments and penetration testing in order to identify vulnerabilities;
•    Develop an incident response plan (see NIST’s “Guide for Cybersecurity Event Recovery”) and take into account cyber-liability insurance coverage; and,
•    Back up your data daily, either to a cloud provider (often safe from local virus infections) or, if local, to an offline server that is not directly connected to the typical workstations. If you use an individual back-up drive, connect it only when actively backing up the data, then disconnect it. Test your back-ups at least annually to see how long it takes to get critical systems up and running. It may take a week or so.

What to do if attacked

Although 70 percent of businesses hit with ransomware elect to pay, the FBI strongly discourages payment as it doesn’t guarantee the return of data, and payment further incentivizes criminal activity. After ransomware has been detected, your organization should deploy its response plan, including the following steps:

•    Deploy efforts to contain and eradicate the instance of ransomware — remove infected systems from the network, power off devices that have not yet been corrupted, and secure back-up systems by taking them offline;
•    Contact your local FBI office or US Secret Service;
     o    Before an incident occurs, you should already be building relationships with federal and local law enforcement;
•    Deploy business continuity and restore lost data to the extent possible;
•    Conduct a factual analysis to determine if your entity has any regulatory, contractual, or other obligations. You should also be cognizant of the treatment of ransomware incidents under industry-specific privacy laws as well as various state laws;
     o    As an example, the presence of ransomware is a security incident for purposes of the US Health Insurance Portability and Accountability Act and its subsequent amendments (HIPAA). However, whether such an occurrence also constitutes a security breach under HIPAA requires further factual analysis. In particular, if a forensic investigation shows that data was encrypted prior to the attack and maintained that encryption status after the attack, so that protected health information (PHI) remained unreadable and unusable, there may be a sufficient basis to support a finding that no breach occurred. Alternatively, if the PHI became encrypted as part of the attack, a breach is presumed to have occurred because the PHI was acquired by the attacker (unless the facts would otherwise support a finding that the probability the PHI was compromised was low, taking into consideration the risk factors under 45 C.F.R. 164.402). Mitigating the impact of a ransomware attack through the implementation of disaster recovery and data backup plans may be a supporting factor in establishing a low probability that a breach has occurred;
     o    Analyze US state data breach notification laws as well, noting that in a minority of states, breach notification is triggered simply by unauthorized access (unlike unauthorized acquisition of personal data, which is the majority view). Keep in mind that encrypted data is not always a safe harbor;
     o    Check international data breach requirements and recognize that some regions have an unwritten expectation of “doing the right thing.” Your best option would be to consult local counsel to determine what actions should be performed; and,
     o    Be prepared for investigatory inquiries from multiple regulatory authorities. These inquiries may well disrupt the investigation by taking valuable time away from working on the issue, so take into account the associated efforts required;
•    Contact your cyber insurance carrier, or regular insurance carrier if there is no cyber insurance. There may be time limits or actions required;
•    Consult external counsel, if applicable, regarding any liabilities or responsibilities you may have when it comes to your company or the attacker;
•    Consult a PR firm;
     o    This should be part of the incident response plan already in place; and,
•    Conduct a post-incident review and remediate the vulnerabilities that permitted the attack.

There may be no way to completely avoid a ransomware attack, but the consequences for being unprepared are significant. Take the proper steps now to prevent an incident (i.e., deploy training, implement anti-virus, update technology, develop policies and practices, and build relationships). In addition, create a response plan and socialize it among your corporate stakeholders. Taking these steps now could save you a fortune later — literally.

About the Authors

Allison Trimble is associate senior counsel at DST Systems, Inc.

K Royal is the technology columnist for, and director at TrustArc. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.