Executive teams in the U.S. live in fear of a successful ransomware attack, and who can blame them? Attacks are both prevalent and evolving. Many attackers have shifted from encrypting data and locking up systems to also (or in the alternative) stealing data to extort payment. Some of these attacks presume organizations will pay to restore data, avoid a more extensive data breach, or protect consumers from further harm. More recently, attacks have targeted organizations thought to be in a sensitive financial position, willing to pay to keep that secret. If you are not sure how your business would respond to these multi-faceted, sometimes devastating attacks, here are steps you can take to mitigate the impact of these events and potentially reduce their likelihood.
1. Train your workforce
The weakest link in the security program of most businesses is their employees. End users click on malware, fall for phishing attacks, and reuse their network credentials across ecommerce and gaming sites, among other behaviors that facilitate ransomware and other attacks. Take the time to issue training that addresses risky behavior, rather than pound regulatory content into your employees’ brains. You can also train employees to know the signs of a ransomware attack (or a demand for ransom based on exfiltration) and to report it immediately, following your organization’s incident response plan.
2. Implement and test “reasonable” security
Multiple state and federal laws require at least “reasonable” security and some, like New York’s SHIELD law and the newly enhanced Safeguards Rule from the Federal Commission, mandate specific measures including intrusion detection systems and multifactor authentication. Obviously, your organization should implement measures necessary to comply with law. However, continuous risk analysis and testing also is increasingly required by law (in addition to being a good idea). Your focus should therefore be not only on current-state compliance, but also on continuous improvement and justifying risk-based decisions about security implementation. If you take that view, your organization will be better situated to prevent or minimize the effect of a ransomware attack, as well as demonstrating compliance in the event of follow-on regulatory scrutiny. Measures recently outlined by CISA also are a good start.
3. Be ready for regulatory reviews
Speaking of regulators, a seemingly endless parade of agencies is keenly interested in ransomware. These include: DHS, DOJ, NSA, FBI, SEC, Treasury, Fin Cen, DOE, DHHS, and The White House, among others. You should be prepared to proactively report an incident to one or more of these agencies, depending on your legal obligations, and to respond to questions they may have about your response, including the nature of your security (see above).
4. Have an incident response plan
Your organization should already have a written incident response plan. It’s required by multiple data security laws, state and federal, and hard to argue your organization maintains “reasonable” security in the absence of such a plan. You should review the plan, particularly if it was drafted by your IT department without input from legal counsel. At minimum, there needs to be an appropriate point in the plan when legal counsel is included in the response. Because ransomware raises legal issues beyond the question of whether personal data was accessed, that trigger should not be limited to incidents that implicate personal data. And, of course, a “security incident” is not limited to a “personal data breach.” The communications protocols in your response plan should address the situation in which typical methods like email are inoperable. Importantly, copies of your plan should be stored such that a ransomware attack does not deprive you of access to it.
5. Consider a practice run and ask tough questions now
Not sure how well-prepared your business is to respond to ransomware? Find out. Not sure whether you should pay a ransom? Play out the factors now. Get the subject matter experts and decision makers in a room and do a practice run, asking hard questions as you go. Do you know whether it is legal to pay a ransom? Can you figure it out if the actor gives you a deadline of 24 hours? Is your organization willing or unwilling to pay criminals to avoid having your data published online?
A practice run can also surface gaps in your plans or preparedness. If more than half the team cannot articulate their role, or their description of their role does not align to your incident response plan, you will prefer to find out during a collaborative meeting than in the middle of a real attack. Does the plan address restoration of encrypted data, or only exfiltration? Does the plan identify third parties that may be necessary for support, like forensics, legal partners, and law enforcement? It only takes a few hours to run a table-top exercise, and you will almost certainly identify enhancements that will improve the timeliness and efficacy of your response.
6. Create data and system resilience
Obviously, one of the best steps you can take to minimize the impact of ransomware is to develop resilient systems, including data backups. Ideally, your organization has a business continuity plan. That plan would typically be based on a criticality assessment that identified your organization’s most business-critical systems and data. Back up and restoration plans would be tied to that criticality assessment, restoring operations in order of importance. That plan also should address emergency access. For example, if your communication systems are unavailable, the plan should address how your organization will operate while systems are restored. If your plan has not been adjusted to account for a ransomware attack, or if your business has not assessed whether it can and is willing to forgo a ransom payment for the duration necessary to get back up and running, those issues should be addressed with urgency.
7. Strong data governance, or at least limited retention
Of course, attackers cannot steal and publish data you don’t retain, so data minimization has long been a best practice when reducing the impact of a future data breach. Now, it’s also an emerging legal requirement as states roll out new, comprehensive privacy laws. This best practice also has the added fringe benefits of reducing the impact of legal holds, improving system performance, and decreasing storage costs. Improving data governance also should give your organization a clearer understanding of the types of data it uses and stores, where that data is located and, therefore, the security measures in place with respect to those repositories and whether they are appropriate. This same mapping process will also support your resilience efforts, discussed above.
8. Avoid encouraging the use of unstructured data
Speaking of good data governance: it can also help avoid or minimize unstructured data. Unstructured data resides in repositories that are not centrally managed or have no organizational system imposed on the content of the repository. Email is a classic example. Your organization’s email likely includes an array of sensitive information, none of it organized into any certain form that would allow you to quickly know the types of information affected by ransomware. Shared network drives are another common example. Unlike a database, which may have a specific purpose or data types organized in rows or columns, it is difficult to know exactly what was included in the account or drive when the repository has no real structure. When repositories that lack structure are subject to attack, it usually will be necessary to conduct a search of the entire content and produce a reasonably-organized inventory of affected information. (If you are wondering why that’s necessary, consider how you will know whether any personal or confidential information was affected in a shared network drive, and to whom that data pertains so that you can carry out legal notification directed to affected persons.)
Conducting an extensive review of impacted data in an unstructured repository, to build an inventory of who and what was affected, is time consuming and expensive. Our experience suggests it can account for half or more of the total cost of addressing notification obligations in a ransomware attack and can double the timeline for a complete response. If you can minimize or avoid maintaining unstructured data repositories, you will reduce cost and legal risk.
9. Work with experts, particularly when paying a ransom
If you expect to need outside support, you should arrange that now. Forensic experts, legal counsel, and ransom negotiators are all options, as are services that handle consumer protection enrollments, should that prove necessary. Particularly counsel and forensics should be lined up in advance, however, since your organization may want to assert legal privilege and get a sense of the impacts prior to directly addressing the ransom demand which will likely come with a ticking clock.
It is particularly important to engage with experts if you intend to consider paying a ransom, which the FBI discourages. In 2020, OFAC made clear that paying ransoms encourages further attacks and it would not hesitate to pursue sanctions in the event a victim or supporting services violate U.S. sanctions prohibitions by paying an actor identified on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). These sanctions can be imposed on a strict liability basis. More recently, OFAC reiterated that position and its application to parties facilitating payments, not only the party making the payment. OFAC directed its guidance not only to ransomware victims, but also the forensic and incident response organizations that assist in negotiations, financial institutions, and insurers. Due to this potential liability, it is appropriate to engage a service that can reliably advise whether the party engaging in the extortion has left any evidence or given any indication that would correlate to the SDN List. OFAC has designated numerous malicious cyber actors under its sanctions programs.
The risk of sanctions is significant, but not the only factor. You also should consider the actor’s history and veracity. Making a payment will do little good if the decryption tool is not provided (the actor ghosts you upon payment), the tool does not work or corrupts data, the actor comes back for a second payment, or the actor publishes data despite promises not to do so. An experienced negotiator will have some background information to help you judge the prospects and may be able to procure proof of decryption capabilities or data disposal post-payment.
You should also consult your insurance policy regarding reliance on expert support. Besides determining that it will cover a full ransomware response (it may not cover the ransom payment due to OFAC sanctions risk), you may want to assess whether you have a choice about the experts that will be assigned to your matter.
10. Be mindful of privilege
If you decide to procure a forensic investigation, be thoughtful about the engagement and the output. It is challenging to effectively assert legal privilege over these engagements, and your chances are reduced if your organization leverages an existing contract, including hiring a security consultant already on retainer for breach response. Instead, outside counsel should initiate a fresh engagement with a forensic provider. There are additional steps you can take to increase the chances a forensic report will be considered privileged, but you may also want to consider foregoing a written report in favor. Of course, if PCI DSS is implicated, you will need to participate in a review by a PCI forensic investigator (PFI), which will necessarily complicate a privileged argument. Privilege considerations (along with the potential regulatory request noted above) may motivate you to forgo a final report entirely, but these are all elements you can consider and tentatively plan for in advance of a ransomware attack.
Pursuing these steps will put your organization in a better position to respond to a ransomware attack, and hopefully bring some peace of mind even if the threat is never realized. Most of these steps also are relevant to incident response generally, regardless of the vector, and create opportunities for counsel to build expertise and relationships internally and externally that should be rewarding. And of course “Lead company preparations to engage in ransomware response” is not a bad addition to your resume or year-end review!
Author: Elizabeth Johnson, Attorney, Wyrick Robbins Yates & Ponton LLP
