Ransomware attacks are on the rise. Prevention alone isn’t the answer — your plan must quickly detect, contain and recover.
Cybercriminals trying to exploit the fears and uncertainties during times of global crisis have produced a surge of email phishing scams, which the International Criminal Police Organization (INTERPOL) says is the main way ransomware is spread around the globe.
All it takes is for one person to click on a link in a fraudulent email for malware to spread through an organization’s network in a matter of minutes, encrypting critical data. Before long, the organization is unable to access its vital files and systems until it pays off the criminals to obtain a decryption key or finds another way to recover its data. Despite the rise in attacks, there are many measures organizations can take to reduce the success rate of attack attempts.
Build employee awareness
Educating employees on the growing threat of ransomware and the organization’s security protocols is the first line of defense. A global 2020 survey by Proofpoint found fewer than one-third of working adults could explain the term “ransomware.” [1]
Employees should be given guidance on how to detect suspicious emails and promptly bring them to the organization’s attention. Education should also cover a broad range of scenarios for how ransomware can be spread. It’s important that remote workers understand that a lack of precaution can let attackers use tools such as Remote Desktop Protocol (RDP) to penetrate an organization’s network and carry out a ransomware attack. A user can unknowingly visit an infected website from which malware is downloaded, or fall prey to malware disguised as legitimate software.
Marshal an array of defenses
Backing up data is critical to defending against ransomware, but many organizations store backup data on the same network they use day to day. This allows an attacker to encrypt the backups just as easily as the files on the company’s production systems. To keep backups safe, they must be placed either on a segregated network or offline.
For example, following a spate of attacks against hospitals, many now regularly put backups of critical systems offline. This allows a hospital to access essential data if the main network is shut down. However, even if an organization protects its backup data, it can take days or even weeks to restore systems.
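The two backup principles above (keep a copy the production network cannot reach, and confirm a copy is intact before relying on it) are easier to see in working code. The following is an added example written for this article, not code from the authors: it takes a backup of a constructed production tree into an "online" copy and a segregated "offline" copy, records a SHA-256 manifest for each in a separate manifest store, simulates an intruder corrupting production and the reachable online copy, and shows that only the offline copy verifies clean and is allowed to be restored. All directory names, file names and file contents are constructed inside a temporary directory; the manifest store being out of the backup host's reach is an assumption, not something the code enforces.

```python
"""Backup integrity check with a detached hash manifest.

Added example, not code from the article: shows why a backup copy kept on a
segregated or offline store survives an intruder who can reach the production
network, and how a manifest of file hashes lets a responder confirm a copy is
intact before restoring from it. Paths, file names and file contents below are
constructed inside a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, dest: Path, manifest_store: Path) -> dict:
    """Copy the source tree to dest and write its manifest to manifest_store.

    The manifest must live somewhere the backup host itself cannot overwrite;
    otherwise an intruder can re-hash the encrypted files and the check passes.
    Here that is simply a separate directory (constructed assumption)."""
    shutil.copytree(source, dest)
    manifest = build_manifest(dest)
    manifest_store.mkdir(parents=True, exist_ok=True)
    (manifest_store / f"{dest.name}.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(copy: Path, manifest: dict) -> dict:
    """Compare a backup copy against its manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}; empty
    lists under all three keys mean the copy is byte-for-byte what was backed up."""
    current = build_manifest(copy)
    return {
        "modified": sorted(r for r, d in manifest.items() if r in current and current[r] != d),
        "missing": sorted(r for r in manifest if r not in current),
        "unexpected": sorted(r for r in current if r not in manifest),
    }


def restore_if_intact(copy: Path, manifest: dict, target: Path) -> bool:
    """Restore only from a copy that verifies clean; refuse otherwise."""
    if any(verify_backup(copy, manifest).values()):
        return False
    shutil.copytree(copy, target)
    return True


def corrupt(path: Path) -> None:
    """Constructed stand-in for a file an intruder has overwritten or encrypted."""
    path.write_bytes(os.urandom(32))


def demo() -> dict:
    """Run the scenario end to end in a temp dir and report what the checks found."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod = base / "production"
        (prod / "reports").mkdir(parents=True)
        (prod / "reports" / "q1.txt").write_text("quarterly figures (constructed)")
        (prod / "inventory.csv").write_text("sku,qty\nA1,10\n")
        manifests = base / "manifest_store"

        # Copy 1 sits on the same network as production, so anything that can
        # reach production can reach it too.
        online = base / "online_backup"
        online_manifest = take_backup(prod, online, manifests)
        # Copy 2 models the segregated / offline store: nothing on the production
        # network has a path to it once the copy has been taken.
        offline = base / "offline_backup"
        offline_manifest = take_backup(prod, offline, manifests)

        # Intruder activity reaches production and the online copy but not the
        # offline one (constructed tampering, not a malware sample).
        corrupt(prod / "reports" / "q1.txt")
        corrupt(online / "reports" / "q1.txt")
        (online / "inventory.csv").unlink()

        restored = base / "restored"
        return {
            "online": verify_backup(online, online_manifest),
            "offline": verify_backup(offline, offline_manifest),
            "restore_from_online": restore_if_intact(online, online_manifest, restored),
            "restore_from_offline": restore_if_intact(offline, offline_manifest, restored),
            "restored_matches": build_manifest(restored) == offline_manifest,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the block prints the verification report: the online copy shows `reports/q1.txt` as modified and `inventory.csv` as missing and is refused for restore, while the offline copy verifies clean and restores to a tree whose manifest matches what was backed up. The design point is that the manifest, not just the copy, has to be unreachable from the compromised network; a manifest stored beside a reachable backup can be rewritten along with the files it describes.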
Good cybersecurity hygiene also includes patch management, hardened configurations and ongoing detection enabled by threat intelligence. It’s also important to apply software updates for browsers and plug-ins as soon as they are released. Encrypting sensitive information is another way to defend against cybercriminals who threaten to release information publicly if a ransom isn’t paid.
Organizations should also engage neutral third parties to conduct regular audits of their preventative measures against ransomware and other cyber breaches. Cybersecurity insurance is becoming increasingly common. However, it is not a substitute for good security — insurers can refuse to pay claims if organizations fail to use appropriate security procedures or fail to disclose that they lack them.
Responding to a ransomware attack
Many organizations are putting more emphasis on quick detection and containment. Every organization should have an incident response and recovery plan that is regularly assessed and refreshed. Be sure to include all appropriate stakeholders, such as information technology, information security, legal, compliance, human resources, operations and communications. Response plans should clearly define responsibilities and enable stakeholders to lead effectively in crisis.
Legal counsel should be engaged the moment an attack is discovered. Counsel can advise on conducting the investigation in a manner that will stand up to scrutiny in the organization’s operating jurisdiction(s) and staying compliant with the relevant notification requirements of data protection and privacy regulations. Retaining outside counsel allows an organization to maintain privilege if the breach leads to litigation.
Unique considerations in a ransomware attack response
Responding to a cyber breach usually includes four parallel activities: investigation, containment, eradication and recovery. These activities are generally the same regardless of the type of attack. However, there are unique considerations when dealing with ransomware.
Evidence collection for investigation needs to focus on how the attackers entered the environment, how malware was utilized, the potential path the attackers traveled and what data was taken or encrypted, if any. Bitcoin wallets provided in the ransom note and communications with the attackers need to be carefully documented as they are important for containment, eradication and recovery stages.
Victimized organizations should conduct investigations beyond the systems known to be affected. Frequently, other malware or dormant ransomware is found hidden in parts of the environment that did not appear to be impacted. Making sure that all malware in the network is eliminated is critical.
Regulatory notification expectations
Some jurisdictions define ransomware infections as a cyber breach triggering regulatory and statutory notification requirements. Knowing which geographies are impacted will help organizations enact the appropriate procedures. US health care providers regulated by the Health Insurance Portability and Accountability Act must report a ransomware attack as a security incident, and covered organizations must implement security measures to help prevent ransomware, such as backing up data.
Organizations also need to understand if personally identifiable information is affected and, if so, how it is affected. In the event of a potential breach, it’s critical to consult with legal counsel on whether it should be considered loss of data and subject to notification requirements by relevant data protection and privacy regulations or laws (e.g., the EU’s General Data Protection Regulation).
Legal and regulatory concerns about paying ransom
Unlike other cyber breaches, there is typically one simple way to stop the attack and decrypt files — pay the ransom demanded. Besides the obvious ethical dilemma, the decision to pay off a criminal has many legal implications.
Throughout the world, law enforcement advises against paying ransom. The US Federal Bureau of Investigation shares decryption keys for some common types of malware. The No More Ransom website, which is supported by European police agencies, also shares decryption keys and offers ways to report attacks to law enforcement agencies around the world. A 2020 Proofpoint survey found that 29% of organizations never regained access to their data after paying ransom. [1]
Businesses should also be aware that hiring an outside service to recover data after an attack could result in a ransom being paid without their knowledge. A ProPublica investigation found two US firms that offered to unlock victims’ data with their own recovery methods actually paid ransom money to secure decryption tools. If the organization engages an external resource to aid in recovery, it should be vetted carefully and explicitly asked whether a ransom will be paid. [2]
A plan for moving forward
Risk can be mitigated both through preventative measures and by moving quickly to detect and contain successful breaches. But prevention alone isn’t the answer. An organization’s ability to quickly detect, contain and recover from ransomware attacks will determine its continuity of operations and the size of its economic losses.
Legal and compliance professionals can aid their organizations by understanding the potential regulatory and legal issues resulting from a ransomware attack. IT professionals aren’t the only ones who need to develop an effective response strategy for these often-crippling attacks — every stakeholder with a role to play in mitigating risk should do the same.