Data Breach Watch: A General Counsel’s Guide to Preparing for and Managing a Ransomware Attack
Paying a ransom to access your computer files? Not as unusual as it sounds. The Department of Justice estimates that on average, more than 4,000 ransomware attacks occurred per day last year. And the problem is only getting worse. According to Beazley, a data breach response insurer, the number of ransomware attack claims the company received in 2016 was four times higher than 2015. This surge in ransomware attacks presents a serious, costly, and growing threat to businesses across all industries. Being educated on and prepared for such an attack is no longer an effort businesses can afford to sidestep.
What is Ransomware?
Ransomware, as its name suggests, is a type of malware that holds a computer or computer files "hostage" until a ransom is paid. Ransomware is often delivered through malicious links, websites, or attachments. Unbeknownst to users who click on these links, websites, or attachments, malicious ransomware code quickly and quietly infects their computers.
Common variants of ransomware are lock screen ransomware and encryption ransomware. Lock screen ransomware works by locking a user's computer screen, preventing the user from accessing his computer. After the system starts up, the computer screen will display a threatening message, purportedly from a government agency, stating that the user has committed an illegal act and must pay a fine to regain access to his computer. By contrast, encryption ransomware works by encrypting specific files—like Word documents and PDFs—rendering them inaccessible to anyone without the decryption password. In both instances, the message is clear: pay up, usually in a difficult-to-trace digital currency like Bitcoin, or you will never see your files again.
Responding to a Ransomware Attack
Should you give in? Well, that depends on a number of factors, including how badly you need access to your files. For businesses that have not taken preventative steps to back up their data, ransomware can have a debilitating impact on the company's operations. In February 2016, Hollywood Presbyterian Medical Center fell victim to a widely publicized ransomware attack that seized control of its computer systems. Faced with the inability to access the hospital's records, Hollywood Presbyterian forked over 40 bitcoin (approximately $17,000) to the hackers. Allen Stefanek, Hollywood Presbyterian's Chief Executive, concluded that "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key." Healthcare providers are attractive targets for ransomware attacks because, in many instances, the loss of electronic patient medical records can create substantial risk to patient health. At that point, paying the ransom becomes a virtual necessity.
In Hollywood Presbyterian's case, paying the ransom "paid off"—the hospital regained control over its computer system. However, paying the ransom does not guarantee that you will regain access to your computer or files. According to Kaspersky Lab's 2016 Consumer Security Risks Survey, approximately 36% of ransomware victims give in and pay the ransom, but 17% of those who pay never regain access to their files. Other times, after receiving the ransom payment, hackers demand even more money before providing the decryption key, or the victim regains access to its files only to be attacked again immediately.
As a general matter, the FBI does not support paying the ransom. Instead of paying up, the FBI recommends following these steps:
1. Immediately contact your local FBI or US Secret Service field office to report the ransomware attack.
2. Implement your security incident response or business continuity plan, as it's important to take the necessary steps to ensure that disruption to the company's business is kept at a minimum. This may include retaining data security professionals to investigate the incident, as well as consulting with legal counsel to identify whether the attack triggers any obligations under federal and state data breach and privacy notification laws. In an interview with Arnold & Porter Kaye Scholer, FBI Special Agent Ray Martinez stressed the importance of implementing and testing a business continuity plan: "Preparing for an unexpected event and actually practicing the recovery procedure, whether that be from a natural disaster or cyber threat, is a good way to determine what is business essential and what steps need to be taken to continue operations."
If you decide to pay up, Special Agent Martinez recommends verifying that the recovered data is not infected, then reimaging the system as soon as possible.
Can You Insure Against It?
Yes, ransomware attacks may be covered by your cyber insurance policy's "cyber extortion" coverage. Losses from ransomware attacks—including response assistance and any ransom paid to attackers—may be covered as cyber extortion-related costs. For coverage to kick in, some insurers may require that the policyholder first obtain their written consent before paying any ransom demand. And be mindful of policy deductibles. In a landscape where the average ransomware demand is less than $1,000, businesses with high policy deductibles may be stuck footing the entire bill. When in doubt, check with your insurer to verify your coverage.
Five Tips for Minimizing Risk
In any event, the best defense to ransomware is to prevent an attack, or minimize the harm an attack could have on your business. Five steps management can take to proactively mitigate the risk of ransomware attacks are:
1. Back up your data and store it in a secure place. In the event you become the victim of a ransomware attack, the backups will help mitigate the damage the attack will have on your business and may negate the need to pay the ransom altogether.
2. Patch your operating system, software, and firmware. Hackers exploit vulnerabilities, so don't make it easy on them by keeping your system out-of-date.
3. Train your employees. Make sure your employees understand what ransomware is so they can help protect the company's data. Employees should regularly back up their own data. They should also refrain from opening emails from unknown senders or downloading suspicious attachments.
4. Refresh your business continuity plan. With ransomware attacks on the rise, your business should have a plan in place to keep operations running while responding to the crisis.
5. Review the US Health and Human Services Office for Civil Rights Fact Sheet on Ransomware. Even if you are not in the healthcare industry, this fact sheet, available here, provides guidance on how the implementation of certain security measures can help prevent ransomware infections and help maintain business continuity.
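The first and fourth tips, together with Special Agent Martinez's advice to actually practice the recovery procedure, come down to one question: can you prove that a restored copy of your data is complete and untouched? The script below is an added illustration, not code from Arnold & Porter Kaye Scholer or from any guidance cited above. It records a SHA-256 manifest when a backup is taken and then checks a restored tree against that manifest, flagging files that are missing, renamed, or whose contents changed (as they would after encryption). The directory layout, file names, and file contents are constructed for the demonstration.

```python
"""Backup manifest creation and restore-drill verification (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(src: Path, dest: Path) -> dict:
    """Copy the source tree into dest/data and write dest/manifest.json."""
    shutil.copytree(src, dest / "data")
    manifest = build_manifest(src)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def load_manifest(backup: Path) -> dict:
    return json.loads((backup / "manifest.json").read_text())


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest and classify every discrepancy."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))          # gone or renamed
    unexpected = sorted(set(current) - set(manifest))       # not in the backup
    modified = sorted(
        name for name in manifest
        if name in current and current[name] != manifest[name]
    )                                                       # contents changed
    return {
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
        "ok": not (missing or unexpected or modified),
    }


def run_drill() -> tuple:
    """Run two restore drills on constructed sample data.

    Returns (clean_result, tampered_result): the first restore is a faithful
    copy, the second has one file overwritten and one renamed, mimicking what
    an encryption ransomware infection leaves behind.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "records"                       # constructed sample data
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "chart.txt").write_text("sample patient chart")
        (src / "policy.pdf").write_bytes(b"%PDF-1.4 constructed sample")

        backup = root / "backup"
        take_backup(src, backup)
        manifest = load_manifest(backup)

        # Drill 1: restore from the backup and verify it matches the manifest.
        restored = root / "restored"
        shutil.copytree(backup / "data", restored)
        clean = verify_restore(restored, manifest)

        # Drill 2: simulate post-restore damage, then verify again.
        (restored / "policy.pdf").write_bytes(b"\x00\x00 unreadable ciphertext")
        (restored / "patients" / "chart.txt").rename(
            restored / "patients" / "chart.txt.locked"
        )
        tampered = verify_restore(restored, manifest)

    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = run_drill()
    print("clean restore ok:", clean_result["ok"])
    print("tampered restore:", tampered_result)
```

The manifest should be stored with the backup and, ideally, a second copy kept offline, so that an attacker who reaches the backup location cannot quietly rewrite both the data and the checksums used to validate it. Running a drill like this on a schedule turns "we have backups" into "we have verified we can restore."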