Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Guide to Surviving a Ransomware Attack

October 21, 2021

CFO Magazine, on October 19, published a summary article on surviving a ransomware attack.

Ransomware can cause a huge financial hit, a loss of data and time, and injury to a business's reputation. Handled well, the business may emerge almost unscathed. Handled poorly, the result may be disaster upon disaster.

1. Follow Your Incident Response Plan

It goes without saying that every business should have an Incident Response Plan (IRP), though many do not. The playbook should be well-prepared and rehearsed.

The gold/silver/bronze model standard in many business continuity plans is a good starting point, says Tom Rawlins, senior advisor at security consulting firm NCC Group. The executive or gold team focuses on setting the organization’s strategy and managing the response to stakeholders. The silver team of departmental heads focuses on ensuring the right tactics are used and that resources are available to the various operational (bronze) teams that deliver the response.

“This process is predicated on using the individual’s expertise to do what they do best and not interfering,” Rawlins says. “Leave the technical response to the bronze teams of security and IT, with support and guidance from the silver team, based on the strategy set by the gold team.”

As a member of the gold team, the chief financial officer is responsible for gauging the incident’s impact on the company’s finances and its long-term stability, Rawlins says. “The CFO will likely have personal stakeholder relationships that they manage, so they will probably be the point person to talk to the banks, major shareholders, and investors.”

The IRP “provides a defined set of step-by-step instructions to help staff detect, respond to, and recover from network security incidents,” says Jeffrey Wells, co-chair of the cybersecurity, data protection, and privacy team at law firm Clark Hill PLC.

A good IRP includes a roster of IT team members and trusted outside technology experts, as well as a cross-functional incident response team poised to respond when security is breached, Wells says.

This group is "charged with determining as quickly as possible what systems and hardware are affected by the ransomware attack," Wells says. A company with multiple locations should have each site conduct a similar triage. The team should determine whether backups still exist and are usable, and ascertain whether the attackers sent a ransom note.

Pay particular attention to the variant of ransomware involved. “Sometimes the ransom note will identify this, or the file extension used on encrypted files may provide information,” Wells says.

2. Identify and contain the source of the attack and fix the vulnerability.

Immediately following a ransomware incident, the IT or cybersecurity team must identify the root cause and then contain the attack.

Containment includes ensuring that the malware doesn't spread. "Ransomware must be contained before eradication and recovery, or there is a risk of having restored information contaminated," says Bruce Young, leader of cybersecurity operations and control management at Harrisburg University of Science and Technology.

That includes figuring out the method of attack, Young says. "Was it by a clicked link in a phishing email, a drive-by pop-up for a user to update their Adobe software, or a bad actor exploiting a vulnerability providing access to internal resources?"

The vulnerabilities that allowed the breach must be fixed so they cannot be exploited again.

As part of the recovery, compromised or encrypted data must be restored and verified in an environment known to be free from ransomware. “Verification includes ensuring that the backup copies of the data are not contaminated.”

3. Contact law enforcement and legal representatives.

An organization dealing with an attack should be in contact with law enforcement, such as the FBI’s Internet Crime Complaint Center (IC3) and the regional FBI office.

The FBI primarily collects information about the incident, but they can offer some level of guidance. They may offer advice about communications with the attackers and may know how to help determine the identity and location of the cybercriminals.

Businesses will want to involve their in-house lawyers, if they have them, and engage external data breach counsel. Counsel can help assess the situation and engage additional vendors, such as crisis communications providers and ransom negotiators, under attorney-client privilege. They will also offer compliance checks and other due diligence if a ransomware payment is made.

4. Decide whether to pay the ransom.

So, do you pay the ransom?

“Whether the ransom should be paid depends on the organization’s ability to recover from the impact of a ransomware attack,” says Harrisburg University’s Young.

“Ultimately, the executive management team, including the CFO, may determine the risk is high that systems and information cannot be recovered in an appropriate timeframe. Therefore they may decide to pay the ransom,” Young says.

But he says that if an organization has planned and implemented the necessary security measures to detect, prevent, and recover from ransomware attacks, paying the ransom should be avoided.

That advice, of course, does not address the separate decision of whether to pay a ransom when data has been exfiltrated.

5. Communicate news of the attack to other parties.

Victims of ransomware attacks may be obligated to inform interested parties and stakeholders. These include employees, customers, business partners, insurance companies, corporate legal representatives, members of the media, and the public.

Communications should be timely, and made before the cybercriminals or the media reveal a breach. Be careful what you say while the investigation is not complete.

A public relations spokesperson or senior executive usually communicates with the media, making sure that any information released is accurate.

6. Meet regulatory compliance obligations.

All organizations, especially those in financial services and health care sectors, must follow regulatory guidelines around cybersecurity incidents and data breaches.

“An experienced lawyer can help navigate not just the technical or even the compliance obligations, but can foresee potential legal, regulatory, and compliance risks,” Clark Hill’s Wells says.

Data or information stolen in the attack may trigger compliance obligations on an expedited timeline, Wells says. Often, the company has time to investigate before compliance deadlines are triggered. "However, there are circumstances [when] the company has to provide notice before completing an investigation."

This includes attacks that involve data or information subject to Defense Federal Acquisition Regulation Supplement (DFARS) regulations, New York State Department of Financial Services (NYDFS) regulations, or the European Union’s General Data Protection Regulation (GDPR).

Note well: Companies may have a contractual obligation to notify specific customers, partners, or vendors within a specified time frame.

7. Review what occurred before, during, and after the attack and make IRP and other changes as needed.

Review the detection and prevention security controls that failed to protect the organization. Meet with relevant vendors to determine possible causes. Was there a misconfiguration, a flaw in product functionality or design, or a failed detection mechanism?

Revise the IRP in light of lessons learned from the incident.

Hire an external forensic investigator instead of relying on the internal IT group; a neutral investigator is key. A good independent forensic investigative team will get to the bottom of what occurred and help improve the security of the company's IT infrastructure. Additionally, it will know how to collect and preserve evidence for possible future litigation.

A couple of excellent observations from our friend Dave Ries:

His FBI contacts have suggested contacting both the local FBI office and IC3, because it often takes time, sometimes days, to get local FBI agents actively involved.

He has had some incidents with Business Email Compromises (BEC) in which IC3 has notified banks to put a hold on wire transfers before a local agent has been involved.

Useful to keep those pointers in mind!

Hat tip to Dave Ries for pointing me to the underlying article.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson