Skip to content

ChannelsContributorsSubscribe
LexBlog, Inc. logo
LexBlog, Inc. logo
AboutProductsJoin
Search
Close

A Closer Look: Practical Tips to Managing a Ransomware Attack Part 2

By Andrew Konia, Meaghan K. Pedati & Lorna J. Tang
November 4, 2016
EmailTweetLikeLinkedIn

Part 1 of this two-part series outlined the mechanics and dangers of ransomware. In Part 2, this post will examine what steps to take, or not to take, during and after a ransomware attack.

“We’ve Been Hit – Now What?”

Bill Hardin of Charles River Associates, one of the panelists at the September FTC fall technology conference on ransomware, introduced an easy to remember acronym for guiding ransomware response strategies: “CPR” – contain, preserve, remediate.

  • Contain – As soon as you have determined that your device is infected, immediately unplug infected device from the network, turn off wireless capabilities, disrupt connection to the network, and shut down the agent. If this occurs at a service provider’s location, the service provider should run programs to detect and sever the connection. Create and maintain an incident response plan and train all your employees on the plan.
  • Preserve – The FBI representative on the panel highly recommends that the organization preserve the evidence, and report the ransomware attack to its local FBI law enforcement office or online at the FBI Internet Crime Complaint Center (at www.ic3.gov). The FBI conducts joint investigations with numerous countries to try to identify and shut down these attackers. While the FBI may not be able to resolve the current situation, the more information the FBI has, the better they will be able to potentially disrupt the criminal hierarchy and prevent future attacks.
  • Remediate – At this point, once your data is held for ransom, there are not many alternatives available to you. You can pay the ransom, try to negotiate a reduced ransom payment, or not pay the ransom. The FBI discourages the payment of any ransom. The Bureau believes that “success breeds success” and paying a ransom will encourage those bad actors to keep at it so long as there is a profit to be made.

To Pay or Not to Pay, That is the Question

The FBI recommends that companies not pay the ransom. However, in reality, if the information is critical and there are no backups, companies may be tempted to pay the ransom. The attackers know the sweet spot and have priced the ransom accordingly – a small sum of a few hundred or thousand dollars versus the cost of company down time, lost data, productivity, and general network shut down in addition to bad publicity. But beware when paying a ransom!  There are pitfalls – these attackers are not model citizens.

  • First, do not expect that your data will be returned even if the ransom is paid. Less than 80% of decryption keys are returned to victims that paid.
  • Second, beware of the bait and switch, where once you agree to pay the agreed upon price, the attacker then raises the ransom amount.
  • Third, beware of any links provided by the attacker for you to purchase Bitcoins, as that link may be programmed to harvest additional information from you – to be used against you at a later date or to sell to other organizations to attack you again. If possible, purchase the Bitcoins from a reputable place – some sources are sketchy, and purchasing from them may lead you to provide additional information that can subject you/your organization to further malware.
  • Fourth, by demonstrating a willingness to pay, you increase your risk of being a target of future attacks.
  • Finally, if possible, communicate with the attacker via an anonymous account or an intermediary.

Some organizations may not be in a position to pay the requested ransom amount and may be tempted to negotiate more favorable pricing. One panelist indicated that on average, negotiations may lower the ransom demand by approximately 29%. However, a willingness to negotiate tells the attacker that you have no data backup and he/she may try to take further advantage of the situation.

Mitigating the Damage

Correctly managing the aftermath of a ransomware attack is critical to protecting your customer and navigating liability. Ransomware attacks can affect different industries differently (Click here for a closer look at how ransomware affects the healthcare industry.)  But, regardless of industry, security and communication will be key in the wake of an attack.  Some things to consider include:

  • Be prepared to determine if, and to what extent, you want law enforcement involved. Establishing relationships with law enforcement officials before an attack can help restore your business after an attack.
  • Be ready to respond to customer questions with facts – do not speculate.
  • Be sure your information governance program identifies what data you have and where it is stored, so you know what data is at risk.
  • Have an incident response team and plan in place– internally and externally.
  • If your service was disrupted, be sure to restore service first, then do a forensic search later. Most importantly, don’t repeat poor behavior – if the attack was a result of a phishing email, be sure that email is flagged so other employees do not click on it.
Photo of Andrew Konia Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace.

Read more about Andrew Konia
Photo of Meaghan K. Pedati Meaghan K. Pedati

Meaghan helps her clients navigate international, federal and state privacy and cybersecurity laws so that they may successfully manage risk and accomplish their business goals.  She continues to utilize her experience at the FTC and FCC to counsel and advise clients on best…

Meaghan helps her clients navigate international, federal and state privacy and cybersecurity laws so that they may successfully manage risk and accomplish their business goals.  She continues to utilize her experience at the FTC and FCC to counsel and advise clients on best practices. Specifically, she advises clients on the New York DFS Cybersecurity Regulation, the GDPR, and NIST. She is a member of the firm’s Data Privacy and Security industry team and serves as an editor of the Password Protected blog.

Read more about Meaghan K. Pedati
Show more Show less
Photo of Lorna J. Tang Lorna J. Tang

Lorna’s practice focuses on a variety of corporate transactions, including mergers and acquisitions via asset sale or stock sale, technology, outsourcing and general services transactions. She regularly reviews, drafts, analyzes and/or negotiates various contracts, including technology licensing agreements, asset purchase agreements, stock purchase…

Lorna’s practice focuses on a variety of corporate transactions, including mergers and acquisitions via asset sale or stock sale, technology, outsourcing and general services transactions. She regularly reviews, drafts, analyzes and/or negotiates various contracts, including technology licensing agreements, asset purchase agreements, stock purchase agreements and ancillary acquisition documents, assignment agreements, intellectual property security agreements, hosting and software agreements, government contracts and subcontracts, and supply and other technology agreements.

Read more about Lorna J. Tang
Show more Show less
  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP
  • Article: View Original Source

Stay Connected

Facebook LinkedIn Twitter RSS
Publishing Solutions
Real Lawyers

Company

  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service

Support

  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status

New to the Network

  • Employment Law Matters
  • Food & Drug Law Access
  • Michigan Employment Law Advisor
  • Broker- Dealer Law Corner
  • Real Estate Advisor Law Blog
Copyright © 2019, LexBlog, Inc. All Rights Reserved.
Powered By LexBlog