A Closer Look: Practical Tips to Managing a Ransomware Attack Part 2

By Andrew Konia & Lorna J. Tang on November 4, 2016

Part 1 of this two-part series outlined the mechanics and dangers of ransomware. Part 2 examines what steps to take, or not to take, during and after a ransomware attack.

“We’ve Been Hit – Now What?”

Bill Hardin of Charles River Associates, one of the panelists at the September FTC fall technology conference on ransomware, introduced an easy-to-remember acronym for guiding ransomware response strategies: “CPR” – contain, preserve, remediate.

  • Contain – As soon as you have determined that your device is infected, immediately unplug the infected device from the network, turn off wireless capabilities, disrupt connection to the network, and shut down the agent. If this occurs at a service provider’s location, the service provider should run programs to detect and sever the connection. Create and maintain an incident response plan and train all your employees on the plan.
  • Preserve – The FBI representative on the panel highly recommends that the organization preserve the evidence, and report the ransomware attack to its local FBI law enforcement office or online at the FBI Internet Crime Complaint Center (at www.ic3.gov). The FBI conducts joint investigations with numerous countries to try to identify and shut down these attackers. While the FBI may not be able to resolve the current situation, the more information the FBI has, the better they will be able to potentially disrupt the criminal hierarchy and prevent future attacks.
  • Remediate – At this point, once your data is held for ransom, there are not many alternatives available to you. You can pay the ransom, try to negotiate a reduced ransom payment, or not pay the ransom. The FBI discourages the payment of any ransom. The Bureau believes that “success breeds success” and paying a ransom will encourage those bad actors to keep at it so long as there is a profit to be made.

To Pay or Not to Pay, That is the Question

The FBI recommends that companies not pay the ransom. However, in reality, if the information is critical and there are no backups, companies may be tempted to pay the ransom. The attackers know the sweet spot and have priced the ransom accordingly – a small sum of a few hundred or thousand dollars versus the cost of company downtime, lost data, lost productivity, and general network shutdown, in addition to bad publicity. But beware when paying a ransom! There are pitfalls – these attackers are not model citizens.

  • First, do not expect that your data will be returned even if the ransom is paid. Fewer than 80% of decryption keys are returned to victims that paid.
  • Second, beware of the bait and switch, where once you agree to pay the agreed-upon price, the attacker then raises the ransom amount.
  • Third, beware of any links provided by the attacker for you to purchase Bitcoins, as that link may be programmed to harvest additional information from you – to be used against you at a later date or to sell to other organizations to attack you again. If possible, purchase the Bitcoins from a reputable place – some sources are sketchy, and purchasing from them may lead you to provide additional information that can subject you/your organization to further malware.
  • Fourth, by demonstrating a willingness to pay, you increase your risk of being a target of future attacks.
  • Finally, if possible, communicate with the attacker via an anonymous account or an intermediary.

Some organizations may not be in a position to pay the requested ransom amount and may be tempted to negotiate more favorable pricing. One panelist indicated that on average, negotiations may lower the ransom demand by approximately 29%. However, a willingness to negotiate tells the attacker that you have no data backup and he/she may try to take further advantage of the situation.

Mitigating the Damage

Correctly managing the aftermath of a ransomware attack is critical to protecting your customers and navigating liability. Ransomware attacks can affect different industries differently. (Click here for a closer look at how ransomware affects the healthcare industry.) But, regardless of industry, security and communication will be key in the wake of an attack. Some things to consider include:

  • Be prepared to determine if, and to what extent, you want law enforcement involved. Establishing relationships with law enforcement officials before an attack can help restore your business after an attack.
  • Be ready to respond to customer questions with facts – do not speculate.
  • Be sure your information governance program identifies what data you have and where it is stored, so you know what data is at risk.
  • Have an incident response team and plan in place – internally and externally.
  • If your service was disrupted, be sure to restore service first, then do a forensic search later. Most importantly, don’t repeat poor behavior – if the attack was a result of a phishing email, be sure that email is flagged so other employees do not click on it.

Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace.

Lorna J. Tang

Lorna’s practice focuses on a variety of corporate transactions, including mergers and acquisitions via asset sale or stock sale, technology, outsourcing and general services transactions. She regularly reviews, drafts, analyzes and/or negotiates various contracts, including technology licensing agreements, asset purchase agreements, stock purchase agreements and ancillary acquisition documents, assignment agreements, intellectual property security agreements, hosting and software agreements, government contracts and subcontracts, and supply and other technology agreements.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP