How to respond to a ransomware attack

01 September 2017

In this month’s edition JLT Cyber Consortium Partner Norton Rose Fulbright discuss the key ransomware considerations companies should address in light of the growing frequency and severity of these attacks.

Initial Response

Depending on the particular circumstances of the attack, companies may need to determine: 

  • Scope/root-cause: How did the attack occur? Was this a scattershot attack, such as via a malicious email attachment or link, or was the attack initiated from within the company’s network? What vulnerabilities exist or existed on the systems to allow the attack to take place? 
  • Functionality: What are the capabilities of the malware? Does this ransomware simply encrypt data in an automated fashion or does it have the ability to remove data from the environment? Are there any additional “payloads” or other functionality that might permit broader impact or additional risks to the organization?
  • Impact: Can we confirm that the attackers no longer have access to the environment? What type of data has been affected and what is the impact on the company’s operations, reputation and/or legal obligations? 
  • Cyber insurance resources: Does the company have a cyber insurance policy covering cyber extortion, business interruption and/ or ransomware response? Does the company’s insurer require pre-approval of vendors? Are there additional resources available through a cyber insurer to help respond to a ransomware attack? If a victim of cyber attack has a Cyber Insurance policy in place, they should contact their Broker and Insurer immediately to initiate the data incident response team. A victim of a ransomware attack should never pay the ransom without first conferring with their insurance broker and Insurer.

Containment, Remediation and Restoration

Once the attack is understood, the next step involves preventing further infection and getting the company back up and running. Important considerations in this phase of the response include: 

  • Containment: Has the company confirmed that the ransomware is not still actively encrypting files? Can affected machines be disconnected from the network to prevent further infection without further disrupting operations?
  • Remediating vulnerabilities: Has the initial attack vector been identified and corrected? Can the company confirm that the attackers no longer have access to the environment and cannot return? 
  • Evaluating backups: Are backups available and usable? Are the backups complete or are there any gaps in backups? What is the process and timeline for restoring from backups? 
  • Data preservation: Have forensic images been taken of machines prior to restoring them from backup? Has a live copy of the ransomware been preserved offline for further analysis? 

Paying the ransom 

Unfortunately, victims of these attacks often find that the most expeditious (and perhaps the only) means to restore or recover files is to engage and pay the ransomware attackers for the decryption key. This is particularly true when backups either don’t exist or have been encrypted. Before paying the ransom, companies should consider: 

  • Communications: How can the organization communicate with the attacker? Would a third party vendor experienced in ransomware response (such as a forensic firm or consultant) be better suited to reach out to the attacker?
  • Timing: Is there a deadline by which to respond? Are there any consequences for not meeting the deadline? Can the deadline be extended? Are critical business functions down? 
  • Bitcoin logistics: What is required to obtain the requisite amount of bitcoin? Is there a bitcoin broker or third party with a bitcoin wallet that can assist? What is the cost and process for doing so? 
  • Risks: Will the company become a greater target because they have paid one ransom? Is there a way to determine whether the attackers will follow through and provide the decryption key once the ransom is paid? Is there a way to ensure the attacker will not just turn around and demand more money? 
  • Decryption: What is the process for decrypting the data once the decryption key is provided? Is there a process to get assistance if the decryption key doesn’t work? Can we be certain that the decryption key or process doesn’t contain any malicious capabilities? 

Legal considerations 

Finally, a ransomware attack could impose legal obligations on the organization or implicate other legal issues. 

  • Notification obligations: Could the attack trigger notification obligations to domestic or foreign individuals, regulators and/or data protection authorities? 
  • Profiling the attacker: Is the attacker possibly a foreign nation state or political group? Could the ransom payment be deemed a business dealing with someone on a government-prohibited list of foreign nationals or persons?
  • Law enforcement: Is it necessary or advisable to communicate with law enforcement?
  • Securities regulations and disclosures: Does the company issue securities or is it publicly traded? Does the incident pose a material financial risk to the company, or could it have a material financial impact such that it may be necessary to make certain cyber-related disclosures in the companies’ financial statements to regulators or to investors under the applicable regulations? 
  • Litigation/regulatory risk: Could the incident result in regulatory action and/or individual, class action or shareholder and director suits based upon allegations of having failed to maintain up to date security on their systems and/or failure to disclose the resulting risks? 

Ultimately, many of the important considerations outlined here are very fact-dependent and the appropriate response will depend largely on the circumstances of a particular incident. While these events can be intimidating and stressful, by employing a thorough and measured approach and taking advantage of external resources to assist, many companies have successfully responded to these incidents and minimised the potential business impact. By taking out a cyber insurance policy you will have access to a pre-agreed panel of vendors who can expertly steer you through a ransomware attack.

For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.