Skip to main content
Top Button
Ransomware Risk is a Fact of Life—Preparation Is Key Ransomware Risk is a Fact of Life—Preparation Is Key

Ransomware Risk is a Fact of Life—Preparation Is Key

In the past six months, we have seen companies facing more frequent and complicated types of ransomware attacks, leading to lengthy business interruptions and, in many cases, irreparable losses to data and systems.

Remote working environments are opening up more opportunities for threat actors to compromise security, while ensuring that victim companies are more vulnerable to business interruption. Driven in part by the widespread availability of insurance coverage for this risk, ransom demands are increasing, often with the ransom demand reaching several millions of dollars. The likelihood of companies across various business sectors being targeted at the same time has also increased as more of these attacks are staged by groups offering ransomware-as-a-service that provides a scalable platform for large scale campaigns. The bad actors are often organized crime groups, and with the rise of remote work and concern regarding COVID-19, there are unfortunately more opportunities than ever for the bad actors to launch ransomware attacks.

Ransomware is primarily a type of malicious software through which criminals encrypt data on the victim’s network, resulting in disruptions of many or all IT systems unless the company is able to restore the system from backups or pays a ransom to receive the decryption keys from the criminal hacker. In addition to the traditional locking of files on a computer system, criminals using ransomware are now also attempting to exfiltrate sensitive data from victim’s network. This allows the bad actors to selectively leak some of the company’s information publicly, most often on Twitter. While the data exfiltration and being locked out of the computer system alone often puts enough pressure, this selective early leaking of data creates additional pressure and anxiety for the victim, with the goal to push for faster payment of the ransom.

Most ransomware attacks are initiated through phishing emails that may appear to come from a legitimate person or company the recipient would trust. For example, Ryuk (a well-known group of threat actors) recently was able to start with a simple phishing email and was able to compromise an entire domain with ransomware inside of five hours.[i] The speed of these attacks emphasizes the need for a clear incident response plan that can be initiated quickly and effectively. Another common method involves using misconfigured software that may permit the attacker to log into a network and pass themselves off as a system administrator, after which they begin encrypting network files as well as backups.

Reducing the risk of a successful ransomware attack requires a comprehensive approach involving technical measures, such as effective backups, effective up-to-date cyber-training for all users, an effective incident response plan that is well practiced, and having the resources— forensic and legal—ready to respond within hours of an incident. Incident response is also becoming more complex—whether dealing with law enforcement or the increased need to consider whether paying the ransom may create other liabilities for the victim company as government enforcers are cautioning that such payments could implicate risks around money laundering and sanctions, an issue we have previously noted (OFAC Makes Paying Ransoms to Cybercriminals Much Riskier).

If you have questions about how to mitigate ransomware risks or how to prepare internally for dealing with an incident response, please contact our Data Security and Privacy team. Guillermo Christensen, a partner in our Washington, D.C. office, has handled cyber-incidents including ransomware events and through his national security law practice, regularly deals with OFAC and other U.S. government agencies. As a former CIA intelligence officer and a diplomat with the Department of State, Guillermo has a broad perspective on the inner workings of the national security interagency process that deals with issues such as U.S. sanctions/OFAC, CFIUS and export controls. Guillermo has represented clients in both civil and criminal OFAC enforcement actions and has implemented OFAC compliance programs for U.S. and non-U.S. entities. Rachel Spiker is an associate in our Columbus, Ohio office, and she has handled and assisted in the incident response for several cyber-incidents including ransomware events, phishing campaigns, and business email compromise.

This publication is intended for general informational purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstance.
[i] The DFIR Report, Ryuk in 5 Hours, October 18, 2020,
View Full Site View Mobile Optimized