How to Prepare for Ransomware Risk
In the past year, we have seen companies facing more frequent and complicated types of ransomware attacks and emerging cyber-threats, leading to lengthy business interruptions and, in many cases, irreparable losses to data and systems.
In what ways has COVID-19 impacted ransomware attacks?
In just a year, the COVID-19 pandemic has sped up the adoption of new digital technology by several years. While this has led to new innovations and technical improvements, it has also resulted in increased digital exposure and risk. Remote working environments are opening up more opportunities for threat actors to compromise security, while making victim companies more vulnerable to business interruption. Businesses are storing more information digitally than ever before, which keeps their operations efficient but also opens them up to new threats in the realm of data security and privacy. Driven in part by the widespread availability of insurance coverage for this risk, ransom demands are increasing, often reaching several million dollars. Cryptocurrencies such as bitcoin allow criminals to solicit ransom payments easily. The likelihood of companies across various business sectors being targeted at the same time has also increased as more of these attacks are staged by groups offering ransomware-as-a-service, which provides a scalable platform for large-scale campaigns. The bad actors are often organized crime groups, and with the rise of remote work and the increased digital exposure brought on by COVID-19, there are unfortunately more opportunities than ever for them to launch ransomware attacks.
What exactly is ransomware?
Understanding ransomware is a great first step in minimizing your exposure. Ransomware is primarily a type of malicious software through which criminals encrypt data on the victim’s network, disrupting many or all IT systems unless the company is able to restore the systems from backups or pays a ransom to receive the decryption keys from the criminal hacker. In addition to the traditional locking of files on a computer system, criminals using ransomware are now also attempting to exfiltrate sensitive data from the victim’s network. This allows the bad actors to selectively leak some of the company’s information publicly, most often on Twitter. While the data exfiltration and being locked out of the computer system alone often put enough pressure on the victim, this selective early leaking of data creates additional pressure and anxiety, with the goal of pushing for faster payment of the ransom. Leaked data creates cyber-liability risk for companies, as sensitive information can be shared with the public, putting customers’ personal information into the public sphere.
How do ransomware attacks occur?
Most ransomware attacks are initiated through phishing emails that may appear to come from a legitimate person or company the recipient would trust. Cyber-criminals will typically alter a letter or number in a coworker’s email address to make victims believe they are dealing with someone from their own company. For example, Ryuk (a well-known group of threat actors) recently started with a simple phishing email and compromised an entire domain with ransomware inside of five hours.[i] The speed of these attacks emphasizes the need for a clear incident response plan that can be initiated quickly and effectively. Another common method involves exploiting misconfigured software that may permit the attacker to log into a network and pass themselves off as a system administrator, after which they begin encrypting network files as well as backups.
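The altered-letter trick described above (a coworker’s address with one character swapped) can be caught mechanically before a recipient has to notice it. The following script is an added example for illustration, not code from the original alert or its authors: it normalizes the sender domain of each message (folding look-alike characters such as the digit 1 for the letter l), measures the edit distance to the organization’s own domains, and flags near misses as lookalikes. The TRUSTED_DOMAINS list holds placeholder domains, and the sample From: headers are constructed for the demonstration.

```python
"""Flag sender domains that closely resemble, but are not, a trusted domain.
Example code added for illustration; TRUSTED_DOMAINS and the sample headers
are constructed placeholders, not data from the original article."""

import re
from dataclasses import dataclass

# Hypothetical list of the organization's own email domains (placeholder values).
TRUSTED_DOMAINS = {"example-law.com", "examplelaw.com"}

# Character swaps attackers use because they look alike in common fonts.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold visually similar substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


@dataclass
class Verdict:
    domain: str
    status: str    # "trusted", "lookalike" or "external"
    closest: str   # nearest trusted domain, for the analyst's reference


def classify_sender(from_header: str, max_distance: int = 2) -> Verdict:
    """Exact matches pass; domains within max_distance edits of a trusted
    domain (after confusable folding) are lookalikes; the rest are external."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return Verdict(domain, "trusted", domain)
    folded = normalize(domain)
    best = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(folded, normalize(t)))
    if edit_distance(folded, normalize(best)) <= max_distance:
        return Verdict(domain, "lookalike", best)
    return Verdict(domain, "external", best)


# Constructed sample headers: one legitimate, two lookalikes, one ordinary vendor.
SAMPLE_HEADERS = [
    "Accounting <ap@example-law.com>",
    "Accounts Payable <ap@examp1e-law.com>",   # digit 1 in place of the letter l
    "IT Helpdesk <help@example-law.co>",        # trailing character dropped
    "Newsletter <news@some-vendor.net>",
]


def scan(headers=SAMPLE_HEADERS):
    """Classify every header; returns the list of verdicts for review or alerting."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for v in scan():
        print(f"{v.status:9} {v.domain:22} closest trusted: {v.closest}")
```

In a mail gateway this check would run on the envelope sender and the visible From: header, and a "lookalike" verdict would route the message to quarantine or add a banner rather than reject it outright, since a small edit distance can also be a vendor’s legitimate domain.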
How does my business prevent ransomware attacks?
Reducing the risk of a successful ransomware attack requires a comprehensive approach involving the following measures: effective backups, effective and up-to-date cyber-training for all users, an effective incident response plan that is well practiced, and having the resources—forensic and legal—ready to respond within hours of an incident. Incident response is also becoming more complex, whether dealing with law enforcement or the increased need to consider whether paying the ransom may create other liabilities for the victim company, as government enforcers are cautioning that such payments could implicate risks around money laundering and sanctions, an issue we have previously noted (OFAC Makes Paying Ransoms to Cybercriminals Much Riskier).
If you have questions about how to mitigate ransomware risks or how to prepare internally for dealing with an incident response, our Data Security and Privacy team is ready to help you.
Guillermo Christensen, a partner in our Washington, D.C. office, has handled cyber-incidents including ransomware events and through his national security law practice, regularly deals with OFAC and other U.S. government agencies. As a former CIA intelligence officer and a diplomat with the Department of State, Guillermo has a broad perspective on the inner workings of the national security interagency process that deals with issues such as U.S. sanctions/OFAC, CFIUS and export controls. Guillermo has represented clients in both civil and criminal OFAC enforcement actions and has implemented OFAC compliance programs for U.S. and non-U.S. entities.
Rachel Spiker is an associate in our Columbus, Ohio office, and she has handled and assisted in the incident response for several cyber-incidents including ransomware events, phishing campaigns, and business email compromise.
This publication is intended for general informational purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstance.