Last week, Fish hosted a cybersecurity panel session at our L.E.A.D. retreat in Dallas. We discussed the need for a full-spectrum cybersecurity risk assessment and plan, and during the course of the presentation, we touched on some of the trending cyberattacks that are causing headaches for companies from all sectors and stripes. One type of attack we discussed in particular was ransomware, which has seen a sharp spike over the past year.
Ransomware is a type of malware that functions exactly as it sounds: it holds your company data hostage in exchange for ransom. Usually, an unsuspecting (and often conscientious!) employee opens an attachment in a phishing email or visits an infected website, blissfully unaware that in so doing he or she has downloaded the malware onto company servers. Many variants then travel laterally throughout the company network, encrypting data in the background as it goes. If no behavioral detection measures are in place, this encryption process continues unabated, and employees likely won’t notice much beyond a slight sluggishness in their computers. But then, one day, a skull-and-bones dialog box pops up on the screen announcing that all of the company’s critical data is encrypted and will be remain forever inaccessible unless a ransom is paid, usually within 96 hours, and usually in Bitcoin.
There are only a handful of versions of the malware comprising the vast majority of ransomware attacks, but the collection of variations reads like a human psychology playbook. There is the “ticking time bomb” version, where files are progressively deleted until the ransom is paid. There is the version where, instead of deletion or irreversible encryption, the malware threatens to post your confidential data in a public forum. We’ve even heard of a version where the lockdown screen features scenes from horror movies to get the victim’s pulse racing. Usually, the ransom demanded is easily accessible – often a few hundred dollars, though a recent attack on a hospital fetched a ransom of $17,000 – dramatically increasing the likelihood that a victim will simply pay up. And diabolically, after paying the ransom and sending you the decryption key, the perpetrators provide excellent customer service, going so far to provide 24/7 hotlines for technical troubleshooting if the victim has trouble during the decryption process. All this comes together to maximize compliance and induce further compliance in subsequent rounds of attacks.
For companies where access to data is vital for day-to-day operations, a ransomware attack can be crippling. In certain industries, such as healthcare or critical infrastructure, their systems simply cannot be taken offline, and so refusing to pay the ransom may not be an option at all. Even the FBI has conceded that, in many cases, companies should simply pony up. Ransomware perpetrators know all of this, of course, which is why ransomware is on the rise.
So what can companies do about it? Here are 5 best practices that can prevent, minimize, and mitigate a ransomware attack:
Train your employees to be the first line of defense. If properly trained, employees can be your strongest firewall against phishing attempts. Educate them on tell-tale signs of phishing, encourage them to forward suspicious emails to IT for verification, and test, test, test. Regular mock phishing training exercises can not only keep your employees vigilant, they can help your employees get into the mindset of treating cybersecurity as an enterprise—and not just an IT—issue. (Plus, it could be fun!)
But don’t forget your technical defenses, too. Push out patches and make sure to do it regularly. According to one report, over half of all types of cyberattacks happen within 10 to 100 days of a vulnerability being published, so it’s always a good idea to patch as soon as one becomes available. Whitelisting programs, limiting administrator access, and structuring your network to segment access to critical data are also other ways to limit the impact of a ransomware attack.
Backup your data – then unplug your backup. Regular daily backups will curtail the incentive to give in to ransomware’s demands, not to mention give you peace of mind that you can restore your systems quickly. But make sure that once your systems are backed up, the backup is disconnected from the network altogether (or at the very least, stored on an unmapped drive). That way, the malware can’t infect your backup, and you’re more likely to have a clean version with which to restore your systems.
If you’re hit – disconnect! Once you realize that a computer is infected with ransomware, disconnect it immediately from the network to prevent further infection. And this means Wi-Fi and Bluetooth connectivity, too.
Call your lawyer. If you have a comprehensive incident response plan in place, your first call should be to your lawyer, who will help quarterback the internal forensics investigation and deal with law enforcement. Counsel can also help you review contractual provisions and coordinate your claims for indemnification, as well as assess your exposure. Of course, if the impact of the attack is severe enough that litigation is a possibility, you’ll want outside counsel involved as early as possible to be able to invoke the protections of attorney-client privilege.
Ransomware is but one of many types of attacks that cyber criminals are using to extort businesses and compromise valuable company data. Companies would be well-advised to conduct a comprehensive cybersecurity risk assessment and implement an incident response plan before the inevitable occurs.
Caroline Simons is a Principal in the Boston office of Fish & Richardson. She serves clients in the areas of white collar defense, internal investigations, cybersecurity, and complex civil litigation. Ms. Simons strives at the outset to understand her clients’ businesses,...