On October 2, 2019, the FBI issued a Public Service Announcement to alert US businesses and organizations to plan and prepare for what are being described as high-impact ransomware events. Certain bad actors seem to be no longer simply interested in a quick and easy financial gain from indiscriminately infecting all possible targets on a penetrated network. Rather, some bad actors are turning their attention to high-value data or assets within organizations. These represent the victims’ pressure points that are uniquely or highly sensitive to downtime. Consequently, a ransomware victim’s motivation to pay the demand in these situations is acutely high. To accomplish these sinister ends, however, attackers may still rely upon a tried and true method — phishing.

Is My Organization a Target?

While commonalities among victims often exist, there is no single profile for a potential victim. Healthcare providers and manufacturing businesses along with cities and education institutions exemplify organizations that have recently suffered high-profile ransomware attacks. Often, bad actors succeed in introducing the malware behind an entity’s defenses by enticing an unsuspecting user to click on a malicious link or attachment in a phishing email. Increasingly, bad actors use this initial toehold to conduct reconnaissance. They analyze the potential victim’s environment and identify a variety of potentially valuable assets or information, including: (i) high-value data or assets, such as trade secrets or personally identifiable information; (ii) critical timing issues or red-letter dates, such as tax-filing deadlines or the start of a new school year; and (iii) data backups. At that point, bad actors are well positioned to leverage this information over their victims.

Businesses may face multi-faceted losses when addressing a ransomware event. This includes not only paying the ransom demand but also expenses associated with lost business, time, files, equipment; wages; third-party remediation services; or higher insurance premiums. Not surprisingly, according to CyberEdge Group, 45% of business organizations hit with ransomware pay the ransom to stem the losses from the encryption, despite advice to the contrary from a variety of stakeholders (including the FBI). Similarly, RecordedFuture reports that at least 17% of state or local government entities pay ransomware demands. When thinking about these latter entities, consider the disruption to daily lives from a stoppage in issuing building permits, taxes, vendor payments and, even, marriage certificates. The alternative to paying these ransom demands is rebuilding an organization’s information technology systems that have been affected by the encryption. This could take months as it can involve implementing new hardware and software. Further, this assumes the organization has backed up its data recently and in a manner that has not been affected by the ransomware (more on this below).

Ransomware Crippled My Organization. HELP! What Should I Do?

As ransomware has likely encrypted critical systems and data, an organization in response mode often is forced to work behind the eight ball without access to daily communication methods or data. Hopefully, the organization has developed an incident response plan (and follows it) providing for out-of-band communications in instances in which the organization’s communication systems are not available. Even if the communication system is available, the organization should be mindful that the attacker could be monitoring in-band communications. Here are a few additional steps for an organization to consider when responding to a ransomware event:

  1. Take a deep breath. Many attackers utilize ransom notes intended to exert pressure on victims to pay quickly by indicating that the ransom demand will escalate if the victim waits to pay. Acting too quickly or without deliberate intention, however, could result in inadvertent loss of information necessary to regain access to and/or restore systems and data while impeding a forensically valid investigation. Further, attackers know that they cannot make their demands too excessive too quickly, or some victims might just decide to ignore them. The bottom line is that in most cases, affected companies can take a reasonable amount of time to assess their options.
  2. Disconnect and isolate infected machines and systems from your information network. This may include suspending questionable accounts. These actions, however, should be taken only if they will not alter or destroy evidence. Specifically, do not unplug your servers or workstations from their power supplies as doing so could cause irreparable data loss.
  3. Determine your operational status. Identify the extent to which the encryption impacted your specific systems and data. For example,
    • do backups exist for the affected systems and data;
    • is the affected data critical;
    • what is the value of the affected data;
    • what is the number of systems affected;
    • what do the affected systems support within the organization;
    • what is the expected downtime; and
    • what is the downtime cost?
  • Determine the viability of restoring from backups including how long it will take and at what expense. Even if backups are available, it may be prudent to proceed on parallel tracks while restoring from backups by responding to the incident (including, potentially negotiating with the attacker).
  1. Coordinate with incident response service providers. Consider retaining outside legal counsel, cyber forensic investigators, public relations specialists, IT support personnel and ransomware negotiators in response to an encryption event.
    • The retention of outside counsel could assist in establishing an attorney-client privilege over the actions taken in response to the event while also preparing the organization for any notification obligations it may have.
    • Cyber forensic investigators can assist in determining how the attacker got into the environment and his/her actions while in the environment, including the possibility of unauthorized data access, acquisition or loss that may trigger legal obligations. For example, the ransomware may often be a diversion from or additional layer of a larger scheme (including other rent-a-hack bad actors) who have been in the environment and accessed sensitive data weeks or months before the encryption event.
    • Depending on the extent to which the ransomware event has crippled an organization’s systems, public relations specialists can assist in drafting audience-specific statements for customers, workers, the general public or others. What an organization says and how it frames its response matters for reassuring potentially affected stakeholders, in addition to addressing potential legal obligations.
    • Depending upon the size of your organization, outside IT support personnel may be able to assist in rebuilding systems and restoring data.
    • Finally, a skilled ransomware negotiator may be able to assist in driving down demands that may make an organization more comfortable paying the bad actor.
  2. Determine whether to notify law enforcement. The FBI retains a web-based reporting system for internet crimes, including ransomware. There are several benefits to reporting to the FBI such as the potential for the FBI’s bringing technical assistance to the matter or the attacker to justice. Within the FBI, there are specific groups of agents — assigned to the numerous malware variants — that possess institutional knowledge and can inform appropriate recovery and investigatory efforts. Additionally, reporting may carry reputational benefits and have a positive impact on any regulators that investigate an incident that later comes to their attention. When reporting to the FBI, it is important to consider the information that may be useful to its investigation both in the
    • short term, such as the malware variant, bitcoin wallet, ransom note, and any applicable IP or email addresses; and
    • long term, such as images of machines.
  • Keep in mind, these items do not necessarily identify your organization.
  1. Determine whether to pay the demand. A variety of considerations are at play for cyber-attack victims. These factors include whether doing so would violate US law that prohibits payments to individuals or entities that are subject to US economic sanctions or that are designated terrorist organizations. Additionally, cyber insurance plans may exclude coverage for terrorist acts. Further, the FBI expressed a nuanced position that it “does not advocate paying a ransom” while recognizing that organizations faced with an inability to function will evaluate “all options” to protect relevant stakeholders. Understandably, the demand payment answer will depend on the attack’s impact and timing in relation to business continuity and the potential for service disruption. Other factors include the uncertainty as to whether the bad actor will actually comply with his/her end of the bargain and return a decryption key in response to the payment and whether the decryption key will actually work. Additional variables in the payment for keys process involve attackers that may provide keys that only decrypt a portion of the affected files, at which point the attackers announce that a further payment is necessary. In some instances they may blame an error at their end that resulted in the inability to decrypt everything, but they will charge a further ransom nonetheless.
  2. In parallel, implement recovery steps and a forensic investigation. Getting your organization to operational capacity as quickly as possible is a primary goal in response to a ransomware event. Doing so, however, could result in the inadvertent destruction of forensic artifacts that can assist in determining the incident’s origin and scope, with any attendant potential legal obligations. Evidence must be collected in a forensically sound manner to enable later presentation, if necessary, to a court or regulatory body. Thus, it is critical to proceed simultaneously with respect to recovery and investigation.
  3. Secure your environment. While the primary goal in any ransomware event is to become operational as soon as possible, be sure that your recovery efforts do not leave you susceptible to either re-encryption from the same malware or a new threat. An organization should strongly consider implementing threat-hunting software to determine whether residual threats exist within the environment and proactively complete cyber hygiene efforts.
  4. Comply with your legal obligations. A ransomware event that affects the security, confidentiality, availability or integrity of data could trigger legal obligations to a variety of stakeholders. There are potential statutory or contractual notice obligations to customers, vendors, business partners, employees or others depending upon the event’s facts (that would be informed by a forensic investigation). Non-compliance with these obligations could lead to fines, penalties or class-action lawsuits.
  5. Take a deep breath. Recovery may be slow, but it does get better. Most companies survive and many continue to thrive after a ransomware attack. Keep in mind, you are the victim in this situation and you should be prepared with a compelling narrative as you remediate, recover and move forward.

David Navetta

Randy Sabett

Andrew Epstein

Posted by Cooley