
What’s in your ransomware defense toolbox?

July 21, 2021

The rising cost of ransomware attacks puts a premium on prevention. Put these practical, preventative measures to use to minimize the threat of being held hostage by a ransomware demand.

By Larry Lee and Christopher Johnson

The cost to companies and governments in ransomware attacks is growing exponentially. On May 7th of this year the Colonial Pipeline fell victim to a cybersecurity attack, causing the American fuel carrier to shut down its 5,500-mile pipeline and cut off the major artery of transport for petrol, diesel and jet fuel to the east coast. Colonial Pipeline paid hackers nearly $5 million in an extortion fee to restore its disabled computer network, over the objections of the FBI. Weeks later, meatpacker JBS SA is reported to have paid $11 million to resolve a ransomware attack that disrupted the nation’s meat supply.

By June of this year, FBI Director Christopher Wray disclosed that the agency was investigating about 100 different types of ransomware attacks, many tracing back to hackers in Russia.

Cyberattacks aimed at grabbing data for ransom are a growing global problem. The eSentire Ransomware Report detailed that in 2021 alone, six ransomware groups compromised 292 organizations between Jan. 1 and April 30, potentially taking in $45 million for the hackers.

Bill Conner, President and CEO of SonicWall Inc., attributes the uptick in attacks to the emergence of remote workforces and virtual offices giving cybercriminals new and attractive ways to exploit illegally obtained data for monetary gain.

Everything from how perpetrators knock on the virtual door to the schemes they are deploying to gain access, spread threats, evade detection, encrypt files, and coerce users into paying ransom is becoming more advanced, and all employers must be prepared for ransomware attacks.

To Pay or Not to Pay

Ransomware is the malicious software that hackers use to access and encrypt networks and data with the purpose of extorting the owner of the network for financial gain. Ransomware attacks lock up computer networks and data, which hackers promise to unlock for a payment.

When data security is breached, it is rarely an isolated event. Attacks can disrupt utilities and emergency services, take IT systems and networks offline, control payment portals, freeze access to legal documents and compromise personally identifiable information, records and payroll, which can then be made public and misused for fraudulent purposes.

These vicious attacks first came to light in 1989 with attackers targeting the healthcare industry. By 2017, the FBI’s internet complaint center (IC3) received 1,783 ransomware complaints by businesses and individuals, costing those victims untold millions of dollars. The number of companies attacked is likely much higher; victims are reluctant to publicize attacks and become soft targets for future attacks.

A growing number of victims of cybercrime are opting to pay their assailants to restore data. Industry experts and law enforcement including the Federal Bureau of Investigation’s Cyber Division, however, advise against paying ransom demands in response to a ransomware attack. The perpetrators in these incidents are criminals and there can be no assurance that access to the stolen data will be restored once payment has been made. A recent study found that one in five respondents failed to receive access to their data after paying a ransom demand. And, victims still have the cost of collateral damage to cover.

The FBI’s Cyber Division further discourages ransom payments because they reinforce and reward malicious behavior, which serves to perpetuate the problem. Paying also telegraphs that the victim is a soft target that is willing to pay a ransom in response to such an incident, increasing the potential for subsequent attacks.

State and Local Municipalities

Over the past several years, state and local municipalities have also become prime targets for criminal activity. Over 60 attacks against state and local governments were reported in 2019, more than double the number seen in any prior single year. One such city was Baltimore, which was hit by hackers using the RobbinHood malware and spent over $18 million to restore essential city services and repair systems.

In the case of municipalities and government employers, paying ransom may be illegal. Payments are also ethically controversial because public funds are used to satisfy the ransom payments, which will likely be used to support other illegal activities and further hacking.

In the City of Baltimore cyberattack, the city did not give in to ransom demands, despite the amount demanded being small relative to the cost of remediating damage. The incident unfolded over several months, and city officials faced mounting public pressure to pay the ransom to restore access to systems and vital services. A cost-benefit analysis would have supported paying the ransom, but withholding payment puts a stop to additional demands.

For local government employers, the controversial nature of paying public funds to criminals has some jurisdictions considering prohibitions against paying ransom. The United States Conference of Mayors adopted a resolution at its 2019 annual meeting formally taking the policy position (i.e., not legally binding) that the organization opposes payment to ransomware attack perpetrators in the event of an IT security breach. The Council noted that paying ransomware attackers “encourages continued attacks on other government systems.”

In an effort to remove the financial incentive for targeting municipalities, New York legislators have introduced a bill (S7246) that would restrict the use of taxpayer money in paying ransom connected to cyberattacks. Payment prohibitions should allow room for exigent circumstances, such as a hospital under attack that needs to regain access to their data quickly to ensure continuity of treatment for their patients.

Prevention

There are many important steps that employers can take right now to both reduce the risk of becoming another statistic and ensure that, should they suffer an attack, they have plans and procedures in place to react with resiliency. Employment attorneys should be well positioned to spearhead efforts to ensure their clients are ready. Employers and attorneys should give serious thought to the following affirmative steps.

  • Adopt policies and procedures for the consistent application of information security and test compliance regularly.
  • Create and implement an incident response plan with clearly defined roles and responsibilities for those who will be tasked with responding to a cyberattack incident.
  • Schedule an initial risk assessment and conduct subsequent periodic risk assessments to help identify weak points in the workplace network and policies.
  • Encourage and ensure that the Information Technology (IT) department stays current on developments in the cybersecurity threat landscape.
  • Require the IT director or their delegate to regularly update the decision-maker on threat level and emerging trends.
  • Develop and cultivate an advanced workplace culture that prioritizes cybersecurity. All employees should receive mandatory training on the threat landscape, compliance expectations with policies and procedures, and understand what their potential role in incident response may entail.
  • Conduct appropriate due diligence in order to avoid or minimize the cybersecurity risks presented by third-party vendors. Train third-party vendors to raise awareness of risks and weaknesses.
  • Work with employment counsel to review or prepare relevant policies, procedures and plans for implementation and protect the employer’s electronically stored information and databases. Decision-makers or their delegates can also work with retained counsel to become more knowledgeable about cybersecurity issues and fill gaps that protect the electronic information database.
  • Work with the employer’s insurance broker or risk manager to obtain cyber insurance. Typical commercial policies do not provide coverage for the types of risks that are presented by a cybersecurity incident. It is much better for employers to learn about the benefits of such a policy prior to an attack rather than wish they had a policy after the attack occurs.

Contingency Planning and Disaster Recovery

To the extent not already in place, employers should adopt a cybersecurity disaster recovery plan. Any disaster recovery plan should start with reporting the incident to local and state law enforcement, the FBI, and the U.S. Department of Homeland Security.

From there, entities can activate their incident response team of employees and resources to manage the attack and minimize fallout. Any such plan should address the following concepts and issues.

  • Analyzing the ransomware attack for anticipated impact.
  • Formulating and implementing a response plan to remediate and recover from the incident.
  • Taking all backups offline from the network.
  • Mobilizing available resources including IT department and third-party consultants to contain, remediate, and recover.
  • Engaging the legal department or outside counsel to capture and preserve evidence related to the incident, review obligations that may arise under data breach notification laws and assist with a review of insurance coverage.
  • Managing internal and external communications regarding the incident, and providing timely, accurate, and consistent updates and findings to leadership.
  • Reviewing terms of available insurance coverage for data restoration, security breach notification and remediation expense, crisis management services, business interruption, and extortion expenses.
  • Providing credit monitoring and identity theft education and assistance for affected employees and residents.
  • Debriefing the response team after the incident is contained and core systems are returned to functionality to gauge efficacy.
  • Implementing training modules for employees, service providers, and volunteers on recognizing and reporting potential information security threats.
  • Instituting periodic testing exercises at the direction of the IT department to assess compliance with policies and procedures and awareness around information security.

Domestic and international bad actors are planning their next cyberattacks. Many are successful attacks. Don’t be held hostage. Work with qualified employment counsel to take preventative measures and build a strong defense for protecting employer data and networks from sabotage and seeing sensitive data become a bargaining chip in negotiations employers do not want to have.

— Larry Lee is an employment law attorney and a shareholder at Jones & Keller in Denver. Mr. Lee can be reached at llee@joneskeller.com.

— Christopher Johnson is a senior associate attorney at Armstrong Teasdale LLP in Denver. Mr. Johnson can be reached at crjohnson@atllp.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.