The rising cost of ransomware attacks puts a premium on prevention. Put these practical, preventative measures to use to minimize the risk of being held hostage by a ransomware demand.
By Larry Lee and Christopher Johnson
The cost of ransomware attacks to companies and governments is growing rapidly. On May 7, 2021, Colonial Pipeline fell victim to a ransomware attack, and the American fuel carrier shut down its 5,500-mile pipeline, cutting off the main transport artery for gasoline, diesel and jet fuel to the East Coast. Colonial Pipeline paid the attackers nearly $5 million in extortion to restore its disabled computer network, against the FBI's long-standing advice not to pay. Weeks later, meatpacker JBS SA reportedly paid $11 million to resolve a ransomware attack that disrupted the nation's meat supply.
In June 2021, FBI Director Christopher Wray disclosed that the agency was investigating about 100 different ransomware variants, many of them traced back to hackers in Russia.
Cyberattacks that seize data for ransom are a growing global problem. The eSentire Ransomware Report found that in 2021 alone, six ransomware groups compromised 292 organizations between Jan. 1 and April 30, potentially bringing in $45 million for the attackers.
Bill Conner, President and CEO of SonicWall Inc., attributes the uptick in attacks to the emergence of remote workforces and virtual offices giving cybercriminals new and attractive ways to exploit illegally obtained data for monetary gain.
Everything about these attacks is becoming more advanced: how the perpetrators knock on the virtual door, how they gain access, spread through a network, evade detection, encrypt files, and coerce victims into paying. Every employer must be prepared for a ransomware attack.
Ransomware is malicious software that encrypts a victim's systems and data so that the attacker can extort payment for the decryption key. Many current attacks also copy data out of the network before encrypting it, so that the threat of publishing it becomes a second lever for extortion.
When data security is breached, it is rarely an isolated event. Attacks can disrupt utilities and emergency services, take IT systems and networks offline, hijack payment portals, freeze access to legal documents, and compromise personally identifiable information, records and payroll data, which can then be made public and misused for fraud.
These attacks first came to light in 1989, when attackers targeted the healthcare industry. In 2017, the FBI's Internet Crime Complaint Center (IC3) received 1,783 ransomware complaints from businesses and individuals, costing those victims untold millions of dollars. The number of organizations attacked is likely much higher, because victims are reluctant to publicize attacks for fear of being seen as soft targets for future attacks.
A growing number of cybercrime victims are opting to pay their attackers to restore data. Industry experts and law enforcement, including the Federal Bureau of Investigation's Cyber Division, advise against paying ransom demands. The perpetrators are criminals, and there is no assurance that access to the encrypted or stolen data will be restored once payment has been made. One recent survey found that one in five respondents never regained access to their data after paying. Even when a working decryption key is delivered, the victim still bears the cost of the collateral damage: rebuilding and validating the affected systems, and dealing with any data that was copied out before it was encrypted.
The FBI’s Cyber Division further discourages ransom payments because it reinforces and rewards malicious behavior, which serves to perpetuate the problem. It also telegraphs that the victim is a soft target that is willing to pay a ransom in response to such an incident, increasing the potential for subsequent attacks.
Over the past several years, state and local governments have also become prime targets. More than 60 attacks against state and local governments were reported in 2019, more than double the number seen in any prior single year. One such city was Baltimore, which was hit by attackers using the RobbinHood ransomware and spent over $18 million to restore essential city services and repair its systems.
In the case of municipalities and government employers, paying a ransom may be prohibited by law or policy in some jurisdictions, and any payment that reaches a sanctioned person or entity can violate U.S. sanctions regulations regardless of who the victim is. Payments are also ethically controversial because public funds are used to satisfy the demand, and the proceeds will likely fund further criminal activity and further attacks.
In the Baltimore attack, the city refused the ransom demand even though the amount demanded was small relative to the cost of remediating the damage. The incident unfolded over several months, and city officials faced mounting public pressure to pay in order to restore access to systems and vital services. A narrow cost-benefit analysis would have favored paying, but refusing to pay denies the attackers any precedent for further demands.
For local government employers, the controversial nature of paying public funds to criminals has some jurisdictions considering prohibitions on ransom payments. The United States Conference of Mayors adopted a resolution at its 2019 annual meeting formally taking the policy position (not legally binding) that the organization opposes payments to ransomware attackers in the event of an IT security breach. The Conference noted that paying ransomware attackers "encourages continued attacks on other government systems."
In an effort to remove the financial incentive for targeting municipalities, New York legislators have introduced a bill (S7246) that would restrict the use of taxpayer money to pay ransoms connected to cyberattacks. Any payment prohibition should leave room for exigent circumstances, such as a hospital under attack that needs to regain access to its data quickly to ensure continuity of treatment for its patients.
There are many important steps that employers can take right now to both reduce the risk of becoming another statistic and ensure that, should they suffer an attack, they have plans and procedures in place to react with resiliency. Employment attorneys should be well positioned to spearhead efforts to ensure their clients are ready. Employers and attorneys should give serious thought to the following affirmative steps.
To the extent not already in place, employers should adopt a cybersecurity disaster recovery plan. Any such plan should cover, at a minimum, isolating affected systems to stop the spread while preserving logs and other forensic evidence, and promptly reporting the incident to local and state law enforcement, the FBI, and the U.S. Department of Homeland Security.
From there, the organization can activate its incident response team, with the staff and resources needed to manage the attack and minimize the fallout. Any such plan should address the following concepts and issues.
Domestic and international bad actors are already planning their next cyberattacks, and many of those attacks will succeed. Don't be held hostage. Work with qualified employment counsel to take preventative measures and build a strong defense, so that employer data and networks are protected from sabotage and sensitive data never becomes a bargaining chip in a negotiation no employer wants to have.
— Larry Lee is an employment law attorney and a shareholder at Jones & Keller in Denver. Mr. Lee can be reached at llee@joneskeller.com.
— Christopher Johnson is a senior associate attorney at Armstrong Teasdale LLP in Denver. Mr. Johnson can be reached at crjohnson@atllp.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.