In an ideal world, your company has all its critical information and data comprehensively and securely backed up, employing strong defenses against hacking, phishing, and other cyberattacks.
In the event that your company is nonetheless the victim of a ransomware attack, this document provides steps to be taken as part of its response to such an incident.
This document is meant to be a helpful guide, but the best response will generally depend on different factors, including the scope and severity of the attack, availability of remediation measures, and business sensitivities.
Cyber response and business continuity plans should contain the following steps to address a ransomware situation:
* Conduct initial analysis of the ransomware. After detecting the ransomware or receiving a ransom demand, it is important to determine, in a timely manner, the originally affected device, the scope of infected systems, and any vulnerabilities in the company’s systems that were exploited. Conducting such an initial analysis will be immensely helpful during subsequent stages of responding to the ransomware. It is important to conduct this exercise in a forensically sound manner that does not alter or obscure evidence of the attacker’s actions.
* Determine whether the ransomed data, or any parts thereof, exist, and make sure they are properly secured. Assess whether the ransomed, encrypted data exists on unaffected devices, with backup systems, or unaffected servers.
* Consider what type of data, and how much, may have been affected or compromised. Knowing whether sensitive information, such as health or financial records, is impacted, and how many customers’ records may be at issue, is important. This information will inform the size of the team that needs to be mobilized in response, as well as the type of response, including breach notification, that may need to be taken.
* Take steps to prevent continued access by the attacker. It’s important to limit the attacker’s ability to take advantage of any vulnerability and to segregate unaffected systems and data.
* Report internally to the designated individuals to coordinate response. In appropriate cases, it may make sense to apprise senior business leaders, including the Board, who may need to make decisions about how to proceed.
* Keep contemporaneous records. In consultation with legal counsel, it may make sense to record relevant information about the ransomware attack and your response to it, including logging when the attack was first detected, what steps were taken in response, who was notified, and other important information. To the extent possible, this information should be obtained and recorded in a way that does not delete or modify relevant files.
Depending on the severity of the attack, and the size and capability of your existing IT and cybersecurity teams, it may be necessary to bring in additional help to manage the situation. Many companies specialize in incident response and forensics to supplement your internal team and determine what systems or information were compromised, analyze the available technical information, and identify weak points in the company’s systems and processes that should be improved.
Outside counsel with experience with ransomware attacks and other security breaches can provide additional legal expertise and leadership and can help preserve applicable privileges to allow confidentiality for full and frank communication during the ransomware incident and recovery process.
This step may already have been completed as part of the incident response plans discussed above, but it is worth noting its importance separately. Even in a widespread ransomware attack where so many companies are affected that even the authorities can seem overwhelmed, it’s still important to consider notifying law enforcement. Doing so could help the company if, for example, law enforcement has specific tips or techniques to minimize the damage from the attack. And it helps law enforcement get a full picture of what is happening to different victims of the attack. It also creates a record of steps to address the problem.
Of course, law enforcement may not be able to provide immediate help in terms of retrieving data or apprehending the criminals responsible for the attack, but they often can provide other resources and support. Ideally, the company will have previously established a point of contact with a particular law enforcement agency for this purpose. Consideration should also be given to what extent, and how, the company provides information, so as to protect confidential information and applicable privileges.
In-house or outside counsel can help you determine whether and how to notify and work with law enforcement in the wake of a ransomware attack. Throughout the United States, companies can contact local field offices of the FBI and Secret Service, as well as the National Cybersecurity and Communications Integration Center, which is part of the Department of Homeland Security; in larger cities, the local police may also have a cybercrime unit.
If your company has cyber or some other type of comprehensive insurance, it may cover a ransomware event and provide coverage for remediation and restoration. The incident response team, in coordination with in-house or outside counsel, should make sure that it understands any requirements set forth in the insurance plan, including notification of the insurer, documentation of the event and damage, or use of specific vendors. This may help avoid disputes with the insurance company regarding coverage or claims.
Ransomware can stop a company in its tracks by making business-critical data and information unavailable. If that information, including critical documents, has not been properly backed up, the first question asked is how to get the data back. Unfortunately, there are generally only three primary options, none of which is ideal:
* Hire an expert IT consulting firm or use significant internal resources to attempt to break the encryption. In some cases, it may be possible to find a way to break or otherwise circumvent the ransomware’s encryption. However, hackers are using increasingly sophisticated encryption techniques, so the odds of success are low.
* Work with your IT department or specialists to access data. If you and your customers have ample time and patience, another option may simply be for the company to meticulously attempt to find ways to access the ransomed data. This process may have two parts, though both may not always apply. First, you will want to see if there is any way to restore data, such as through partial backups or by patiently cleaning the system of all the ransomware, perhaps returning it to its state as of an earlier date. Second, to the extent that data is not available to be restored, you will want to seek access to it in some other way, such as through third parties with their own copies of the data, paper copies, or other sources. Unless a complete backup is available, though, these processes will likely not succeed in restoring all data.
* Understand the full implications and risks of paying the ransom. Giving in to the attackers’ demands is rarely a good idea, and should never be done without extensive internal discussion, especially with legal counsel. The Department of Justice, including the FBI, and other federal agencies, advise against paying the ransom, for various reasons. First, hackers may not provide the encryption key even when the ransom has been paid. Second, the key provided may not work to retrieve the data at all. Third, the key may only work partially, and the hackers will then demand more money before allowing access to the rest of the data. Fourth, paying the ransom also encourages attackers to keep using ransomware and marks the company as a good future target. However, if no data is backed up, and it’s essential to return to normal operations very quickly, companies have made the business-based decision to pay the ransom. The ransom is usually payable only in cryptocurrencies such as Bitcoin, so unless the company has a ready stockpile of such currency, it will need to obtain some for this purpose.
Depending on the severity of the attack, the type of company, and the type of information at issue, in-house or outside counsel can help you determine whether you need to notify customers, the board, auditors, and/or regulators about the event. Here are a few examples to consider:
* Per HHS Guidelines on HIPAA, the presence of ransomware on a covered entity’s systems constitutes a security incident and is presumed a breach of Protected Health Information (PHI). HHS guidelines state that when there is ransomware on a system, it is a security incident under the HIPAA Security Rule. A ransomware attack at a covered entity thus triggers HIPAA’s mandatory security incident response procedures. And when PHI is encrypted by ransomware, the presumption of a breach means that the covered entity must notify the individuals whose PHI was affected, as well as HHS and, for larger breaches, the media. A company can only avoid notification if it can show that there is a “. . . low probability that the PHI has been compromised,” after evaluating the factors set forth in the HIPAA breach notification rules.
* For non-PHI, determine whether the hackers may have accessed or acquired Personal Information (PI) data. Some state data breach notification laws require notice if PI was merely “accessed” by an unauthorized individual, while other laws require notice only if the PI was “acquired” without authorization. Ransomware typically only involves unauthorized encryption of data, not theft, but a ransomware attack nonetheless could be viewed as “access” to the data, though no courts or regulators have yet taken a clear position on whether that would be the case. Depending on the attackers’ methods and motives, there could also have been acquisition of PI, so a careful investigation of the incident is vital to determine whether customers must be notified.
* Depending on the industry and the nature of the breach, it may be necessary to notify regulators and, in some cases, other companies that may be affected or that provided the data.
* Depending on the magnitude of the ransomware’s effects on the business, notify external auditors. In worst-case scenarios, the ransomware may so impact your business that it is also necessary to notify the company’s external auditors. For instance, if the ransomware shuts down the business for any significant period of time, or if you decide to pay a significant sum of money either to the hackers or to outside advisors to retrieve the data, or if the incident is likely to lead to litigation, the effect on the company’s functioning and balance sheet may be such that the auditors must be notified.
Customers whose data was lost or exposed could file complaints in the days and weeks after learning of the ransomware attack. In addition, state and federal regulators, especially those in areas like health and financial services, are increasingly active in enforcing cybersecurity regulations, and have the power to fine or seek injunctions against companies that do not have adequate policies and procedures related to cybersecurity, that make missteps in responding to an attack, or that do not notify customers properly.
It’s essential to work closely with experienced legal counsel to ensure that you are doing everything possible before, during, and after an attack to comply with laws and regulations and to communicate with customers or regulators in a way that may help to head off litigation or an enforcement action.
Once a company has been successfully targeted, chances are the same hackers or others will have the company in their sights again before too long. It’s essential that you update your company’s data privacy protocols and processes and its cybersecurity measures in general, in light of vulnerabilities exposed by the ransomware and uncovered in the incident response process.
Kiran Raj (firstname.lastname@example.org) is a partner in the Washington, D.C. office of O’Melveny & Myers, where he practices in the cybersecurity practice. He was formerly the Department of Homeland Security’s highest-ranking attorney focused on cybersecurity and technology. Mallory Jensen (email@example.com) is an associate in the firm’s San Francisco office.