Ransomware Planning and Response Best Practices
 


Posted on 09-12-2018

By: Nolan Goldberg and Anisha Shenai-Khatkhate, Proskauer Rose LLP

Ransomware attacks have become a prevalent cybersecurity threat. These attacks pose significant legal and financial risks to both individuals and organizations. This article addresses steps to take to minimize the risk of a ransomware attack and reduce the harm that a successful attack can cause.

What Is Ransomware?

Ransomware is a form of malicious software (malware) installed by a hacker that blocks access to files on an infected computer or network until the victim pays the hacker a fee or ransom. The malware often disables access using one of the following methods:

  • Encryption. The ransomware software encrypts whatever files it can access and informs the user that access will be restored in return for a demanded sum.
  • Lock-out. Another method involves locking victims out of their operating systems so that the victims cannot access anything on their computers.

Hackers typically demand payment in Bitcoin or other cryptocurrency because these forms of payment are difficult to trace. Hackers often impose a deadline for making payment, claiming that if a victim does not pay by a certain date, the hacker will permanently destroy the hijacked files or increase the amount of the demanded ransom. These time-sensitive tactics reinforce the importance of preemptively developing and training on a response and recovery plan, as there may not be time to responsibly develop and execute a plan when an attack occurs.

Often hackers fraudulently use law enforcement images, messages, or symbols in a ransomware attack to make victims believe they are obligated to pay due to their own wrongdoing. For example, a hacker may display the FBI logo along with a false message that illegal download or file-sharing activity was detected on the computer, and the victim must pay a fee to regain access.

Each year, the frequency of these attacks increases. Some of the criminals behind these attacks are countries desperate for hard currency. For example, North Korea is widely believed to have been behind the worldwide WannaCry attacks in 2017. However, ransomware authoring tools are available on the internet. As a result, a relatively unskilled criminal can undertake a complex attack. In addition, the rise of anonymous cryptocurrencies makes it difficult to track the ransom payment to the criminal.

Key Ransomware Risks

While ransomware is difficult to prevent, recovering from a successful attack can be even more difficult. Typically, a ransomware attack’s sole purpose is to force its victim to give money to a hacker. Similar to any other criminal extortion scheme, the impact to victims can be far more severe than the actual cost of the demanded ransom.

A ransomware victim could permanently lose irreplaceable data and may suffer a disruption in the ability to conduct business. In extreme circumstances, that disruption can have severe consequences to the public. For example, in 2017, computers belonging to the National Health Service (NHS) in England and Scotland were paralyzed by a WannaCry ransomware attack. As a result, the NHS couldn’t access patient files, and its ability to provide patient care was disrupted. Even in less severe situations, when knowledge of the attack becomes public, the harm to consumer confidence and the resulting brand damage can be extreme.

Victims do not always regain access to their data after making the demanded payment. In many cases, hackers stop corresponding after a victim has paid the ransom, and the victim is never able to regain access to their files.

Legal Obligations

Given the foreseeability of ransomware attacks and the likelihood of severe consequences should an attack occur, companies may be legally required to include a formal ransomware prevention and response program in their cybersecurity risk management plans.

For example, the Federal Trade Commission (FTC) often acts against companies that it believes have not implemented reasonable measures to detect and prevent unauthorized access pursuant to its authority under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. In a speech on September 7, 2016, FTC Chairwoman Edith Ramirez confirmed that the prevention of ransomware fell within this obligation when she stated, “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”1

In addition, health care providers are subject to cybersecurity obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule requires various administrative, physical, and technological safeguards to protect the security of electronic protected health information.2 It is expressly up to individual organizations to decide what safeguards would be most reasonable and appropriate for their specific organizations.3 Like the FTC, the U.S. Department of Health and Human Services (HHS) has interpreted that these HIPAA regulations extend to ransomware, stating, “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware.”4

Similarly, certain states have enacted laws requiring businesses dealing with personal information to implement and maintain reasonable security measures to protect personal information from potential cyberattacks. In many cases, these laws also will likely impose obligations that encompass ransomware prevention.

Preventing a Ransomware Attack

A company risks being harmed twice when an attack occurs: first by the attack itself, and then by the litigation and regulatory consequences that may follow. However, these difficulties are not insurmountable. Companies can take affirmative steps to lower the risk of ransomware attacks occurring, mitigate the potential damage resulting from an attack, and meet their legal obligations to implement the reasonable security measures discussed above, including:

  • Developing ransomware policies and procedures
  • Conducting ongoing training on preventing and responding to ransomware attacks
  • Utilizing technology to help detect and defend against attacks
  • Implementing business continuity processes to minimize the risk of disruption

Develop Policies and Procedures to Prevent Ransomware Attacks

A robust cybersecurity policy typically sets forth broad security requirements that apply throughout an organization, including:

  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Risk assessment procedures
  • Incident response (discussed below)

The policy should also describe the various types of data that might be stored by a company and identify the general measures the company should undertake to protect each type of data.

Detail the Specifications and Standards

Specifications and standards describe the specific procedures needed to implement the policy. For example, a security policy might require an organization to run scans for unpatched vulnerabilities once every quarter. The standard could provide that for a particular system, the company must use a certain tool to conduct the scan and follow specific instructions to correctly undertake the scan.

Set Appropriate Security Levels

Ensure that the security program sets out the appropriate level of security required to reasonably guard each type of data against cybersecurity threats. If the level of security is set too low for the types of data stored, then the entire security program may be found to be unreasonable. If the level of security is set too high, then the security program may unnecessarily burden the organization financially and unreasonably interfere with the company’s core operations.

Consider Industry Standards

Most major industry security standards and specifications have already considered the ransomware threat, including those published by the Payment Card Industry (PCI) Security Standards Council and the National Institute of Standards and Technology (NIST). As a result, a company should benchmark the level of security required by its security policy against industry standards that apply to the types of data the organization is trying to protect.

The Policy Should Be Practical

Drafting an appropriately calibrated security policy is not enough to provide reasonable security. The policy must be followed in practice. You should conduct regular internal or third-party audits of your organization’s compliance with the security policy and take appropriate corrective action to prevent future missteps. In addition, you should periodically revisit and revise your policy as security standards evolve over time.

Conduct Training

Companies should regularly educate and train employees who will have data security responsibilities on the threat of ransomware and the policies in place to help prevent ransomware attacks.

For example, emails with malicious links or attachments are among the most common methods on which hackers rely to infect computers with ransomware. As a result, companies typically implement the following basic training on proper email practices as a ransomware deterrent:

  • Avoid opening attachments and clicking on links in emails from unknown or suspicious senders
  • Delete emails from unfamiliar senders without opening any attachments and without clicking any links
  • If an email arrives from a known sender, but appears suspicious, verify that it is actually from the person it claims to be from before opening any attachments or clicking on any links
  • Be especially cautious about enabling macros if the email requests it

A company also should document its compliance with its training programs to use as a defense of its efforts to provide reasonable security in any future litigation.

Implement Detection and Security Technology

Early detection is essential to preventing ransomware from taking control of a system or network. Typically, however, standard anti-virus software cannot reliably detect ransomware. Anti-virus software generally searches for an exact match to the code (a signature) of particular known viruses. However, hackers can easily make small changes to the code to avoid detection by traditional pattern-matching methods.

As a result, companies often employ the following two detection techniques that are generally more effective against ransomware:

  • Behavioral analysis
  • Reputational analysis

Behavioral Analysis

Under the behavioral analysis method, detection software evaluates how specific software code behaves when it executes (i.e., operates). If the detection software identifies behavior typically associated with malware, it can block that code and flag it for closer analysis. For example, the detection software could look for encryption activity, which might be a symptom of executing ransomware. The software could then quickly block the execution of that code before it can fully encrypt the company’s data and reverse the relatively minor damage that the ransomware inflicted.

Alternatively, prior to executing the unknown code on a user’s computer, the detection software could instead first execute that code in a virtual environment called a sandbox. Using this technique, the detection software can observe behavior and identify malware before it harms the network or system.

One challenge with looking for known bad behavior is that the detection software will not always know how the suspected malware will behave and, as a result, will fail to recognize the presence of malicious code until it is too late. However, a different type of behavioral analysis can address that problem by observing how a system behaves during normal operations and then building a model of that expected behavior. When observed behavior diverges from that model, the detection software can presume that the code causing that divergence is malware and then block and flag it for further evaluation. This technique allows the behavioral analysis to detect new malware whose malicious behavior has not been previously modeled.
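The two behavioral approaches described in this section can be illustrated with a small detector. The following is an added example, not code from the article: it runs two checks over a constructed stream of file-write events. Rule 1 looks for known-bad behavior (one process rewriting many files in a short window with high-entropy, encrypted-looking content); rule 2 learns each process's normal write rate from a quiet period and flags a process whose live rate diverges far from that baseline, which also catches activity no rule anticipated. The process names, paths, timings and thresholds are all assumptions made for the demonstration.

```python
"""Added example, not code from the article: two behavioural checks run over
a constructed stream of file-write events.

Rule 1 looks for known-bad behaviour: one process rewriting many files in a
short window with high-entropy (encrypted-looking) content.
Rule 2 learns each process's normal write rate from a quiet period and flags a
process whose live rate diverges far from that baseline, which also catches
behaviour no rule anticipated.

Process names, paths, event timings and thresholds are all constructed.
"""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_mass_encryption(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """Rule 1. events are (timestamp_s, process, path, bytes_written) tuples.
    Returns {process: (distinct_files, mean_entropy)} for processes that wrote
    at least min_files distinct files of high-entropy content within window_s."""
    by_proc = defaultdict(list)
    for ts, proc, path, payload in events:
        by_proc[proc].append((ts, path, payload))
    flagged = {}
    for proc, writes in by_proc.items():
        writes.sort(key=lambda w: w[0])
        for i in range(len(writes)):
            files, entropies = set(), []
            j = i
            while j < len(writes) and writes[j][0] - writes[i][0] <= window_s:
                files.add(writes[j][1])
                entropies.append(shannon_entropy(writes[j][2]))
                j += 1
            mean_ent = sum(entropies) / len(entropies)
            if len(files) >= min_files and mean_ent >= min_entropy:
                flagged[proc] = (len(files), round(mean_ent, 2))
                break
    return flagged


def build_baseline(events, duration_s):
    """Rule 2, learning phase: writes per minute per process during a quiet period."""
    counts = Counter(proc for _, proc, _, _ in events)
    return {proc: n / (duration_s / 60.0) for proc, n in counts.items()}


def flag_divergence(baseline, events, duration_s, factor=10.0, floor_per_min=5.0):
    """Rule 2, detection phase: flag a process whose live write rate exceeds
    factor x its baseline rate (or floor_per_min if it has no baseline)."""
    counts = Counter(proc for _, proc, _, _ in events)
    flagged = {}
    for proc, n in counts.items():
        observed = n / (duration_s / 60.0)
        expected = baseline.get(proc, 0.0)
        if observed > max(expected * factor, floor_per_min):
            flagged[proc] = (round(observed, 2), round(expected, 2))
    return flagged


def make_demo_events(seed=1):
    """Constructed data: a 10-minute quiet period, then a 60-second live period
    in which an unknown process rewrites 40 files with random bytes in 4 seconds."""
    rng = random.Random(seed)
    text = b"Quarterly report draft: revenue figures pending review.\n" * 20
    quiet, live = [], []
    for k in range(20):  # editor saves roughly every 30 s
        quiet.append((k * 30.0, "editor.exe", f"C:/docs/report{k % 3}.docx", text))
    for k in range(5):  # backup agent writes every 2 min
        quiet.append((k * 120.0, "backup_agent", f"C:/backup/set{k}.bak", text))
    for k in range(2):
        live.append((k * 30.0, "editor.exe", "C:/docs/report0.docx", text))
    live.append((10.0, "backup_agent", "C:/backup/set0.bak", text))
    for k in range(40):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        live.append((20.0 + k * 0.1, "unknown.exe", f"C:/docs/file{k}.docx.locked", blob))
    return quiet, live


if __name__ == "__main__":
    quiet, live = make_demo_events()
    print("rule 1 (mass encryption):", flag_mass_encryption(live))
    print("rule 2 (baseline divergence):",
          flag_divergence(build_baseline(quiet, 600), live, 60))
```

Rule 1 only fires on behavior it was written to recognize; rule 2 fires on the unknown process purely because no process in the quiet period wrote at anything near that rate. In practice the baseline must be learned from a period known to be clean, and the thresholds tuned so that legitimate bulk writers (backup agents, compilers, database checkpoints) are modeled rather than flagged.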

Reputational Analysis

Reputational analysis allows a company to leverage threat intelligence collected by a third-party security provider through its various intelligence channels (e.g., other customers and law enforcement). For example, detection software provided and updated by a particular security provider can use the provider’s reputational database that collects information from other customers that previously downloaded malware.

When another customer of that security provider downloads ransomware from a website, the URL of the malicious website can be flagged in the provider’s reputational database and given a reputational score. This score may change over time to reflect an increased risk as the security provider finds additional infections that are associated with that source. The security provider can then make this database of crowdsourced information available to all its customers. If an employee, unaware of the impending danger, attempts to download content from the malicious website, the detection software will first check the provider’s reputational database before allowing the download. When the software recognizes that the website has a low reputational score, it will block access to that site.
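The reputational workflow described above, as an added example that is not code from the article or from any particular security provider: a minimal reputation database in which each distinct customer report of an infection lowers a domain's score, and an endpoint-side gate consults that score before allowing a download. The domains, reporter names, starting score and block threshold are constructed assumptions.

```python
"""Added example, not code from the article or any vendor product: a minimal
URL reputation database plus the endpoint check that consults it.

Each distinct customer that reports an infection from a domain lowers that
domain's score, so the score worsens over time as more infections are seen.
Domains, reporter names, starting score and threshold are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ReputationDB:
    default_score: int = 70          # neutral score for a never-seen domain
    penalty: int = 15                # score lost per distinct reporting customer
    scores: dict = field(default_factory=dict)
    reports: dict = field(default_factory=dict)  # domain -> set of reporters

    @staticmethod
    def domain(url: str) -> str:
        """Normalise a URL to the host the reputation is keyed on."""
        host = (urlsplit(url).hostname or "").lower()
        return host.removeprefix("www.")

    def report_infection(self, url: str, reporter: str) -> int:
        """Record that `reporter` saw malware from `url`; returns the new score.
        Repeated reports from the same customer do not lower the score again."""
        d = self.domain(url)
        self.reports.setdefault(d, set()).add(reporter)
        self.scores[d] = max(0, self.default_score - self.penalty * len(self.reports[d]))
        return self.scores[d]

    def score(self, url: str) -> int:
        return self.scores.get(self.domain(url), self.default_score)


def check_download(db: ReputationDB, url: str, block_below: int = 50):
    """Endpoint-side gate run before a download: (allowed, score)."""
    s = db.score(url)
    return (s >= block_below, s)


if __name__ == "__main__":
    db = ReputationDB()
    db.report_infection("http://www.bad-example.test/dl/a.exe", "customer-A")
    db.report_infection("http://bad-example.test/dl/b.exe", "customer-B")
    print(check_download(db, "https://bad-example.test/other/file.zip"))
```

Note that the score is keyed on the domain rather than the exact URL, so a single malicious upload on a shared hosting provider will also lower the score for every other site on that host; real services key on finer-grained paths and let customers override blocks for that reason.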

Installation Considerations

Consider where in the network the detection software should be installed. One common approach is to install software on the user’s computer itself (endpoint approach). The drawback of this approach is that the malicious software is allowed into the company’s network, and if the detection software misses it at the endpoint, there are no further opportunities to block it from running.

Alternatively, companies can install security software or hardware between the endpoint and the internet (gateway approach). Using this technique, a malicious email can be detected before it arrives at the endpoint. And if the malware does evade detection at the gateway, there is still a second chance to detect it if endpoint detection software is used in combination with the gateway software.

Network Design Considerations

Consider designing a network in a way that minimizes the harm an infection can cause if ransomware evades security safeguards. One useful approach is segmentation, where a single physical network is split up into many separate virtual networks and communications across these virtual networks are heavily restricted. If one network is compromised, the harm is minimized because the infection typically cannot reach the other networks.

Access Restrictions

Companies can restrict user permissions to the minimum necessary for specific employees to perform their jobs. If a user can access only certain databases and not others, then it is less likely that an infection of the user’s computer will impact the databases to which the user has no access. Limiting the applications that a user can install and use may also prevent the inadvertent execution of malicious code.

Business Continuity Measures

Companies and institutions should also consider ransomware when formulating incident response and business continuity plans. Such plans should consider, for example:

  • The internal methods for containing a ransomware attack
  • Implementation of alternative means of accessing crucial systems and data in case access to the primary systems is disrupted (e.g., database mirroring)
  • Conducting regular penetration tests and vulnerability assessments
  • Ensuring that data backups are separately secured from cybersecurity threats

Responding to a Ransomware Attack

Even with the best cybersecurity measures in place, ransomware attacks are not completely preventable. Responding to an incident is a critical part of a reasonable security effort and should be memorialized in a company’s incident response plan. A company’s response should consider:

  • Best practices for identifying, containing, and removing the infection, including whether to pay the demanded ransom
  • Whether the incident is a breach requiring notice to customers or regulators

Contain the Attack

You should deploy cybersecurity professionals as soon as possible to help identify, contain, and remove the infection, as well as attempt to recover impacted data. During this phase:

  • Identify the source and type of infection
  • Remove the ransomware from the network or system
  • To the extent possible, reverse the damage inflicted by the ransomware to restore access to the lost or compromised data
  • Where impacted data cannot be directly recovered, restore the data from available back-ups

Ensure the ransomware has not already infected the data backups. Sophisticated attackers sometimes lurk in the infected system for some time before taking any malicious action, and in that case the backups taken during that period may also be infected.
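One concrete way to check a restore candidate before relying on it, as an added example that is not code from the article: record a hash manifest when the backup is taken and store it separately from the backup, then verify the backup set against that manifest before restoring. Files that were encrypted, replaced, removed or added after the manifest was written are reported rather than silently restored. The directory layout and file contents below are constructed in a temporary directory for the demonstration.

```python
"""Added example, not code from the article: verify a backup set against a
hash manifest recorded when the backup was taken, so files altered after that
point (e.g. encrypted by ransomware) are caught before they are restored.
The manifest is assumed to be kept separately from the backup itself.
Directory layout and file contents are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """{relative_path: sha256} for every file under root (written at backup time)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the backup set now on disk with the manifest recorded earlier."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)   # content changed after backup
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in current if rel not in manifest]
    return {k: sorted(v) for k, v in result.items()}


def build_demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the backup set."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    files = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "db/c.dat": b"charlie"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = build_manifest(root)          # stored separately in real use
    # Simulate post-backup tampering: one file rewritten with junk bytes,
    # one removed and replaced by a renamed ".locked" copy.
    with open(os.path.join(root, "docs/a.txt"), "wb") as f:
        f.write(b"\x93\x11\xf0\x2a\xc4")
    os.remove(os.path.join(root, "db/c.dat"))
    with open(os.path.join(root, "db/c.dat.locked"), "wb") as f:
        f.write(b"\x01\x02\x03")
    return verify_backup(root, manifest)


if __name__ == "__main__":
    print(build_demo())
```

The check is only as trustworthy as the manifest: if it is stored alongside the backup, an attacker who can encrypt the backup can usually rewrite the manifest as well, which is why it belongs on separately secured (ideally offline or write-once) storage.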

In many cases it is prudent to use third-party specialists rather than internal resources to assist in ransomware recovery, as these specialists generally have more familiarity with these types of attacks and have access to specialized tools.

Engage Legal Counsel

Given the need for attorneys to analyze relevant breach notification statutes (discussed below) and the possibility of regulatory inquiry, you should engage legal counsel immediately on learning of a ransomware attack.

Legal counsel should consider that these incident-response activities can be protected by privilege or work-product protections. While it is often necessary following an attack to understand if a company might have done something wrong to allow the attack to occur, care needs to be taken to avoid unnecessarily generating documents that could be later used by an adversary to support a liability claim.

Under the dual-purpose doctrine, where applicable, the existence of a business purpose does not prevent a lawyer’s analysis from receiving privilege or work-product protections. As a result, companies often desire to have counsel (including outside counsel) retain and supervise the work of third-party investigators. Similarly, the output of this analysis (e.g., privileged reports) should be appropriately marked and their use restricted. In certain cases, particularly where litigation is foreseeable, companies prefer taking a dual track approach where privileged and non-privileged investigations run side by side, each with an appropriately tailored scope.

Determine Whether to Pay the Ransom

When undoing the damage caused by a ransomware attack is not possible (e.g., unbreakable encryption, or no back-ups available) companies are forced to consider whether to pay the ransom. Even if recovery is theoretically possible, paying the ransom may seem an attractive option compared to the costs of restoring files from a backup, lost productivity, and the harm that could result should the incident become public.

While no court or legislature has specifically addressed the legality of paying the demanded ransom to a hacker, the FTC notes that law enforcement does not recommend paying the ransom.5 In addition, the hacker may not necessarily return access to the victim’s files upon receipt of the ransom payment as discussed above.

Contact Law Enforcement

Regardless of whether you decide to pay the ransom, you should contact law enforcement for assistance and take a screenshot or photograph of the ransom note for the police investigation. At a minimum, filing a police report creates an evidentiary record if you file a claim under an existing cybersecurity insurance policy.

Consider Breach Notification Laws

Determine whether the incident is a breach that requires you to provide notice to affected customers or regulators. Fulfilling the notice requirement may turn a matter into a public incident, which can result in far more risk for an organization. The issue of whether ransomware requires public notice is not straightforward, as it falls into an area where the various sources of notice obligations appear to disagree.

The simplest case is where a notice statute defines breach as including mere access to personal information (PI) alone. For example, New Jersey’s data breach law defines a data breach as:

unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.6

It appears straightforward that ransomware accesses PI when it encrypts that data, and thus, notice likely must be provided.

Where the statute defines a breach in terms of data acquisition, the notice issue becomes more complex. While hackers typically do not view or take the PI, there appears to be some disagreement on whether a ransomware attack can be considered a data acquisition.

For example, Vermont’s data security law defines a data breach as the:

unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information maintained by the data collector.7

The statute describes several factors that can be considered when determining if data has been acquired:

  • Information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information
  • Information has been downloaded or copied
  • Information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported
  • Information has been made public, such as posting on a website

In light of this guidance, ransomware may not be considered a data acquisition under Vermont’s statute. However, guidance provided by the HHS in the context of HIPAA, which also relies on the data acquisition standard, advocates the opposite conclusion:

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “ . . . low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.8

Accordingly, organizations cannot rely on the data acquisition standard alone to conclude that notice is not required and must instead look to how that term has been construed in each particular context.

Other notice statutes define a data breach in terms of an access or acquisition, but also require some showing of specific harm to the public. For example, the EU’s General Data Protection Regulation (GDPR) imposes a 72-hour notification rule that applies to situations where personal data is accessed. The GDPR requires notification to local data protection authorities and to consumers. However, notification is only required where the breach resulted in a risk to the rights and freedoms of consumers. So, while the EU’s data regulations impose a breach notification requirement, whether any particular ransomware attack caused enough harm to trigger this notification is a fact-specific inquiry.

Recently, regulators have expressed interest in amending existing data breach notification laws to expressly require notice of ransomware attacks. For example, North Carolina introduced a bill in January 2018 to amend its data breach notification laws to expressly cover ransomware:

Any incident of unauthorized access to or acquisition of someone’s personal information is a breach. The new definition will now include Ransomware attacks—these are when personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the affected consumer(s) and the Attorney General’s office. This will empower the affected person and the Attorney General’s Office to determine the risk of harm— not the breached organization.9

Unlike in other types of data breaches, a company may not be able to identify with particularity the identity of the impacted data subjects while the data is inaccessible. Without access to the data, a company may not be able to determine with precision which particular breach notification statutes have been triggered. In these circumstances, a company may need to make good faith decisions to meet these obligations as best as it is able (e.g., provide substitute notice) and be prepared to defend its response before applicable regulators.

Finally, be aware of the increasing recognition that ransomware harms consumers.10 If regulators or courts accept this theory of consumer harm in connection with a ransomware attack and the harm is more easily quantifiable, an influx of ransomware-related class action lawsuits may result, similar to other types of data breach-related lawsuits.

Ethical Obligations for Lawyers

Law firms, with large repositories of sensitive and valuable client data, are tempting targets for hackers and attacks of all types, including ransomware. As a result, lawyers are under an ethical obligation to take the necessary steps to protect client data from these types of attacks.

The ABA Standing Committee on Ethics and Professional Responsibility Opinion 477R (Revised May 22, 2017) imposes a fact-specific obligation on lawyers to undertake “reasonable efforts to prevent inadvertent or unauthorized access” to client information arising from cyberattacks. The reasonable efforts standard rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.11

The opinion also provides a list of factors to consider when determining the severity of the preventive measures that must be implemented to fulfill this obligation, including the:

  • Sensitivity of the information
  • Likelihood of inadvertent disclosure
  • Cost and difficulty of implementing safeguards
  • Extent to which the safeguard will impede the lawyer’s ability to represent their client

Given the foreseeability of ransomware threats, lawyers should interpret the ethical obligation to prepare for cyberattacks to include measures to defend against ransomware.


Nolan Goldberg is a litigator with Proskauer Rose LLP, whose practice focuses on matters that have complex computer technology-related issues, including cyberlaw, patent and trade secret litigation, and commercial disputes. In the context of data security, Nolan uses his electrical engineering background, coupled with a litigation and risk management-centric focus, to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants) and uses this intimacy with the facts to develop defenses and strategies that might otherwise be overlooked or less effective. And when it comes time to defend the company in litigation or before the regulators, Nolan uses this deep familiarity with the company and its systems to great effect. Nolan is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (CIPP) and a Certified Information Privacy Technologist (CIPT). Nolan is also a frequent author and speaker on the intersection of technology and law. Anisha Shenai-Khatkhate is an associate in the Litigation Department at Proskauer Rose LLP. Her practice focuses on matters pertaining to intellectual property and privacy law.


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Cybersecurity Risk Management > Practice Notes


1. Opening Remarks of FTC Chairwoman Edith Ramirez, September 7, 2016, https://www.ftc.gov/system/files/documents/public_statements/983593/ramirez_-_ransomware_remarks_9-7-16.pdf.
2. See 45 C.F.R. §§ 160, 162, and 164.
3. 45 C.F.R. § 164.306(b).
4. Fact Sheet: Ransomware and HIPAA, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
5. How to Defend Against Ransomware, https://www.consumer.ftc.gov/blog/2016/11/how-defend-against-ransomware.
6. N.J. Rev. Stat. § 56:8-161. Emphasis added.
7. 9 Vt. Stat. Ann. tit. 9, § 2430. Emphasis added.
8. Fact Sheet: Ransomware and HIPAA, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Emphasis added.
9. Act to Strengthen Identity Theft Protections, http://ncdoj.gov/CMSPages/GetFile.aspx?nodeguid=89988b8d-2bbe-4854-bc7f-a77cfc4b38b2&lang=en-US.
10. Ransomware: A Closer Look, https://www.ftc.gov/news-events/blogs/business-blog/2016/11/ransomware-closer-look.
11. Opinion 477R (Revised May 22, 2017), https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.authcheckdam.pdf.