By: Sunil Shenoi, Erica Williams, Brian Kavanaugh, Gianni Cutri, and Lauren Casazza, Kirkland & Ellis LLP
This article provides companies with key issues to consider before, during, and after a ransomware attack. Recently, there have been a number of ransomware attacks against our clients. Ransomware typically encrypts one or more IT systems, causing them to become inoperable unless a company pays a ransom (usually in Bitcoin or another cryptocurrency). In many instances, ransomware effectively shuts down all or a substantial portion of a company’s business. Because of the potential harm, companies should prepare for this type of attack as they would for any other potential disaster.
This article is designed to provide companies (and their financial sponsors, if applicable) with key issues to consider before, during, and after a ransomware attack.
Companies should consider obtaining cyber liability insurance, which can cover the cost of responding to a ransomware attack (e.g., counsel, forensic IT firms) and remediating the IT environment, as well as fees or liability from lawsuits or claims resulting from an attack. Companies should also consider whether existing insurance policies (e.g., property or business interruption policies) cover cybersecurity incidents.
Incident Response Policy
Ransomware attacks often create a significant crisis for a company, which can face pressure from customers, business partners, investors, and employees to resume business operations as soon as possible. Establishing an incident response policy ahead of time can help companies respond to such attacks in a more expeditious and orderly manner, which can help minimize potential business disruption and damages from a ransomware attack. An incident response policy should consider:
Companies should consider making regular backups of their IT systems, key assets, and critical configurations. Once backups are made, they should be stored in a location that is not accessible from the company’s operating or production environment. Taking these actions might enable a company to avoid or minimize potential damage from a ransomware attack.
Emotet and Trickbot
Malware is constantly evolving, but two types that have been used in a number of recent ransomware attacks are called Emotet and Trickbot. The attacks often begin one to three weeks before systems become encrypted, so corporate IT teams should consider periodically checking for indications of whether these types of malware are operating on a company’s systems. If such activity is detected, even if quarantined by anti-virus or anti-malware software, then a potential ransomware attack could be forthcoming. Contact your legal counsel and a forensic IT specialist for more information about addressing these types of malware.
Whether to Pay the Ransom
Several factors should be considered in determining whether to pay the ransom demand. Although law enforcement discourages victim companies from paying a ransom, some companies have paid the ransom when the affected systems are not backed up or cannot be restored from backups, or when a company cannot afford the disruption from restoring or rebuilding its IT environment. Some studies indicate that in 50 to 70 percent of ransomware cases, companies pay the ransom. Even then, the decryption key is not guaranteed to work.
Before making a payment, companies need to consider whether doing so would violate U.S. law prohibiting payments to individuals or entities that are subject to U.S. economic sanctions or that are designated as terrorist organizations. While the odds of conclusively determining an attacker’s identity are low, companies and their counsel should nevertheless seek to conduct due diligence on the attacker’s identity (usually based on the attacker’s Bitcoin wallet) to determine whether such a payment would violate U.S. law.
Forensic IT Specialist
A forensic IT specialist can assist with investigating the ransomware attack, including determining the root cause and advising on potential remediation options. Determining the root cause is important to properly eradicate the ransomware and prevent reinfection. To facilitate a rapid response, companies should consider establishing a relationship with a forensic IT specialist in advance of a cybersecurity incident.
In addition to the issues described above, counsel can advise on potential legal issues arising from a ransomware attack, including whether public disclosures or notifications to investors, individuals, customers, business partners, lenders, and regulators are required. Securities and Exchange Commission guidance requires disclosure of material cybersecurity risks and incidents, and while the monetary impact is certainly not the only factor in determining materiality, it can be an important factor in disclosures related to ransomware attacks. In 2017 alone, Merck, FedEx, and Maersk disclosed estimated losses from ransomware attacks totaling $310 million, $300 million, and $200 million to $300 million, respectively.
If public disclosure is required per the above guidance, or to the extent that the issue is otherwise leaked, it can be helpful to engage crisis communications experts who can assist in mitigating any potential reputational effects and in enhancing the company’s legal strategy.
Companies that are victims of a ransomware attack should notify their cyber liability carriers, which can provide options for legal counsel, forensic IT specialists, and other consultants that can assist in responding to a data breach. Failure to follow procedures in the policy can preclude coverage for certain expenses, such as fees for legal counsel or forensic IT specialists.
Many forms of ransomware embed themselves deep in a company’s systems in order to launch future attacks. Even after paying a ransom and applying a decryption key, or after restoring the systems from backups, companies should consider monitoring their systems and network for potential reinfection attempts by the ransomware.
Review IT Security
To help prevent future attacks, companies should consider reviewing their IT security environment for other potential active threats, while also reviewing their security controls for potential enhancements. Many consultants can assist companies with performing an IT security assessment, which can include threat hunting and benchmarking a company’s security practices against those of its peers.
Legal counsel can advise on whether companies are required to notify employees, customers, investors, regulators, or others of the ransomware attack. Even if such notification is not legally required, companies should consider whether notification is nevertheless appropriate as a business matter.
Litigation and Enforcement
Companies that are victims of ransomware attacks typically have not been the subject of follow-on civil litigation or government enforcement actions. However, in 2018, a class action complaint was filed against Allscripts following a ransomware attack that crippled its operations for about a week. While that case is still pending, it is likely that, with ransomware attacks becoming more common, shareholders and other stakeholders will demand greater protection from companies if and when an incident occurs. As such, we anticipate that litigation and enforcement actions related to ransomware are likely to rise in the coming months and years.
Sunil Shenoi is a partner in the Government & Internal Investigations Group of Kirkland & Ellis LLP. He focuses his practice on advising private equity firms and their portfolio companies on international risk issues in cross-border transactions, including Foreign Corrupt Practices Act (FCPA), anti-money laundering, and economic sanctions issues.
Erica Williams is a partner in the Government, Regulatory & Investigations Group of Kirkland & Ellis LLP. Erica focuses her practice on internal investigations and defense of companies and individuals accused by the government of involvement in securities law violations, white collar crime, and other major business litigation disputes and crises.
Brian Kavanaugh represents clients in a wide range of complex litigation matters in arbitration and in state and federal courts throughout the United States. He has extensive experience both counseling clients and litigating disputes arising in the healthcare sector. Brian also co-leads Kirkland’s Data Security & Privacy Practice.
Gianni Cutri is a partner focusing on high-tech IP and commercial litigation, postgrant review proceedings, and data protection and privacy matters. He regularly advises clients on significant security breaches, such as theft of trade secrets and source code, intrusions by suspected state actors, and extrusion of employee financial and tax data.
Lauren Casazza is a litigation partner in Kirkland’s New York office. Lauren leads internal investigations for corporations on highly sensitive matters and advises clients on policies, procedures, and compliance issues, including with respect to unlawful harassment and other workplace misconduct matters.