Federal agencies (FBI, CISA, HHS, Treasury-FinCEN) issued ransomware attack warnings for financial institutions in October 2020, associated with money laundering activities, and launched a campaign on January 21, 2021 to reduce the risk of ransomware.
The Three Most Common Types of Ransomware
For ransomware to be activated, code must be installed on a system, and access must be expanded. Many systems are compromised because the software is not appropriately kept up to date, and security architecture is poorly designed. Ideally, a ransomware attack will be prevented. However, many organizations have not performed appropriate risk assessments to guide proper governance, technology and business investments.
Most IT risk assessment approaches are challenged by executives because they are based on qualitative rather than quantitative risk. IT risk assessments based on maturity can provide a valid approach to risk management and should be built on established security standards for risk mitigation, such as the CIS Top 20 Controls (formerly the SANS Top 20). A sound IT risk management program is the cornerstone of managing cybersecurity and minimizing attacks, and it is an effective mechanism for reporting risk metrics to senior executives.
Many organizations are not properly logging and monitoring actions taken on their systems, which results in poor detection and response. Organizations must collect logs from critical devices and feed them into anomaly and threat detection solutions. Log management is critical to an effective incident management program and is surprisingly affordable when using managed security service providers (MSSPs).
In addition to having an incident management program, organizations should consider aligning with and certifying against security standards such as the NIST Cybersecurity Framework (CSF) to manage and track their program’s effectiveness.
The following minimum steps should be taken to prevent and respond to cyberattacks:
- Keep operating systems and applications up to date
- Automatically update antivirus software and run regular scans
- Back up data regularly and have a master backup in offline storage
- Establish a security information and event management (SIEM) solution with corresponding processes
- Have a cyberattack triage service and legal advisor on retainer
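The logging and SIEM points above are abstract, so here is an added example (not code from the article) of what a minimal detection pass over endpoint file-activity logs looks like. The JSON log format, field names, hostnames, the process name `unknown.exe` and the thresholds are all constructed for illustration; the two rules (a burst of distinct files modified by one process inside a short window, and many files renamed to the same new extension) are generic and would be mapped onto whatever telemetry the endpoint agent or file server actually emits.

```python
"""Minimal SIEM-style detection pass over endpoint file-activity logs.

Added example, not code from the article. The log format, field names,
hosts, process name and thresholds are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window for the burst rule
BURST_THRESHOLD = 5              # distinct files touched by one process in WINDOW
RENAME_THRESHOLD = 3             # files renamed to the same new extension

# Constructed sample log: one JSON object per line, as an endpoint agent might emit.
# ws-07 shows ordinary document editing; ws-12 shows a process rewriting a share.
SAMPLE_LOG = """
{"ts":"2021-01-21T10:00:00","host":"ws-07","proc":"WINWORD.EXE","op":"write","path":"/home/a/report.docx"}
{"ts":"2021-01-21T10:05:00","host":"ws-07","proc":"WINWORD.EXE","op":"write","path":"/home/a/budget.xlsx"}
{"ts":"2021-01-21T10:10:00","host":"ws-07","proc":"WINWORD.EXE","op":"write","path":"/home/a/report.docx"}
{"ts":"2021-01-21T10:12:00","host":"ws-12","proc":"unknown.exe","op":"rename","path":"/srv/share/q1.docx","new_path":"/srv/share/q1.docx.locked"}
{"ts":"2021-01-21T10:12:01","host":"ws-12","proc":"unknown.exe","op":"rename","path":"/srv/share/q2.xlsx","new_path":"/srv/share/q2.xlsx.locked"}
{"ts":"2021-01-21T10:12:02","host":"ws-12","proc":"unknown.exe","op":"rename","path":"/srv/share/q3.pdf","new_path":"/srv/share/q3.pdf.locked"}
{"ts":"2021-01-21T10:12:03","host":"ws-12","proc":"unknown.exe","op":"rename","path":"/srv/share/q4.pptx","new_path":"/srv/share/q4.pptx.locked"}
{"ts":"2021-01-21T10:12:04","host":"ws-12","proc":"unknown.exe","op":"rename","path":"/srv/share/q5.docx","new_path":"/srv/share/q5.docx.locked"}
{"ts":"2021-01-21T10:12:05","host":"ws-12","proc":"unknown.exe","op":"write","path":"/srv/share/README_RESTORE.txt"}
"""


def parse_events(text):
    """Parse JSON-per-line log text into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def ext_of(path):
    """Lower-cased extension of the final path component, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(events):
    """Run both rules over the event stream; return one alert per (host, proc) per rule."""
    alerts = []
    recent = defaultdict(deque)                          # (host, proc) -> recent (ts, path)
    burst_flagged = set()
    renamed_to = defaultdict(lambda: defaultdict(set))   # (host, proc) -> new_ext -> {paths}
    rename_flagged = set()

    for ev in events:
        key = (ev["host"], ev["proc"])

        # Rule 1: many distinct files touched by one process inside WINDOW.
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= BURST_THRESHOLD and key not in burst_flagged:
            burst_flagged.add(key)
            alerts.append({"rule": "mass_file_modification", "host": ev["host"],
                           "proc": ev["proc"], "files": len(distinct),
                           "at": ev["ts"].isoformat()})

        # Rule 2: files renamed to one uniform new extension by the same process.
        if ev["op"] == "rename":
            new_ext = ext_of(ev["new_path"])
            if new_ext and new_ext != ext_of(ev["path"]):
                renamed_to[key][new_ext].add(ev["path"])
                if (len(renamed_to[key][new_ext]) >= RENAME_THRESHOLD
                        and (key, new_ext) not in rename_flagged):
                    rename_flagged.add((key, new_ext))
                    alerts.append({"rule": "uniform_extension_rename", "host": ev["host"],
                                   "proc": ev["proc"], "new_ext": new_ext,
                                   "files": len(renamed_to[key][new_ext]),
                                   "at": ev["ts"].isoformat()})
    return alerts


def run_sample():
    """Convenience entry point: run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both rules fire only for the ws-12 process and stay quiet for the ordinary editing on ws-07; the thresholds are deliberately low so the sample triggers them, and in practice they would be tuned against a baseline of normal activity. The value of the example is less the rules themselves than the prerequisite they expose: neither rule can run unless file-activity events from the critical devices are actually being shipped somewhere central, which is the gap the article says most organizations have.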
The State of Ransomware 2020 study sponsored by Sophos calculates that 73% of ransomware attacks were successful, with an average cost of $732,520 when the ransom was not paid versus $1,448,458 for organizations that paid it. When responding to a ransomware attack, organizations must understand the extent of the attack and its legal ramifications. It is essential to have a digital forensics and incident response (DFIR) provider on retainer that will assist with scoping, containment, recovery, and remediation.
Legal guidance is critical when responding to ransomware attacks. As a preliminary matter, the ransomware victim must decide whether it wishes to conduct the response under attorney-client privilege through an outside law firm. Acting hastily, without legal counsel, can make it difficult to later apply the shield of privilege to acts taken as part of a ransomware response. According to the October FinCEN advisory, processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more money services businesses (MSB). Many ransomware schemes involve convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators.
64% of organizations had appropriate ransomware insurance, and in 94% of those cases the insurer paid the ransom. The victim must then consider the legal implications of its response to the ransomware demand. For example, the recent Department of the Treasury Office of Foreign Assets Control (OFAC) guidance suggests that a ransomware payment can be unlawful if it is made to sanctioned persons or entities, even if the identity of the entity receiving the payment is unknown to the victim making the payment. Similarly, regulated entities such as financial institutions may be legally required to notify their regulator before making a ransomware payment. Even where it is not legally required, such notice is best practice for certain regulated industries.
There are also numerous related legal issues. For example, a victim must determine whether it was a data breach or only a denial of service. Often ransomware demands are based in part on losing control of customer data. This can create legal obligations to notify state attorneys general and customers.
These notice requirements vary between states and often have different deadlines and required information. There can also be data breach notification requirements to both state and federal regulators.
In addition to data breach notification requirements, some victims are subject to cybersecurity regulations that carry their own notice requirements. This is particularly true for regulated financial institutions like banks and payments companies.
Some cybersecurity regulations also have certification requirements related to a cybersecurity breach. The potential impact of a breach on such certifications should be considered well before the certifications are due.
The event leading to the ransomware demand can also create legal issues arising from the victim’s contractual relationship with its customers. A victim should ensure that it complies with contractual requirements to notify its customers of data breaches. It should also take care to adhere to contractual requirements concerning the sharing of customer information in connection with a breach response.
Finally, a victim will need legal guidance concerning how it deals with any internal failures that led to the ransomware attack. This can include personnel matters ranging from reporting complicit employees to law enforcement, to taking punitive action against negligent employees. It often involves ensuring that reports are provided to senior management and the Board of Directors and that the response to any identified issues is properly documented.
Complying with these legal requirements is often relatively easy, yet they are frequently overlooked, which can turn an inexpensive compliance requirement into a costly mistake. If these legal issues are addressed up front, the response goes much more smoothly when an attack happens. If you have reason to think that any of the legal issues discussed above may be implicated in a ransomware incident, you should include outside counsel in discussions concerning the response as early as possible.