As the Covid-19 virus wreaks havoc on the world’s economy, businesses continue to suffer from the relentless spread of a different kind of “virus”—ransomware attacks, which deploy malware to render IT systems inoperable or data inaccessible unless and until a ransom is paid.
According to the FBI, ransomware attacks are increasingly “targeted, sophisticated, and costly,” with one cybersecurity firm estimating that they will cause $20 billion in damages in 2021. And ransomware attacks can be particularly debilitating in today’s post-Covid world, when organizational reliance on IT systems is at an all-time high.
Hackers Are Capitalizing on the Crisis
Research from Microsoft has confirmed one of our worst cyber fears: cyber criminals are taking full advantage of the pandemic to target organizations when they are at their most vulnerable. For example, hackers have recently increased ransomware attacks on hospitals, health-care providers, and aid groups just when those organizations—and our society—most need their IT systems and data to save lives.
But if that headline wasn’t bad enough, there’s more disturbing news in the fine print. Not only are hackers cruelly targeting the world’s medical and aid lifelines, but they’re escalating the damages associated with each attack. According to Microsoft’s research, ransomware attackers are now infiltrating systems, exfiltrating data, and lying in wait before announcing their presence and demanding payment when targeted victims are at their most vulnerable—as the health-care industry is in today’s world.
From the hackers’ perspective, the extra patience is well worth the wait, as it empowers them to extort even more money from their increasingly desperate victims. And even when ransoms are paid, attackers are remaining in victims’ IT systems so that they can live to attack again.
Preventing Ransomware Attacks Before They Happen
What can be done? With recent data revealing that paying the ransom is an increasingly ineffective remediation tool, it can now truly be said that an ounce of ransomware prevention is worth a pound of cure. Before an attack, organizations of every shape and size should implement a program of preparatory steps critically important to staving off attacks.
Such a prophylactic program would include:
- Providing training on cyber hygiene to employees, from top executives to the rank-and-file, with a particular focus on the risks and threats associated with remote work;
- Redoubling efforts to identify and patch vulnerabilities, including an immediate assessment of vulnerabilities associated with the current remote work environment—think of the online meeting technologies employees have been downloading in recent weeks, to take just one example—as well as attention to the basic “blocking and tackling” of patch installation and operating system upgrades;
- Investing in intrusion detection capabilities, and ensuring that intrusion alerts are remediated promptly;
- Updating system, vendor, and third-party risk assessments to address today’s increasingly remote workplace;
- Considering implementation of a vulnerability disclosure policy, to provide a framework for working with, and receiving reports from, third-party security researchers;
- Backing up IT systems and critical data to reduce ransomware exposure, and testing those backup systems and data to confirm they remain viable;
- Ensuring that cyber insurance covers costs associated with ransomware attacks; and
- Fostering pre-attack relationships with law enforcement to enable real-time access to resources, intelligence, and experience to assist investigation and remediation.
Effective Incident Response Can Make All the Difference
Just as importantly, companies should ensure that they have effective incident response plans that account for the unique challenges of ransomware attacks. The plan should deploy legal counsel in a leadership response role and engage forensic, technical, and other necessary advisers through counsel, to ensure that response efforts are confidential and protected by attorney-client privilege.
To increase crisis efficiency, companies should assess, in advance, potential disclosure obligations, including breach notification and data privacy laws and (for public companies) the SEC’s cybersecurity disclosure guidance, as well as industry-specific regulatory requirements.
Insurers may need to be notified promptly in the wake of an attack, and companies may have contractual obligations to vendors or customers, as well as potential reporting obligations to shareholders, to disclose cyber incidents that impact their data or systems. Identifying such notification requirements and preparing an execution strategy in advance of an attack will enable company leadership to focus its attention where it’s most needed: on crisis response and continuity of operations, rather than contract review and insurance policy analysis.
Exercising incident response plans can help companies troubleshoot gaps and develop muscle memory for crises. While the pandemic is likely not the time for a full-blown tabletop exercise, executives charged with incident response leadership should, at a minimum, give careful thought to the impact of today’s remote workplace on their company’s incident response capabilities and protocols.
Finally, the decision whether to pay a ransom should be approached with great caution. While law enforcement discourages such payments, the law does not generally prohibit them, though reasonable steps should be taken to ensure that the ransom recipient is not the subject of sanctions.
But beware: Before paying any ransom, companies should give careful consideration as to whether a payment would even prove effective—particularly given the findings of Microsoft’s recent research that hackers frequently remain in company systems post-payment, ready to strike again.
If our collective experience with the Covid-19 crisis has taught us anything, it’s that crisis preparation and effective incident response are of the utmost importance. Applying that lesson to combat ransomware could make all the difference.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Marshall L. Miller is a partner at Kaplan Hecker & Fink LLP, where he serves as head of the firm’s Washington, D.C., office. He advises corporations, board members, and senior executives with respect to internal investigations, criminal defense, cybersecurity, data privacy, regulatory compliance, and related civil litigation. He previously served as chief of the Criminal Division at the U.S. Attorney’s Office for the Eastern District of New York and, later, as principal deputy assistant attorney general and chief of staff for the Justice Department’s Criminal Division.