Help! My Data Is Held for Ransom!
Posted on 11/12/2019 at 11:20 AM by John Lande
What do you do at 4:30 p.m. on Friday when your data is encrypted and a message tells you it will take 500 Bitcoin to decrypt it? This scenario has become a routine occurrence across the United States for local governments, non-profit organizations, and for-profit companies. What should an organization do when it discovers its systems are locked?
Don’t Just Replicate, Back Up
Hopefully the organization has a backup. Many organizations routinely create a copy of their data in real time or close to real time. While this type of backup may protect against power failures and natural disasters, it may not be effective at mitigating ransomware risk. In some cases, real-time copying of data will copy the malware onto the copied server. When the ransomware kicks in, it can encrypt both the copy and the live system.
Organizations should examine whether their backup process includes any interruption in the transfer of data, so that malware on the primary system is not immediately carried over to the backup. If an organization is fortunate enough to have a clean backup, then it can purge the ransomware without worrying about paying.
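The distinction above, as an added simulation that is not part of the original post: a real-time mirror follows production into the encrypted state, while a point-in-time snapshot taken before the incident still holds readable data. File names, contents and hours are constructed, and "encryption" is a stand-in for what ransomware does to the files.

```python
"""Constructed simulation: why a real-time replica is not a ransomware backup."""
import copy


def simulate_ransomware(files):
    """Stand-in for encryption: make every file unreadable and rename it.
    (Constructed behaviour, not any real ransomware family's code.)"""
    return {name + ".locked": b"<encrypted>" + bytes(reversed(content))
            for name, content in files.items()}


class Mirror:
    """Real-time replica: every change on production is copied at once,
    so whatever happens to production, including encryption, happens here."""
    def __init__(self):
        self.files = {}

    def sync(self, production):
        self.files = copy.deepcopy(production)


class SnapshotStore:
    """Scheduled point-in-time copies, written once and never overwritten.
    The gap between copies is the 'interruption' the post recommends."""
    def __init__(self):
        self.snapshots = []  # list of (hour_taken, files)

    def take(self, hour, production):
        self.snapshots.append((hour, copy.deepcopy(production)))

    def restore_before(self, incident_hour):
        """Return the newest snapshot taken before the incident, or None."""
        clean = [f for h, f in self.snapshots if h < incident_hour]
        return clean[-1] if clean else None


def run_scenario():
    production = {"ledger.xlsx": b"Q3 balances", "contracts.docx": b"signed MSA"}
    mirror, snaps = Mirror(), SnapshotStore()
    mirror.sync(production)           # hour 0: both copies are healthy
    snaps.take(0, production)
    production = simulate_ransomware(production)   # hour 9: ransomware fires
    mirror.sync(production)           # replication dutifully copies the damage
    snaps.take(12, production)        # the next scheduled snapshot is also locked
    before = snaps.restore_before(9)  # but the hour-0 snapshot is untouched
    return {
        "mirror_recoverable": "ledger.xlsx" in mirror.files,
        "snapshot_recoverable": before is not None and "ledger.xlsx" in before,
    }
```

In practice the pre-incident snapshot must also be stored where the malware cannot reach it (offline or write-once media), which this simulation does not model.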
No Backup, Big Problem
If the organization does not have a backup, then it has to look at other options. The organization should contact knowledgeable counsel and a computer forensic team. The computer forensic team can begin an investigation to determine whether the data can be decrypted without paying the ransom. More urgently, the organization should isolate the encrypted computers from the rest of the environment if the ransomware has not already encrypted everything.
Counsel will help craft the scope of the forensic team’s inquiry. The organization can maintain attorney-client privilege and work product protection over certain communications and documents created during incident response. Organizations need to be able to respond to the incident, but at the same time they should make sure that they are not creating a discoverable paper trail that could later be used against the organization. The scope of the forensic team’s work can also influence whether the organization has to turn over the team’s work product in discovery. Legal counsel can help an organization define the scope of work to mitigate the risk of future disclosure.
The organization’s immediate concern should be responding to the ransomware incident. However, organizations should also be mindful of potential legal risks. Shareholders, customers, vendors, and insurance carriers may all be potential adverse litigants in the future, so the incident response should proceed with that risk in mind.
Notify Insurance Company
Fortunately, many organizations now have ransom insurance coverage. These policies often identify panel counsel and forensic investigators. Policies may allow organizations to hire their own, subject to approval by the carrier, or may require use of panel vendors. Ideally, the organization will have identified these professionals ahead of time. If not, and the policy itself is among the encrypted documents, then the organization should proceed with retaining knowledgeable experts.
Initial counsel or forensic experts can transition to panel professionals if necessary. However, it is ill-advised to wait days to begin remediating until panel professionals can be identified. From a forensic standpoint, it is important to make sure that logs and data are being preserved.
It is also important to keep in mind that panel insurance counsel should not advise an insured on the scope of insurance coverage. If there is ever a dispute with the insurance company over whether coverage applies—and there often is—then the organization will need to retain its own counsel.
To Pay or Not to Pay
Many organizations struggle with the question of whether to pay a ransom. It is difficult to take a principled position not to negotiate with fraudsters when an organization’s data is encrypted. If the organization has ransom insurance and the carrier is willing to pay, then it may be difficult for the organization to justify not paying. On the other hand, if the organization does not have insurance, then it needs to weigh the cost of recreating the data against the ransom demand.
Many organizations are also concerned about whether fraudsters will actually provide decryption keys if they do pay. Engaging trusted professionals, including an attorney and forensic investigator, can help an organization weigh the pros and cons of paying.
Organizations should think about what they will do in the event of a ransomware attack, so they are not left scrambling at 5 p.m. on a Friday trying to figure out what to do. Organizations should also review their insurance coverage to make sure they have the appropriate coverage, and identify knowledgeable professionals that can assist with incident response.
Categories: Cybersecurity Law
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.