Ransomware Dos and Don’ts

Posted by Mark Greisiger

A Q&A with John Mullen of Lewis Brisbois

In recent months, ransomware attacks have become more frequent, particularly in the healthcare space. While these attacks with their demand for payment give their victims few options for responding, companies can still prepare themselves to act quickly and effectively. Better yet, they can avoid ransom-seeking malware in the first place with sound security policies. I spoke with attorney John Mullen of Lewis Brisbois about best practices.

Please explain the ransom-based cyber-attacks we have been seeing. How are bad guy hackers able to conduct these attacks?
Ransomware is a type of malware that converts various types of files into encrypted files, making them inaccessible unless a decryption key is obtained. The most basic form of the malware encrypts files on the local machine where the malware is first installed, and from there can encrypt files on any shared folders that the local machine is mapped to (i.e., has permissions to access). Some seek credentials stored on the machines the malware touches to elevate permissions and allow the malware to spread to multiple shared folders or even other servers and workstations. The malware comes through malicious links or attachments on emails. Larger infections often occur when a hacker is able to infiltrate the network through traditional hacking (finding a vulnerability and using brute force credentials). Once inside the network, they can push out the malware to many or all servers and devices across it.

If the company doesn’t have good backups, it will have to pay the ransom or live without the encrypted data. Hackers understand this and have recently developed malware variants that delete backups in an attempt to force payment of the ransom.

Is this sort of attack generally covered under cyber liability policies?
There are coverage products available for costs related to legal and technical assistance when responding to a ransomware incident, for restoring systems to pre-attack condition, for public relations and response to regulator inquiries, and for the costs related to paying ransom to recover files.

Often, the perpetrator wants the ransom payment in Bitcoins. Can you speak to (a) how a client might negotiate with a bad guy and arrange to pay for the decryption key in order to unlock the data; and (b) the challenges of trying to set up a Bitcoin account in order to actually pay the ransom in a timely manner.
In our experience, there is no negotiation involved. The attacker requests the amount of Bitcoins they require and you can then pay and receive the keys or restore data from backup. Unfortunately, a company hit by ransomware only has those two choices. If the company doesn’t have good backups, it will have to pay the ransom or live without the encrypted data. Hackers understand this and have recently developed malware variants that delete backups in an attempt to force payment of the ransom.

For companies in this situation, there is a certain level of trust in believing that a criminal will stay true to his/her word and provide the keys upon payment of the ransom. Our clients are usually understandably worried that an attacker will not provide the keys upon provision of the Bitcoins. However, the hacker generally follows through. The hackers understand that it would be bad for business if they developed a reputation of cheating companies.

That being said, we have been involved with two incidents recently where the client supplied the amount of Bitcoins requested and the attacker has requested more. In both cases, the attacker stated they made a mistake when providing the original ransom amount. One client decided to pay the additional amount and received the keys without additional problems. The other client decided to ignore the additional request and successfully restored from backup.

Our clients have told us that one of the most difficult parts of a ransomware incident is obtaining the Bitcoins. However, there are options to make the process easier. Many cities with a young and technologically focused population have Bitcoin ATMs in bars and similar locations. You insert sufficient cash to obtain the amount of Bitcoin required and receive a receipt with a redemption code. You will then pass that code to the attacker, allowing them to obtain the Bitcoins. At least one forensic investigator we work with will obtain the Bitcoins on behalf of clients. In addition, we have developed a relationship with a Bitcoin vendor who has assisted several of our clients.

Once you obtain the keys, it’s still a resource-heavy process to decrypt the affected devices. Depending on the variant, each affected machine may require its own key. In addition, we have seen data stored locally on PCs deleted while the PC is undergoing the decryption process.

What are some of the defenses missing that can mitigate exposure to this threat?
There’s nothing new about how ransomware attacks occur so the usual defenses are available— education and training to recognize the malicious emails and websites where malware is inadvertently downloaded; vulnerability and penetration testing of internet-facing devices applications and firewalls; software patching, anti-virus updating and monitoring activity logs can all prevent or mitigate the effects of ransomware.

In summary…
We want to thank John Mullen for his insights gleaned from his team’s unique legal expertise, as they often help clients with two or three data breach cases per day (!). It’s all too easy for hackers to dupe an unsuspecting staffer into clicking on an innocent-looking email that is really camouflaged infected/malicious malware. This malware then robotically acts to encrypt their network while also displaying instructions for what to pay in order to get the decryption key in exchange for Bitcoins. Most clients dread the thought of dealing with this situation, not just for business interruption reasons but for moral reasons. That’s not even mentioning the logistical hassle of setting up a Bitcoin wallet in fast order—not so easy. Unfortunately, we must all prepare for this new reality and Mullen has helped us with that preparation.