What Can Be Done About Ransomware Attacks?
Legal advice from New York data security attorneys
By Jessica Glynn | Last updated on October 10, 2022
It was a typical, busy week for attorney Lisa J. Sotto. While putting out multimillion-dollar ransomware fires, she was also navigating an onslaught of Bitcoin demands from a denial-of-service extortion group that had launched a series of attacks to show it could cripple businesses.
“It’s been bad for a few years,” she says. “It’s getting worse.”
A partner at Hunton Andrews Kurth, and a leader in data breach work since 2005, Sotto says she’s never seen a more malicious threat environment. “And while I know law enforcement is very active in this space,” she says, “it still seems we’re not quite keeping up with the threat actors. They’re staying one step ahead of us. It’s really frustrating. I would like to see arrests. And extradition.”
Until that happens, screens will continue to lock up and ransomware infection messages such as this one will continue to appear: "We have taken control of your systems. Apologies."
And that’s when the race begins.
“Even if you don’t pay, it’s useful to start to negotiate as a delay tactic because you want to know if you can restore the system,” Sotto says. “You ask for proof of life—evidence they have your data and can decrypt it. They call themselves businesspeople, and they negotiate the way any legitimate business might. If you settle on a price, you need to transfer money over, exchange dollars for cryptocurrency. The choice of late is Monero. It’s a private currency, harder to trace.”
In Sotto's experience, only a small percentage of companies pay the ransom. Reasons not to pay include the obvious moral ones, the risk that the decryptor might not work, and the fact that paying a ransom to a party on the Office of Foreign Assets Control sanctions list puts the company itself at legal risk.
“Companies pay in two circumstances,” she says. “First, when they have no backups or backups that are corrupted and they are simply not able to get their systems up and running again, and they know they’ll turn to dust as a company if they don’t pay. The second circumstance is where ransomware is coupled with exfiltration of data. For some companies, the data is so sensitive that they’re willing to pay to buy some measure of peace.”
Barton’s Kenneth N. Rashbaum says that’s what happened with the Colonial Pipeline and JBS attacks. “For years, the FBI was advising people not to pay, but we saw the effect of locking down the systems was so dramatic on these companies,” he says. “Part of the calculus in paying was fear and uncertainty. We have our backups, but we don’t know what else is at risk. It’s a form of cyber terrorism.”
Rashbaum says far-sighted companies war-game the scenario. “They have a plan in place,” he says. “It’s written. It’s been tested. They know who the senior executive is who triggers the plan and their backup contact information and when to contact law enforcement. All this should be thought of in advance. The time to come up with the plan is not when you’ve seen the big red skull on your screen.”
Among the safeguards Rashbaum recommends are keeping antivirus and other malware defenses patched and up to date, and maintaining backup systems that can be brought online quickly. He warns that the exposure for not planning properly is more than financial; it's legal.
“There have been reports, particularly in the health care space, of agencies penalizing organizations following a cyberattack—not because they were attacked but for not having the plan in place, not having trained the staff, all of which are required by HIPAA and other regulations,” Rashbaum says. “All 50 states have data-breach notification laws, so a lot of what the lawyers do is advise on who to notify.”
Because navigating that 50-state patchwork of laws and their different notification triggers is so complicated, in-house technology attorney Liberty T. McAteer says lawyers in this space watch closely for new data privacy legislation and court interpretations.
“It’s only a matter of time before there starts to be mega litigation over this recent spate of hacks,” he says, adding that more than 200 companies were attacked in June 2021 alone. “Even five years ago, you could be a small mom-and-pop operator and not need to worry about having an information security program. Now, everyone is on notice. … There’s no door that can’t be broken down, no computer that can be 100 percent secure except for one left on the bottom of the ocean floor.
“If a person has to use it, it can be hacked.”