Preparing Your Company for Ransomware Attacks

With incidents on the rise, California companies should have a legal plan of action

By Nicole Robinson | Reviewed by Canaan Suitt, J.D. | Last updated on June 25, 2025

Featuring practical insights from contributing attorneys Megan M. Kayo and Tyler C. Gerking

Ransomware attacks are on the rise, and the tools being deployed by threat actors—people or groups who intentionally cause harm to digital devices or systems—are increasingly sophisticated.

As the techniques for deploying attacks continue to evolve, it becomes more and more important for a business to preemptively establish legal resources to support its response.

An Industry of Extortion

Megan Kayo, a cybersecurity attorney at Freshfields Bruckhaus Deringer in Redwood City, says ransomware can even be considered its own industry. “It’s become quite commoditized,” she says. “There’s ransomware as a service where there are different threat actor groups that really specialize in a particular part of that ecosystem.”

For example, one group might focus on finding vulnerabilities and infiltrating company systems, then selling access to another group that actually steals data or deploys ransomware. These specializations are making ransomware attacks more efficient.


New Strategies for Cybercriminals to Get a Ransom Payment

Kayo reports seeing shorter dwell times—that is, the amount of time that a threat actor is in a company’s system before deploying ransomware or stealing data. Plus, attackers are increasingly pursuing sensitive data. “When ransomware first was on the scene, it was really about encrypting data and the company would pay for that decryption key to be able to regain access to its data,” she says.

While these types of attacks still happen, she adds, so many businesses back up their data that they are unlikely to pay a ransom. Thus, threat actor groups are developing new ways to pressure companies to pay. This includes searching systems specifically for data such as Social Security numbers, credit card details or other sensitive customer information, then threatening to sell it on the dark web if companies don’t pay up.

Kayo has also seen these groups acting increasingly aggressively, even targeting executives via messaging systems like WhatsApp during an ongoing ransom negotiation. “They’re trying to make these executives feel a lot of pressure and fear, basically because they just want to get paid and get paid as quickly as possible,” she says.


Developing a Ransomware Protection and Mitigation Plan with an Experienced Attorney

While no business, regardless of size, is exempt from these threats, there are numerous ways to prepare a response plan.

Kayo recommends finding an attorney who specializes in cyberattack incident response—as opposed to one who does data breach litigation. This should be someone who has dealt with these kinds of threat actor groups, as well as law enforcement and forensic investigators, and knows how other companies have handled similar situations, she says. “That’s something that my clients are often interested in—how have other people dealt with it? Being able to provide that insight as the client is making their own decision is valuable.”

She also advises firms to keep an incident response lawyer on retainer. During a ransomware attack, which often results in litigation, communications are going to be very sensitive.

“You don’t want something that could have been protected by privilege, or documents that could have been protected by the attorney work-product doctrine, having to be produced in that litigation, which would be the case if a lawyer is not involved,” Kayo says.


Immediately Notify Insurance After a Ransomware Attack

An incident response plan needs to be created and regularly reviewed so everyone knows what to do if an attack occurs. “Don’t just write it up and file it away,” says Tyler Gerking, of Farella Braun + Martel in San Francisco. He is an insurance coverage attorney who works with policyholders before and after ransomware attacks.

His advice to businesses in this situation is to immediately notify their insurance company.

“They can really help in these situations,” he says, adding that the policyholder will often be required to get the insurer’s consent to hire vendors like lawyers, forensic investigators, and accountants for actual ransomware payments. Without prior consent from insurers, disputes could result. “Know who your team is before the event occurs and, if possible, get your insurance company’s preapproval for that team and write that team into your incident response plan.”

In the event a business hasn’t made these preparations, the insurance company should still be a first point of contact as it can offer resources and guidance. “Usually, a ransomware attack is a unique event for a company, and they may not really know how to most efficiently and effectively respond on their own,” Gerking says. “The insurance companies, on the other hand, deal with these all the time. They know they have to act fast in order to reduce their losses.”

Visit the Super Lawyers directory to find an experienced cybersecurity lawyer who can provide legal advice on developing cyber threat awareness training, risk management, a recovery plan, and business continuity in the event of a ransomware attack. To learn more about this area of law, see our content on data security and cyberattacks.
