Strategies for Businesses To Prevent Ransomware Attacks
By Jerry Grillo, Nancy Henderson, Lindsey Lewandowski, Nicole Robinson, William Wagner | Reviewed by John Devendorf, Esq., Canaan Suitt, J.D. | Last updated on January 29, 2026 | Featuring practical insights from contributing attorneys Brenda Sharton, Jason C. Kravitz, Liisa M. Thomas, John Rolecki, Daniel A. Cotter, Megan M. Kayo, David E. Gevertz and James J. Giszczak
Ransomware is malicious software (malware) that locks a victim out of its computer systems by encrypting files and, increasingly, also copies sensitive data out of the network, so that the attacker can demand a ransom in exchange for restored access and a promise not to publish what was taken. Ransomware attacks are on the rise, and the tools deployed by threat actors (the people or groups who intentionally cause harm to digital devices or systems) are increasingly sophisticated.
“Assume you’re going to get hit at some point,” says Jason Kravitz, head of the cybersecurity and privacy practice at Nixon Peabody in Boston. “Some people like to think it’s the equivalent of lightning striking, that it’s only going to happen to one in a million companies. It’s not.”
As the techniques for deploying attacks continue to evolve, it becomes more important for a business to preemptively establish legal resources to support its response. For more information about your legal options to avoid an attack or data breach, talk to a technology transactions attorney.
Understanding Ransomware Attacks on Companies
Few surprises cause more panic in the workplace than when a ransom note pops up on a computer, blocking access to critical files and threatening to publish sensitive data on the dark web unless the business owner pays up.
Attacks are on the upswing, says Brenda Sharton, global chair of privacy and cybersecurity at Dechert in Boston. Ransom amounts have soared, and, as was the case in 2021 when hackers brought Colonial Pipeline operations to a halt and created fuel shortages, they can stop customers in their tracks, too.
Sharton suggests a shift of focus from ransomware prevention to risk mitigation. “The short answer is that they can’t be prevented,” she says. “The question is: How do you reduce your cyber risk?”
Megan Kayo, a cybersecurity attorney at Freshfields US in San Francisco, says ransomware can even be considered its own industry. “It’s become quite commoditized,” she says. “There’s ransomware as a service where there are different threat actor groups that really specialize in a particular part of that ecosystem.”
For example, one group (often called an initial access broker) focuses on finding vulnerabilities and getting into company networks. It then sells that access to another group that actually steals the data or deploys the ransomware. This specialization makes ransomware attacks more efficient.
How Cyber Attacks Typically Begin
Attacks typically begin when threat actors gain access to a company's network, most often through phishing emails whose links or attachments an employee unwittingly opens, or through remote access services such as RDP or a VPN that are exposed to the internet and protected by nothing more than a password.
Once inside, the attackers install their tooling, search file servers for sensitive information, copy it out of the network, and encrypt at least some of the company's servers. Holding the data hostage, they demand payment in exchange for the decryption key and, increasingly, for a promise not to publish the stolen data.
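The encryption phase described above leaves a signature that endpoint telemetry can catch: one process rewriting many files within seconds, each with near-random content and an altered file name. The script below is an added example written for this page, not code from the article or from any product. The event format and the process names are constructed for illustration; it scores a stream of file-write events per process with three heuristics (burst rate in a sliding window, Shannon entropy of the written bytes, and a document extension followed by a foreign one) and flags processes that trip all three.

```python
"""Heuristic detector for the encryption phase of a ransomware attack.

Added example, not from the original article. Event layout is an assumption:
a real deployment would feed it from EDR, Sysmon or auditd file-write telemetry.
"""
import math
import random
from collections import defaultdict

WINDOW_SECONDS = 10        # sliding window for the burst check
MIN_FILES_IN_WINDOW = 20   # writes inside one window before we care
ENTROPY_THRESHOLD = 7.0    # bits per byte; encrypted data approaches 8
DOC_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; plain documents sit well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_tampered(path: str) -> bool:
    """True for names like 'report.docx.locked': a known document
    extension immediately followed by one we do not recognise."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    inner, outer = parts[-2], parts[-1]
    return inner in DOC_EXTENSIONS and outer not in DOC_EXTENSIONS


def analyze(events):
    """events: list of dicts {"ts": seconds, "proc": name, "path": str, "sample": bytes}.
    Returns {process: stats} where stats["suspicious"] is the verdict."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e["proc"]].append(e)
    report = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        # largest number of writes inside any WINDOW_SECONDS span
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        high_entropy = sum(shannon_entropy(e["sample"]) > ENTROPY_THRESHOLD for e in evs)
        tampered = sum(extension_tampered(e["path"]) for e in evs)
        n = len(evs)
        suspicious = (peak >= MIN_FILES_IN_WINDOW
                      and high_entropy / n >= 0.8
                      and tampered / n >= 0.5)
        report[proc] = {"files": n, "peak_in_window": peak,
                        "high_entropy": high_entropy, "tampered": tampered,
                        "suspicious": suspicious}
    return report


def constructed_events():
    """Constructed telemetry, not real data: a benign editor saving a few
    documents and a process encrypting a share at 10 files per second."""
    rng = random.Random(42)  # deterministic stand-in for ciphertext
    events = []
    text = b"Quarterly revenue summary for the board. " * 100
    for i in range(3):
        events.append({"ts": 100.0 + i * 30, "proc": "winword.exe",
                       "path": f"/shares/finance/report{i}.docx", "sample": text})
    for i in range(40):
        events.append({"ts": 500.0 + i * 0.1, "proc": "updater.exe",
                       "path": f"/shares/finance/invoice{i}.xlsx.locked",
                       "sample": rng.randbytes(4096)})
    return events


def flagged_processes(events=None):
    """Names of processes the heuristics mark as encrypting, sorted."""
    report = analyze(events if events is not None else constructed_events())
    return sorted(p for p, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for proc, stats in analyze(constructed_events()).items():
        print(proc, stats)
```

The thresholds are starting points to tune against your own telemetry. Backup agents and compression tools also write high-entropy data in bursts, which is why the verdict requires the extension change as well; in production the response would be to isolate the host rather than just log the verdict.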
“Many companies have misconceptions and say, ‘I’m not a big organization’ or ‘If I get attacked, it’s not a big deal. I don’t have a lot of sensitive information.’ The problem is that the threat actors are attacking any and all organizations. If your systems are all shut down, and you can’t communicate or operate, it will severely disrupt your business,” says James J. Giszczak, co-president and co-chair of the Data Privacy and Cybersecurity Practice Group at McDonald Hopkins in Bloomfield Hills, Michigan.
Essential Ransomware Protection: From Incident Response Plans to Multifactor Authentication
No matter the size of your company, an incident response plan is crucial, says Kravitz. “Companies that don’t have them are going to be completely paralyzed from a business perspective. The basic communications we’ve all been spoiled by, whether it’s email or text or company messaging programs, are going to be offline if your company is hit with a ransomware attack.”
Create and print a hard copy of your response plan with a list of alternate email addresses and phone numbers for staff members and for a good cybersecurity attorney. Never assume that you can simply restore from backup once threat actors have locked your original files: attackers routinely look for any backups reachable from the compromised network and delete or encrypt them first, so keep at least one copy offline or otherwise unreachable from production systems, and test that it actually restores.
Review your vendors' cybersecurity protocols, since their vulnerabilities can affect you too. Enforce strong, unique passwords, change them promptly whenever a compromise is suspected, and provide awareness training so employees can spot suspicious activity and report or quarantine malicious emails. Do not expose Remote Desktop Protocol (RDP) directly to the internet; placing it behind a virtual private network (VPN) that itself requires MFA closes one of the most common entry points.
If possible, deploy endpoint detection and response (EDR) software. It costs more than standard antivirus, but it watches for the behavior of an intrusion rather than relying on signatures of already-known malware, and so offers a higher level of protection. "The No. 1 thing a company can do to reduce risk is to have multifactor authentication (MFA) on all company accounts," adds Sharton.
Finally, recognize that small businesses are targeted, too. “I’ve seen many of them get hit,” Kravitz says. “Sometimes the ransom may only be $5,000 or $10,000 as opposed to the multimillions asked of a Fortune 500 company, but the attacks can be just as debilitating.” Security awareness and implementing best practices are essential for companies of any size.
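The backup caveat in this section is worth turning into a routine check: a backup that has never been restored is an assumption, not a control. The script below is an added example for this page, not the article's or any vendor's code. It assumes a simple layout (a tar archive with a SHA-256 manifest stored beside it, both made read-only), builds a small constructed source tree in a temporary directory, backs it up, restores it into scratch space and compares every file against the manifest, then shows what the same check returns when the archive no longer matches what was recorded.

```python
"""Restore test for an offline backup archive.

Added example, not from the original article. The archive-plus-manifest
layout is an assumption used for illustration, not a specific product's format.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_dir: Path):
    """Archive `source` and write a manifest of 'sha256  relative/path' beside it."""
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.sha256"
    lines = []
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            tar.add(file, arcname=rel)
            lines.append(f"{sha256_of(file)}  {rel}")
    manifest.write_text("\n".join(lines) + "\n")
    # An intruder with write access deletes or encrypts reachable backups;
    # read-only is the bare minimum, an offline or immutable copy is the goal.
    os.chmod(archive, 0o444)
    os.chmod(manifest, 0o444)
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Restore into scratch space and compare every file to the manifest."""
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            # refuse archive members that would escape the scratch directory
            for member in tar.getmembers():
                target = (root / member.name).resolve()
                if root not in target.parents:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(root)
        for rel, digest in expected.items():
            restored = root / rel
            if not restored.exists():
                missing.append(rel)
            elif sha256_of(restored) != digest:
                mismatched.append(rel)
    return {"files": len(expected), "missing": missing,
            "mismatched": mismatched, "ok": not missing and not mismatched}


def run_demo():
    """Constructed data: back up a small tree and restore-test it, then
    restore-test an archive taken after a file changed, against the old manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "shares"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        backup_dir = work / "backup"
        backup_dir.mkdir()
        archive, manifest = create_backup(source, backup_dir)
        good = verify_restore(archive, manifest)

        # Simulate a backup rewritten after the manifest was recorded.
        (source / "finance" / "ledger.csv").write_text("ENCRYPTED\n")
        tampered_dir = work / "tampered"
        tampered_dir.mkdir()
        tampered_archive, _ = create_backup(source, tampered_dir)
        bad = verify_restore(tampered_archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("clean backup:", good)
    print("tampered backup:", bad)
```

Run the verification on a schedule from a host that is not part of the production domain, and keep the manifest with the offline copy rather than on the file server it describes, since anything the attacker can reach they can also rewrite.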
Some Cyber Threats Are Extremely Difficult To Control
Phishing is the use of scam emails to trick recipients into revealing confidential information or opening a malicious link or attachment. It is a typical way for attackers to gain their first foothold on a company's systems and a prime example of a threat that is hard to control.
“You can’t guarantee against human error,” says Peter Quittmeyer, a partner specializing in computer law at Eversheds Sutherland in Atlanta. “Mistakes and breaches occur. When you have entire countries focused on finding and exploiting vulnerabilities, it’s really a race to the edge of current knowledge in technology.”
“Some of the biggest problems are right in front of us,” says Joe Whitley, who was the first general counsel for the U.S. Department of Homeland Security and is now with Womble Bond Dickinson in Atlanta. “Employees who bring their computers that might not be very secure to work, and you have individuals who walk away without turning their computers off. Also, the effects of social engineering have risen steadily.”
Working with an attorney to prepare for an incident can make a big difference in how you handle the situation.
Acquiring Insurance Against Cyber Threats
“It’s important to have cyber insurance in place to be able to respond to some of the costs incurred as a result of the ransomware or other cyber incident,” says Daniel A. Cotter of Aronberg Goldgehn Davis & Garmisa in Chicago.
“Get the appropriate coverage,” Giszczak says. “Depending on the limits of your policy, they’re typically going to be picking up the costs associated with forensics, the legal firm, any notification of individuals, a class action lawsuit if there ends up being one. It’s really critical.”
Businesses should know what their policies do and do not cover, says Jena M. Valdetero, co-chair of Greenberg Traurig’s U.S. data privacy and cybersecurity practice. For example, a policy might require the utilization of preferred vendors.
“If you call your trusted external vendor and then find out two or three days later that your carrier isn’t going to approve the vendor’s bills because they’re not preapproved, you don’t want to have to switch horses in the middle of the race,” she says. “But you also don’t want to jeopardize coverage.”
What To Do if Your System Is Compromised by Malicious Software
If your systems are compromised, contact your insurance company and cybersecurity attorney immediately. Engaging counsel early lets the investigation proceed under attorney-client privilege, which matters because there are legal consequences if attackers accessed medical, financial, or other client information.
Your lawyer can quarterback other facets, too, from dealing with regulators to coordinating an outside forensic investigation team. “There’s a ton of chaos in the aftermath of a cybersecurity attack,” Kravitz says. “I tend to bring a little bit of calm to the situation.”
“First and foremost, if you have the opportunity, definitely work with law enforcement — in this case, the FBI — and take advantage of their sophisticated resources,” says David Gevertz of Baker, Donelson, Bearman, Caldwell & Berkowitz in Atlanta. “Also, engage top-notch cybersecurity partners. Having the right vendor allowed us to unlock many systems and plug our holes. They also helped us proactively prepare in case there is a next time.”
Responding to Cyber Criminals’ Extortion
While there is some debate surrounding the best response to extortion, most companies pay the ransom, Sharton says. “The two biggest questions that we get are, ‘Is it legal to pay?’ And ‘Will they honor it?'”
In general, she says, the answers are “yes” and “probably.”
“I’ve been dealing with ransom attacks for over a decade, and I’ve not had a threat actor who’s reneged or not honored the deal,” Sharton says. “Their business model depends on honoring it because if it got out that they didn’t honor it, no one would ever pay again.”
Developing a Ransomware Protection and Remediation Plan
“The first 24 to 48 hours after a cyberattack are critical,” says John J. Rolecki, a data privacy and cybersecurity attorney at Varnum in Grand Rapids, Michigan.
“A ransomware plan will help you respond so much more effectively and efficiently. The last thing a business wants is to be caught flatfooted. Everyone knows phishing attacks are on the rise, so make the effort to form an incident response plan. And make it a management- or a board-level issue so that it has visibility throughout the organization. It will pay dividends.”
Among the primary objectives of the response and recovery process plan is to designate roles for company employees.
“It establishes accountability and visibility for the process,” Rolecki says. “Everyone in the company knows who the core team is, who has ownership of the situation. For example, so-and-so will contact the attorney; another person will contact the insurer if that’s relevant.”
Get an Attorney with Experience in Cyberattack Incident Response
Kayo recommends finding an attorney who specializes in cyberattack incident response. This should be someone who has dealt with these kinds of threat actor groups, as well as law enforcement and forensic investigators, and knows how other companies have handled similar situations.
“That’s something that my clients are often interested in: How have other people dealt with it? Being able to provide that insight as the client is making their own decision is valuable.”
She also advises firms to keep an incident response lawyer on retainer. During a ransomware attack, which often results in litigation, communications are going to be very sensitive. “You don’t want something that could have been protected by privilege, or documents that could have been protected by the attorney work-product doctrine, having to be produced in that litigation, which would be the case if a lawyer is not involved.”
Immediately Notify Insurance After a Ransomware Attack
An incident response plan needs to be regularly reviewed so everyone knows what to do if an attack occurs. “Don’t just write it up and file it away,” says Tyler Gerking, of Farella Braun + Martel in San Francisco. He is an insurance coverage attorney who works with policyholders before and after ransomware attacks.
His advice to businesses in this situation is to immediately notify their insurance company.
The insurance company should be among the first calls because it can offer resources and guidance. "Usually, a ransomware attack is a unique event for a company, and they may not really know how to most efficiently and effectively respond on their own," Gerking says. "The insurance companies, on the other hand, deal with these all the time. They know they have to act fast in order to reduce their losses."
Find an Experienced Cybersecurity Lawyer
“Working with an attorney to prepare for an incident can make a big difference in how you handle the situation,” says Liisa M. Thomas, leader of Sheppard, Mullin, Richter & Hampton’s privacy and cybersecurity team in Chicago.
“We work with our clients to assist them in evaluating, and, if necessary, ameliorating, their security measures, with an eye towards how those measures might be viewed by regulators or class action attorneys in the event of a data breach.”
To prepare your business against the threat of a ransomware attack, find an experienced cybersecurity lawyer in your area.