The practicalities of responding to a ransomware attack
This article first appeared in ALARM, April 2021
Ransomware attacks have become one of the biggest cyber threats to all organisations.
In 2020 and 2021 there has been a spate of attacks targeting councils. The consequences can be catastrophic: systems down for days or sometimes weeks, scrambled files, and employees unable to carry out duties.
Associated data breaches can also result in extensive reputational and financial damage.
Many attacks follow a similar pattern. Unusual network activity (such as security programs being disabled, unrecognised programs being run or spikes in network traffic) is often first recognised in the middle of the night.
The initial unauthorised access to the system will usually have been obtained days or weeks before the ransomware is deployed. One of the most common ways of obtaining it is to harvest key users' login details via targeted phishing emails.
Once threat actors (cyber activists and criminals) have access, they undertake reconnaissance, utilise tools to harvest data and user credentials, and ultimately install malware to encrypt servers. Then they leave a ransom note with contact details to obtain a decryptor tool – at a price.
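The early warning signs listed above (security programs being disabled, unrecognised programs being run, spikes in network traffic, often in the middle of the night) are the kind of thing a simple log triage can surface before the ransom note appears. The following script is an added example and is not from the original article: the log format, hostnames, usernames, service names, trusted directories and the 100 MiB outbound threshold are all constructed for illustration and would need to be replaced with an organisation's own telemetry and baselines.

```python
"""Triage scan over endpoint and network log lines for three early
ransomware warning signs: a security service being stopped, a program
running from an unrecognised location, and a spike in outbound traffic.
Everything below (log format, names, thresholds) is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format:
#   <ISO timestamp> <host> <event type> key=value ...
SAMPLE_LOG = """\
2021-03-14T02:03:11 ws-07 process user=jsmith image=C:\\Windows\\System32\\svchost.exe
2021-03-14T02:04:20 ws-07 service user=jsmith name=WinDefend action=stop
2021-03-14T02:05:02 ws-07 process user=jsmith image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\upd.exe
2021-03-14T02:05:30 ws-07 netflow user=jsmith dst=203.0.113.9 bytes_out=5242880
2021-03-14T02:06:10 ws-07 netflow user=jsmith dst=203.0.113.9 bytes_out=734003200
2021-03-14T09:15:00 ws-02 process user=akhan image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2021-03-14T09:16:00 ws-02 netflow user=akhan dst=198.51.100.4 bytes_out=40960
"""

# Security services whose stopping always merits an alert (constructed list).
SECURITY_SERVICES = {"WinDefend", "Sense", "MsMpSvc"}
# Directories from which programs are normally expected to run (constructed,
# deliberately simplified; a real allowlist would be built from a baseline).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Per-host outbound volume above which we call it a spike (100 MiB, constructed).
OUTBOUND_SPIKE_BYTES = 100 * 1024 * 1024

# key=value pairs where the value may contain spaces (e.g. "Program Files").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Split one log line into a dict of timestamp, host, event and fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields = dict(KV_RE.findall(rest))
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def out_of_hours(ts):
    """Crude out-of-hours test: between midnight and 06:00 local time."""
    return ts.hour < 6


def scan(log_text):
    """Return a list of (host, rule, detail) alerts for the warning signs."""
    alerts = []
    outbound = defaultdict(int)  # host -> total bytes_out seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        tag = " (out of hours)" if out_of_hours(ev["ts"]) else ""
        if (ev["event"] == "service" and ev.get("action") == "stop"
                and ev.get("name") in SECURITY_SERVICES):
            alerts.append((ev["host"], "security_tool_disabled",
                           f"{ev['name']} stopped by {ev.get('user')}{tag}"))
        elif ev["event"] == "process":
            image = ev.get("image", "").lower()
            if not image.startswith(TRUSTED_PREFIXES):
                alerts.append((ev["host"], "unrecognised_program",
                               f"{ev.get('image')} run by {ev.get('user')}{tag}"))
        elif ev["event"] == "netflow":
            outbound[ev["host"]] += int(ev.get("bytes_out", 0))
    # Volume check is done per host after the pass, so the spike is judged on
    # the total rather than on any single flow record.
    for host, total in outbound.items():
        if total > OUTBOUND_SPIKE_BYTES:
            alerts.append((host, "outbound_spike", f"{total / 2**20:.0f} MiB sent"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_LOG):
        print(f"{host:6} {rule:24} {detail}")
```

Run against the constructed sample, the script flags three things on ws-07 only: the Defender service being stopped at 02:04, an executable launched from a user's Temp directory a minute later, and roughly 705 MiB leaving the host shortly after, all tagged as out of hours; the ordinary daytime Word session on ws-02 produces nothing. The point is the combination: any one of these signals alone is noise in most environments, but the three together on one host within minutes, at night, is the pattern the article describes and is worth waking someone up for.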
The first 24 hours following discovery of a ransomware attack can result in a great degree of alarm. However, if the organisation has cyber insurance and/or a well-designed breach response plan, there will be help from a team of vendors including legal, IT and public relations support, among others.
Insurance policies often have a breach notification helpline, which will usually result in immediate access to a legal team who will act as a ‘breach coach’ to coordinate the response and engage additional vendors, including an IT Forensics specialist.
A specialist IT forensics team can assist in closing down vulnerabilities, support data restoration from backups (if available) and advise on the scope and root cause of the attack. Crucially, they can also search for evidence of deliberate and malicious extraction of personal data, which many ransomware groups routinely carry out to leverage their position in ransom negotiations.
In ransomware attacks, the main impact is usually the encryption of servers, rendering the data inaccessible. Where personal data cannot be accessed as a result of encryption, this may result in an “availability breach” which may put individuals at risk if their data cannot be processed. The presence of viable backup data is therefore critical in order to mitigate any ongoing impact from availability issues.
Additionally, the unauthorised access to and potential theft of personal data may result in a “confidentiality breach”. Depending upon the categories of personal data affected, this may result in a formal notification to affected individuals being required. Furthermore, there may be contractual requirements to notify other data controllers about the breach, and sometimes the time limits for contractual notice can be 24 hours after awareness of the breach.
Obtaining the decryptor tool
If backups are not available, and reconstitution of data is not possible, then often the only way organisations can recover their data is by obtaining a decryptor tool from the malicious actors.
The payment of ransom demands is a controversial topic, but for any organisation brought to its knees by a ransomware attack, the option to pay often needs to remain on the table until all other avenues for recovery are exhausted.
However, given that ransomware groups are criminal organisations, the legal team will need to provide guidance. Considerations include: the risk of international sanctions, public perception issues, the risk of re-extortion, the prospects of threat actor cooperation, and whether paying up invites further attacks.
Wider exposures and sanctions
Ransomware attacks can be extremely disruptive. They can leave victim organisations open to various wider exposures, including the risk of third-party, customer and employee claims, along with a possible increase in subject access requests.
One important consideration is whether the incident is reportable to regulators, including the UK’s Information Commissioner's Office (ICO). Under the General Data Protection Regulation 2018, it is mandatory to report data breaches to the ICO within 72 hours.
Whether or not an organisation has cyber insurance, there are also the costs of dealing with the attack to factor in, as well as wider business interruption losses to consider.
It is essential for any public service organisation to have a robust and tested data breach plan. This includes pre-assembling an internal core breach response team (including key decision makers from across the organisation), having draft communications ready, and ensuring copies of key documents are stored offline (if the ransomware encrypts the entire network, then we often find that contracts are not accessible).
Among other things, organisations should undergo regular network penetration testing and ensure data backups are segregated from the main network (with no access credentials stored on the main network).
Unfortunately, no organisation is immune from ransomware attacks, but having a clear and tested system to fall back on will invariably lead to a more effective response and less painful consequences.
ALARM is a not-for-profit membership association that has supported risk management professionals for 30 years. They provide members with outstanding support including training, guidance and best practice, networking and industry recognition for excellence across risk management. For more information, visit alarmrisk.com.