What to Do After a Ransomware Attack

Anthony P. Valach


June 1, 2016


It is Monday morning and there is an unusual buzz in the office. After everyone has settled in and checked their email from the weekend, it seems that no one can access any of their files or documents. Instead, the same notice appears on every screen: “Your files are encrypted. To get the key to decrypt them, you must pay $500.” You are the latest victim of a crypto ransomware attack. What do you do now?

If your company had enough foresight to purchase a cyber liability insurance policy, the first step is to contact the insurer to notify them of a potential incident. The type of policy purchased will determine how the insurer will respond. Since both the company and the insurer have an interest in limiting exposure and loss, some insurers will take over the cyber incident response and obtain the technical and legal resources necessary to respond appropriately.

If your organization does not have cyber liability coverage, you will need to alert your IT resources so that they can help respond to the attack. In the worst-case scenario, IT will find that all of the local and shared files that are used on a regular basis are encrypted with a mathematically impossible-to-crack encryption key. Depending on the business, the productivity of the office staff may grind to a halt.

The quickest and easiest way to return to productivity is to restore the system from an uninfected local, offsite or cloud backup. Depending on the type of disaster recovery plan a company has implemented for this situation, as well as the complexity of the network, the volume of data that has to be restored and the backup platform itself, users could be back up in a few hours.

If a company does not have its system backed up or if the backup has also been encrypted, there may be little choice but to pay the ransom and hope the encryption key permits access to the impacted files. Even with all the current computing power available, it will be impossible to decrypt the files by using the “brute force” method of trying every possible key combination. This is why organizations that find themselves in this unfortunate situation are encouraged, even by the FBI, to pay the ransom. The hackers’ business model is to set the ransom in such a way as to encourage people to pay. Paying a hacker between $500 and $1,000, usually in the form of bitcoin, is worth the risk since, without the key, a company may be out of business or forced to incur the expense of restoring its network from scratch.
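Whether the company can take the quick route of restoring from backup, or is pushed toward the ransom, turns on one question the two paragraphs above raise: is the backup itself still intact, or was it encrypted along with the live system? The script below is an added example, not part of the original article or of any backup product, showing one way to answer that before a restore is attempted. It records a manifest of SHA-256 hashes for the backup set at backup time and later verifies the set against it, flagging files that are missing, changed, or changed and now made of near-random bytes (the high-entropy signature of an encrypted copy). The helper names, the 7.5 bits-per-byte entropy threshold and the `demo()` scenario are assumptions constructed for this example.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Hypothetical helper names (sha256_file, shannon_entropy, build_manifest,
# verify_backup, demo) are assumptions for this example, not a backup product's API.


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup objects never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed bytes sit near 8.0, plain documents well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record the hash and size of every file in the backup set at backup time.
    Keep the manifest where the backup host cannot overwrite it (offline media or a
    write-once bucket) so it survives whatever later happens to the backup itself."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup set against its manifest before trusting it for a restore."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    present = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        present.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) == manifest[rel]["sha256"]:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            # Changed content that now looks like random bytes is what a backup copy
            # that was encrypted along with the live system looks like.
            if shannon_entropy(p.read_bytes()[:65536]) >= entropy_threshold:
                report["suspicious"].append(rel)
    report["missing"] = sorted(set(manifest) - present)
    report["restorable"] = not (report["modified"] or report["missing"])
    return report


def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same backup after one file was
    deleted and another overwritten with random bytes (standing in for an encrypted copy)."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "finance" / "q1.txt").write_text("quarterly numbers\n" * 200)
    (root / "notes.txt").write_text("meeting notes\n" * 300)
    manifest = build_manifest(root)
    before = verify_backup(root, manifest)
    (root / "notes.txt").unlink()
    (root / "finance" / "q1.txt").write_bytes(os.urandom(8192))
    after = verify_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean backup restorable:", before["restorable"])
    print("damaged backup:", {k: v for k, v in after.items() if v})
```

The design point is that the manifest is the trust anchor: a backup that still hashes to what was recorded when it was written is the one worth restoring, and a "modified" entry with near-8.0 entropy is the early warning that the backup shared the fate of the production files.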

After a company decides to pay the ransom, it must then acquire enough bitcoin to do so. This is a lot easier in theory than in practice, however, since bitcoin cannot simply be obtained on the internet with a credit card. Even with a legitimate online service, it can take several days for the bitcoin to appear in a newly created account. By the time this happens, the ransom will often have increased or the files will have been destroyed. This leaves a ransomware victim with little choice but to find a bitcoin ATM or a dealer on Craigslist or another online forum. Since bitcoin is popular in the underground world of illegal transactions, a company may find itself in the rather uncomfortable position of exchanging a large amount of cash on the street for the digital currency.

Once the company has obtained enough bitcoin to pay the ransom and gotten the decryption key, the process of unlocking the files begins. If all of the local and shared files are encrypted, this can be a rather lengthy process, even when using an efficient file recovery program. But if everything goes as planned and all of the files are decrypted properly, a company can return to normal operations.

Once the files have been decrypted and operations have resumed, the next chapter begins. A company must now analyze how this attack occurred and how it can be prevented in the future. More than likely, an unsuspecting employee clicked on an attachment to a seemingly innocuous email several days before the attack manifested itself. Hackers may also have gained access to a company’s network through a recently added network printer with default login credentials outside of the firewall, or through many other tricks. Regardless of how the attack occurred, this is a good opportunity to refresh your employee training and to re-evaluate your network security.

The work is still not done, however. The company must now determine whether any personally identifiable information (PII) or personal health information (PHI) of employees or customers was compromised or stolen in the attack, then identify the state of residence for each individual whose PII or PHI the company maintains.

The company then needs to determine whether specific state data breach notification requirements were triggered by the incident. That could mean complying with the data breach notification laws of 47 different states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. If a company is fortunate enough to only have customers in Alabama, New Mexico or South Dakota, there is no reason to worry since those states do not yet have data breach notification laws.

There are many potential pitfalls when going through state data breach laws. In a majority of states, the data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. This would require evidence that the hackers were able to move the PII or PHI from the company’s network to their own. A company’s IT resources should be able to quickly determine if this was the case.

Thankfully, crypto ransomware is usually designed or intended to extort money from victims rather than steal personal or confidential information. But when the ransomware payload modifies the system’s registry files and installs itself on a victim’s computer, the program connects with the hackers’ command and control servers to transmit the public and private encryption keys, making the question of “acquisition” unclear in a majority of states. If a company’s IT team firmly believes that no PII was acquired by the hackers, a documented record of these findings should be kept by the company in case of an investigation by authorities or a private lawsuit.
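The two paragraphs above hand the IT team a concrete job: show, from evidence, whether PII or PHI actually moved from the company's network to the attacker's, and keep a written record of the findings. The script below is an added example, not part of the original article, of how that determination can be made from egress logs and turned into such a record. It parses outbound-traffic lines, totals the bytes each internal host sent to each external address, and separates three cases: traffic to known business destinations, a few kilobytes to an unknown address (the footprint of the key exchange with a command-and-control server the article describes), and bulk transfers to an unknown address (what "acquisition" of a data set would look like). The log format, the sample lines, the allow-list of known destinations, the 100 MiB bulk threshold and the helper names are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical egress-firewall format (an assumption for
# this example): "<timestamp> src=<internal host> dst=<external IP> bytes_out=<n>".
SAMPLE_LOG = """\
2016-05-27T09:14:02 src=10.0.1.25 dst=203.0.113.9 bytes_out=1832
2016-05-27T09:14:05 src=10.0.1.25 dst=203.0.113.9 bytes_out=944
2016-05-27T09:20:11 src=10.0.1.25 dst=198.51.100.20 bytes_out=52000
2016-05-28T02:03:44 src=10.0.1.40 dst=198.51.100.77 bytes_out=734003200
malformed line that a parser must not choke on
2016-05-28T02:09:10 src=10.0.1.40 dst=198.51.100.77 bytes_out=611001344
2016-05-28T08:30:00 src=10.0.1.25 dst=203.0.113.9 bytes_out=1210
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def parse_egress_log(text):
    """Yield (timestamp, src, dst, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, n = m.groups()
            yield ts, src, dst, int(n)


def summarize_egress(records, known_destinations, bulk_threshold_bytes=100 * 1024 * 1024):
    """Total outbound bytes per (source host, destination) and classify each flow.
    known_destinations is the allow-list of partners, SaaS and backup endpoints the
    company already talks to; every other address is treated as unknown."""
    totals = defaultdict(int)
    first_seen, last_seen = {}, {}
    for ts, src, dst, n in records:
        key = (src, dst)
        totals[key] += n
        first_seen.setdefault(key, ts)
        last_seen[key] = ts
    findings = []
    for (src, dst), total in sorted(totals.items()):
        if dst in known_destinations:
            cls = "known"
        elif total >= bulk_threshold_bytes:
            # Hundreds of megabytes leaving for an address nobody recognizes is the
            # kind of evidence of "acquisition" the notification analysis turns on.
            cls = "bulk_unknown"
        else:
            # A few kilobytes is the footprint of a key exchange or beacon, not of a
            # customer database being moved off the network.
            cls = "small_unknown"
        findings.append({"src": src, "dst": dst, "bytes_out": total, "class": cls,
                         "first_seen": first_seen[(src, dst)], "last_seen": last_seen[(src, dst)]})
    return findings


def acquisition_record(text, known_destinations, analyst, bulk_threshold_bytes=100 * 1024 * 1024):
    """Build the written record of findings the company keeps on file."""
    findings = summarize_egress(parse_egress_log(text), known_destinations, bulk_threshold_bytes)
    bulk = [f for f in findings if f["class"] == "bulk_unknown"]
    small = [f for f in findings if f["class"] == "small_unknown"]
    return {
        "analyst": analyst,
        "flows_reviewed": len(findings),
        "bulk_threshold_bytes": bulk_threshold_bytes,
        "bulk_unknown": bulk,
        "small_unknown": small,
        "acquisition_suspected": bool(bulk),
        "conclusion": ("bulk outbound transfer to an unknown destination found; treat PII as "
                       "possibly acquired pending deeper review"
                       if bulk else
                       "no bulk outbound transfer beyond known destinations; only small "
                       "unknown flows consistent with a key exchange"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(acquisition_record(SAMPLE_LOG, {"198.51.100.20"}, "IT team"), indent=2))
```

In the constructed sample, host 10.0.1.25 exchanges under 4 KB with an unknown address (the key/C2 pattern), while 10.0.1.40 pushes about 1.3 GB to another unknown address overnight, which is the flow an investigator would have to explain before concluding that nothing was acquired. The same record, with the allow-list extended to cover that destination, comes back with `acquisition_suspected` false, which is exactly the kind of documented finding the article says to keep.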

Unlike in the majority of states, however, the data breach notification requirements in Connecticut, New Jersey and Puerto Rico are triggered when there is simply “unauthorized access” to personal information. This lower standard means customers must be notified of a data breach even when no PII is acquired by an unauthorized party. Companies that maintain PII of customers from these locales and are victims of crypto ransomware are in the unfortunate position of having to devote the time and resources necessary to comply with the data breach notification laws even when information is not acquired by a hacker.

Not being properly prepared for an inevitable data breach can lead to disastrous consequences for any company. Of course, there is the immediate problem of getting data restored so the company can return to normal business operations. This can be costly. When Hollywood Presbyterian Medical Center in California became the victim of a ransomware attack in February, staff was unable to access medical records and the hospital administration was forced to pay a $17,000 ransom for the encryption key to restore access to their electronic medical records.

The steps an organization takes to determine whether there is an obligation to notify parties whose information may have been compromised are also just as important in determining whether a company continues to operate after the attack. Making sure that a company has proper cyber liability coverage, an effective backup solution and disaster-recovery plan, and a technical and legal team ready to respond to a data breach can help avoid lasting consequences.

Anthony P. Valach is a member of the Philadelphia office of Bennett Bricklin & Saltzburg LLC, where he focuses on privacy and data security and complex litigation.