In an ideal world, your company has all its critical information and data comprehensively and securely backed up, employing strong defenses against hacking, phishing, and other cyberattacks. In the event that your company is nonetheless the victim of a ransomware attack, this document provides steps to be taken as part of its response to such an incident. This document is meant to be a helpful guide, but the best response will generally depend on different factors, including the scope and severity of the attack, availability of remediation measures, and business sensitivities.

Implement previously created security incident response and business continuity plans. Cyber response and business continuity plans should contain the following steps to address a ransomware situation:

  • Conduct initial analysis of the ransomware. After detecting the ransomware or receiving a ransom demand, it is important to determine, in a timely manner, the original affected device, the scope of infected systems, and any vulnerabilities in the company's systems that were exploited. Conducting such an initial analysis will be immensely helpful during subsequent stages of responding to the ransomware. It is important to conduct this exercise in a forensically sound manner that does not alter or obscure evidence of the attacker's actions.
  • Determine whether copies of the ransomed data, or any parts thereof, exist elsewhere, and make sure they are properly secured. Assess whether the ransomed, encrypted data also exists on unaffected devices, in backup systems, or on unaffected servers.
  • Consider what type of data, and how much, may have been affected or compromised. Knowing whether sensitive information, such as health or financial records, is impacted and how many customers' records may be at issue is important. This information will inform the size of the team that needs to be mobilized in response, as well as the type of response, including breach notification, that may need to be taken.
  • Take steps to prevent continued access by the attacker. It is important to limit the attacker's ability to take advantage of any vulnerability and to segregate unaffected systems and data.
  • Report internally to the designated individuals to coordinate response. In appropriate cases, it may make sense to apprise senior business leaders, including the Board, who may need to make decisions about how to proceed.
  • Keep contemporaneous records. In consultation with legal counsel, it may make sense to record relevant information about the ransomware attack and your response to it, including logging when the attack was first detected, what steps were taken in response, who was notified, and other important information. To the extent possible, this information should be obtained and recorded in a way that does not delete or modify relevant files.

Hire external forensic experts and legal counsel as needed. Depending on the severity of the attack, and the size and capability of your existing IT and cybersecurity teams, it may be necessary to bring in additional help to manage the situation. Many companies specialize in incident response and forensics and can supplement your internal team to determine what systems or information were compromised, analyze the available technical information, and identify weak points in the company's systems and processes that should be improved. Outside counsel with experience in ransomware attacks and other security breaches can provide additional legal expertise and leadership, and can help preserve applicable privileges so that communication during the ransomware incident and recovery process can be full, frank, and confidential.

Contact law enforcement. This step may already have been completed as part of the incident response plans discussed above, but it is worth noting its importance separately. Even in a widespread ransomware attack where so many companies are affected that the authorities themselves can seem overwhelmed, it is still important to consider notifying law enforcement. Doing so could help the company if, for example, law enforcement has specific tips or techniques to minimize the damage from the attack. It also helps law enforcement build a full picture of what is happening to the different victims of the attack, and it creates a record of the steps taken to address the problem. Of course, law enforcement may not be able to provide immediate help in retrieving data or apprehending the criminals responsible for the attack, but they often can provide other resources and support. Ideally, the company will have previously established a point of contact with a particular law enforcement agency for this purpose. Consideration should also be given to the extent to which, and how, the company provides information, so as to protect confidential information and applicable privileges. In-house or outside counsel can help you determine whether and how to notify and work with law enforcement in the wake of a ransomware attack. Throughout the United States, companies can contact local field offices of the FBI and Secret Service, as well as the National Cybersecurity and Communications Integration Center, which is part of the Department of Homeland Security; in larger cities, the local police may also have a cybercrime unit.