Leman Cyber Update: Ransomware Explained
First, what is ransomware?
It is malware (i.e. malicious software). It encrypts data on a device or system making it unusable. The threat actor holds the data hostage until a ransom is paid. Depending on the access gained and the level of infiltration into the system, the threat actor may also threaten to destroy the data or threaten releasing it to the public if not paid. Ransomware is the most prominent cyber-attack. The Beazley Group, an Insurer, reported that this kind of attack increased by more than 130% this year. Time for some stats:
• 1 in 3,000 emails contain malware. Think about this for one minute as it is truly staggering. Think about your own emails and how many emails you receive in a day. Extrapolate from this how long it takes you to receive 3,000 emails. The average office worker receives 120 emails per day. Using this as a stat, an email will pass through your filters every 25 days. If you have 25 staff, this means your organisation will receive one every day.
• The average downtime after a ransomware attack is 19 days.
• It is estimated that in 2021, ransomware attacks against businesses will occur every 11 seconds.
• It is estimated that in 2021, the global cost associated with ransomware recovery will exceed $20 billion.
• The average ransom payment is $233,217.
• Over 60% of all ransomware is targeted at SMEs.
Why would you pay the ransom?
Let us consider what could have happened. The cyber breach may have shut down your business. Although we have seen quicker turnarounds than the 19-day average downtime in the stats above, that is usually where there are viable backups. If the cost of the ransom is lower than the cost to your business, you might consider it. The risk you have to balance is that you are trusting a criminal / criminal organisation to provide the decryption key. The threat of releasing information is a very concerning one and might sway an organisation to pay. Data encryption coupled with data exfiltration is on the rise. The chief concern here is not trade secrets or intellectual property (although they may be in specific circumstances) but the consequences. What if the threat actor releases personal data? An organisation has to deal with possible fines from the relevant data protection authority (DPC, ICO etc.) as well as the affected individuals and possible claims from those individuals. Remember that data subjects do not need to show loss and can sue for non-pecuniary loss (for example, stress and inconvenience).
Why should you not pay the ransom?
Cybercrime is organised crime. Payment of ransoms facilitates further and more sophisticated ransomware attacks. It also encourages further attacks. For the business that suffered the attack and paid the ransom, it generally means that subsequent security measures are focused on the single vulnerability that was exploited rather than the whole system and the organisation’s practices. The other relevant factors are that the threat actor may not provide you with the decryption key or may ask you for more funds.
Is it legal to pay? The short answer is yes. The correct answer is: it is not illegal to pay ransomware demands... yet. It really depends on you (your organisation) and the threat actor. In late 2020, the U.S. Treasury stated that facilitating ransomware payments to sanctioned hackers may be illegal. Any individual and legal entity within the EU must comply with the EU financial sanctions regime in force. It is a criminal offence to breach a financial sanction. In the UK, Section 17A of the Terrorism Act 2000 deals with insurance against payments made in response to terrorist demands. This prohibits Insurers from paying a ransom on behalf of an Insured where the funds will or may be used for the purposes of terrorism. Beyond the obvious obligations this puts on Insurers with respect to due diligence of the threat actor, this needs to be balanced against the risk of a claim for breach of contract by the Insured. This was seen in the case of Mamanochet Mining Ltd v Aegis Managing Agency Ltd ([2018] EWHC 2643). Insurers need to carefully consider the issue of the legality of such a payment if one is to be made. In the UK, a company and its directors and officers may also find themselves liable under the Terrorism Act 2000 for a ransom payment where it is linked to terrorism. It is generally reasonable to assume that most cyber-attacks, and specifically ransomware attacks, are not linked to terrorism, but due diligence should still be carried out. In Ireland, the position is relatively vague. Thus far, there is only guidance that ransomware demands should not be paid. The legality of a payment will depend on the circumstances of the particular payment and should be assessed thoroughly.
What should you do?
• Backups, backups, yes, you guessed it: backups. It is the most effective tool in dealing with ransomware. Make sure that all the most important files are regularly backed up. Make sure that you create offline backups, so that a compromised network cannot reach them. Make sure that backups are scanned for malware before restoration. Talk to your IT consultants and / or IT providers about this.
• Prevention: This will include a mix of IT preventive measures, including anti-malware software, secure authentication, software updates and limiting application privileges, and organisational measures, including training, protocols and policies.
• Preparation: Prepare an incident management plan. This will usually require a risk governance review and a technology and software review. The plan should also incorporate your legal obligations as well as notification and reporting obligations and the timing of these (this is critical). Identify the most important data and files and conduct an impact assessment of what happens if they are targeted in a ransomware attack. Develop your communications strategy (both internally and externally).
The above is a very short version of the many actions you should take and is by no means exhaustive. There are free online resources available through many organisations such as the Data Protection Commission official website, the National Cyber Security Centre and the UK National Cyber Security Centre. If you suffer an attack, speed is key:
• Disconnect infected devices from all network connections.
• Reset credentials whilst ensuring you are not locked out of systems required for recovery.
• Contact (as required) your solicitors, IT consultants and / or providers (including cloud hosting providers or other providers as appropriate), cyber insurers, cyber security experts and PR experts. Follow your plan (if you have one and it is effective) with respect to response. You will generally have multiple urgent matters running in parallel. The best way to describe this is by example. Our client suffered a ransomware attack. The following occurred:
• The in-house and external IT providers liaised with respect to shutting down infected devices and considering what systems were affected. The resultant shutdown resulted in a complete lack of access to any systems or information for five days. A workaround was implemented to allow a resumption of some business activities. Backups were then utilised to resume normal business.
• As a result of having backups, there was no need to consider paying the ransom demand.
• At the same time as the above actions, cybersecurity experts conducted online monitoring to assess if any personal data was released online, as well as producing a forensic report to identify the scope and cause of the cyber breach.
• PR experts were instructed with respect to our client’s communications to clients and stakeholders with respect to the cyber breach.
• We were instructed in relation to project management and legal and regulatory obligations and notifications. Project management incorporates calls with clients and all stakeholders and the identification of appropriate experts, retainers and instruction. A precautionary notification was made to the Data Protection Commission and notifications were made to a number of other bodies as required by our client. There were various responses to queries raised by these bodies and subsequent updates were provided. Advices were also provided with respect to potential exposure and mitigation. Further advices were provided with respect to updating policies and procedures post cyber breach. This was a positive situation where there wasn’t a personal data breach (barring an access breach) and there was a full restoration of normal activities within 2-3 weeks. No funds were released or needed to be traced and no information was extracted. No regulatory action was taken by the appropriate bodies. Notwithstanding the very positive outcome, the above actions are extensive, time intensive and expensive, and this does not even include the loss of business.
The majority (approximately 80%) of the work conducted occurred in the first three days. If you take anything from this, it is to have backups (yes, again), prepare your plan and move very fast when you become aware of a cyber breach.
The Cyber team at Leman Solicitors provide advice with respect to Cyber matters including pre-event management, cyber incident response and post-event matters. If you have any queries, please get in touch with Stephen O’Connor at 01 6393000.