July 6, 2022

Volume XII, Number 187


July 05, 2022


FBI and CISA Warn Firms to be Vigilant About Ransomware Attacks

As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.

According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20%, including a 225% increase in ransom demands, and these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.

When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.

Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law.

Minimize Risk

The joint cybersecurity advisory offers the following guidance to minimize attacks:

  • Establish a baseline understanding of the network architecture and routine activity;

  • Review data logs to compare standard performance to suspicious or anomalous activity;

  • Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;

  • Use intrusion prevention systems and automated security alerting systems;

  • Employ honeytokens to track data outside the network; and

  • Use cyber hygiene services.
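
As an added illustration (not part of the advisory or the original article), the Python sketch below applies two of the indicators listed above to logon records: successful logons at times outside a user's baseline, on a weekend or on a holiday, and bursts of failed logons from a single source of the kind produced by brute force against RDP. The log line format, the threshold of five failures per hour, the holiday set and all sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, date

HOLIDAYS = {date(2021, 9, 6)}   # Labor Day 2021; extend per organization (assumption)
FAIL_THRESHOLD = 5              # assumed: failed logons per source per clock hour

def parse(line):
    """Parse 'ISO-timestamp user source_ip outcome' (assumed log format)."""
    ts, user, src, outcome = line.split()
    return datetime.fromisoformat(ts), user, src, outcome

def build_baseline(lines):
    """Record the hours of day at which each user normally logs on successfully."""
    hours = defaultdict(set)
    for ts, user, _, outcome in map(parse, lines):
        if outcome == "success":
            hours[user].add(ts.hour)
    return hours

def review(lines, baseline):
    """Return alerts for off-baseline logon times and failed-logon bursts."""
    alerts, failures = [], defaultdict(int)
    for ts, user, src, outcome in map(parse, lines):
        off_day = ts.weekday() >= 5 or ts.date() in HOLIDAYS
        unusual_hour = ts.hour not in baseline.get(user, set())
        if outcome == "success" and (off_day or unusual_hour):
            alerts.append(("anomalous_logon_time", user, src, ts.isoformat()))
        if outcome == "failure":
            key = (src, ts.replace(minute=0, second=0))
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:   # alert once per source per hour
                alerts.append(("failed_logon_burst", user, src, ts.isoformat()))
    return alerts

# Constructed sample data (not from the advisory or any real network).
BASELINE_LOG = [
    "2021-08-30T09:02:00 alice 10.0.0.21 success",
    "2021-08-31T10:15:00 alice 10.0.0.21 success",
    "2021-08-31T08:47:00 bob 10.0.0.34 success",
]
WEEKEND_LOG = (
    ["2021-09-03T09:30:00 alice 10.0.0.21 success"]        # Friday, normal hours
    + [f"2021-09-05T02:1{i}:00 admin 203.0.113.7 failure" for i in range(6)]
    + ["2021-09-05T02:20:00 admin 203.0.113.7 success",    # Sunday, after the burst
       "2021-09-06T23:05:00 bob 10.0.0.34 success"]        # Labor Day, late night
)

if __name__ == "__main__":
    for alert in review(WEEKEND_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

A successful logon that follows a failed-logon burst from the same source, as in the constructed Sunday records, is the combination an on-call analyst would want escalated first.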

Mitigation

The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:

  • Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;

  • Make an offline data backup;

  • Advise individuals to not click on suspicious links;

  • Secure and monitor RDP or other potentially risky services;

  • Update the organization’s operating system (OS) and software;

  • Scan for vulnerabilities;

  • Require strong passwords;

  • Use multifactor identification;

  • Secure network(s): implement segmentation, filter traffic, and scan ports;

  • Secure user accounts; and

  • Implement an incident response plan.

In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.

The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.

© 2022 Keller and Heckman LLP
National Law Review, Volume XI, Number 245

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234