June 26, 2019

June 26, 2019

Subscribe to Latest Legal News and Analysis

June 25, 2019

Subscribe to Latest Legal News and Analysis

June 24, 2019

Subscribe to Latest Legal News and Analysis

Ransomware on Rise - FBI Releases Alert and Guidance

Key Takeaways:

  • Implement and follow robust data security practices.

  • Train employees to be on the lookout for suspicious emails and websites.

  • Establish business continuity plans that include regular system backups.

  • Create and implement rigorous data retention policies to ensure that only necessary data is maintained, thus minimizing the amount of data subject to ransom.

Ransomware attacks, which employ a devious and malicious type of malware that encrypts or locks valuable digital files and then demand a ransom payment to release those files, are on the rise. Indeed, the May 2016 edition of the ABA Journal magazine reports that the number of detected ransomware variants has grown to nearly 3.8 million in 2015 (from 638,000 in 2014). Ransomware attacks hospitals, businesses, state and local governments, and other institutions where access to information is critical to the target’s operations. On April 29, 2016, the FBI’s Cyber division issued an alert and guidance

Ransomware generally enters the victim’s systems via (i) an established attack vector such as a user visiting a compromised website, (ii) the exploit of unpatched systems, or (iii) most commonly, via a social engineering or phishing attack which attempts to get an authorized employee to execute a malicious email or click a link to a compromised site. Once it is established, the malware begins encrypting files and folders on local drives, any attached drives, backup drives and in some instances any device connected to the same network. Victims are usually unaware of the infection until they can no longer access their data or until they begin to see ransom messages on their computer. The attackers then demand payment for the key code needed to unencrypt the locked files. While older variants of ransomware had flaws in their encryption implementations allowing some hope of recovering your data without the key, newer versions use very robust encryption for which cracking is currently infeasible.

The FBI does not recommend paying a ransom in response to a ransomware attack because, according to FBI Cyber Division Assistant Director James Trainor, (i) paying a ransom will not guarantee that an organization will get its data back, and (ii) the payment will only serve to encourage more cyber criminals to undertake additional ransomware attacks. This is hard advice for many organizations to take. Faced with the permanent loss of valuable data and a ransom demand that can sometimes be only hundreds of dollars, some organizations are tempted to pay the ransom and perpetuate the cycle. Accordingly, the FBI recommends that organizations focus on prevention, incident response, and remediation. 

While there can be no guarantee against becoming a ransomware victim, this alert recommends the following information governance and security practices to close off attack vectors and manage and recover from a ransomware attack:

Prevent:

  • Maintain current versions of operating systems and applications loaded on all devices with network access.

  • Ensure anti-virus solutions and all other defensive measures are set to update automatically.

  • Implement the principle of least privilege. Manage the use of sensitive accounts such that network users do not have privileges any higher than are needed to complete their respective tasks—for example, a user generally should not be able to write to a directory if they only need to view the files therein.

  • Disable any and all macro scripts from office files transmitted via email.

  • Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.

  • Allow systems to execute “whitelisted” programs only (i.e., those that are known and permitted by security policies).

  • Seek to separate networks and files based upon which parts of an organization need access to those resources.

  • Train users in the detection and prevention of social engineering and phishing attacks.

  • Deploy proxies and firewalls to block malicious or unknown sites and eliminate malware command and control channels.

Respond:

  • Create a standing incident response team and practice various response scenarios using table-top exercises and drills.  Make sure key functions such as IT, Legal, Finance, HR and senior business leadership are represented on the response team.

  • Create business continuity plans which allow the business to function in the event of loss of access to key data.

  • Create employee, customer and stakeholder communication plans to ensure that all key constituencies are properly informed.

Recover:

  • Back up data regularly, verify the integrity of those backups, and ensure they are secure and separate from broadly-accessible system locations. Remember, if a user can access a specific network location, so can the ransomware.

  • Implement good information governance practices so you know which data are critical to the operation of your business.

  • Ensure that your failover/disaster recovery sites are not accessible within the same user contexts as your production sites. Test your failover and disaster recovery capabilities for mission critical systems regularly.

  • Analyze any contractual or other liabilities you may have for losing access to customer or business partner data.

  • Conduct an after-action review to determine the root cause of the incident and develop, document and internalize lessons learned from the incident response process.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

TRENDING LEGAL ANALYSIS


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney
Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

202-230-5674
Jay Brudz, Litigation Attorney, Drinker Biddle
Partner

Jay Brudz builds and manages world class e-discovery operations, internal compliance and FCPA investigations and develops enterprise-level information governance best practices. He is co-chair of the Information Governance and eDiscovery Group. In that capacity he acts as e-discovery counsel on major complex litigation matters. Using his technical experience in digital forensics and network security, Jay assists clients with information security counselling, including breach response, policy development and cyber risk evaluations. He also serves as executive managing director of the firm’s e-discovery subsidiary, Tritura Information Governance LLC, which provides state of the art e-discovery technology and services to the firm's clients.

Jay previously served in several roles focusing on the intersection of applied technology and law, including as senior counsel for legal technology at General Electric where he created and led their corporate e-discovery center supporting more than 1,200 attorneys. In this role he was also responsible for all corporate technology initiatives within GE’s legal operation, including the successful implementation of legal hold, e-billing, insider trading compliance, intranet, and patent docketing systems.

202-230-5195
Kenneth Dort, Drinker Biddle Law Firm, Intellectual Property and Data Security Attorney, Chicago
Partner

Kenneth K. Dort counsels clients on information technology and intellectual property law issues—specifically, software development and licensing, systems development and integration, data security and privacy, trade secret protection and patent/copyright/trademark licensing and protection. He is chair of the firm’s Technology Committee.

Ken is CIPP/US, CIPP/E and CIPP/C certified and advises clients throughout the United States, the European Union and Canada on their data security and privacy practices and compliance needs...

312-569-1458
Anthony Glosson, Drinker Biddle, Privacy & Communications Lawyer
Associate

Anthony D. Glosson assists clients with a range of privacy, communications, and regulatory compliance matters. He is the author of several publications in the field of technology law, and has been selected as a keynote speaker for a Capitol Hill discussion on active cyber defense.

Prior to joining Drinker Biddle, Anthony worked on numerous privacy and communications matters while serving as a law clerk for FCC Commissioner Ajit Pai, technology advocacy group TechFreedom, and state policy forum American Legislative Exchange...

(202) 230-5131