Ransomware attacks have risen drastically in the past several years, and their costs — both in terms of damage to businesses and actual ransoms paid — are poised to continue to escalate. This form of cyberattack poses real risks to any organization that relies on computer systems for its essential operations. For many organizations, the loss of the use of such systems for days or even hours can be devastating. So being prepared in advance to handle such attacks is a prudent part of risk management.
Ransomware is malicious computer software used to render data unusable. In its most common form, ransomware encrypts files on a victim’s computer or computer systems. After a cybercriminal has infected a victim’s computer files, they will contact the victim and demand a ransom payment. In return for payment, the perpetrator promises to provide the victim a digital “key,” allowing them to decrypt their files, rendering them usable again. In some cases, the perpetrator may also make their own copy of the affected files and threaten to sell them or release them publicly unless their ransom demand is met.
This extortionate practice is one of the most profitable business models in cybercrime today, with a cumulative price tag in the billions of dollars. According to the FBI, there was a 225% increase in losses due to ransomware attacks from 2019 to 2020. Ransomware attacks have continued to rise, with more than 300 million estimated global attacks in the first half of 2021. Some attacks make headline news, such as the Colonial Pipeline ransomware attack that caused fuel shortages along the East Coast in 2021, or the widely reported attacks on hospitals, which can place lives at risk. But many attacks target smaller organizations and may never be reported in the press. All in all, no organization that relies on computer systems to conduct its essential operations can afford to be complacent about the risk of ransomware attacks.
If your organization is targeted with a ransomware attack, being prepared to respond quickly is critical. It is prudent to plan your first steps in advance so as to make best use of time to mitigate the damage and facilitate a quick recovery.
Your first phone calls are likely to be to legal counsel and law enforcement. Ransomware attacks are a crime. In the U.S., they may fall within the jurisdiction of your local law enforcement, the FBI and the Secret Service. Legal counsel can guide you to appropriate law enforcement authorities for attacks occurring outside the U.S. It’s critical to notify and cooperate with them. The tools and resources available to law enforcement can significantly increase the likelihood of locating stolen or encrypted data, as well as identifying and apprehending the criminal, thus preventing further losses. Before contacting law enforcement, however, you should consult with qualified counsel to make a plan for law enforcement engagement and make sure you handle the interaction effectively.
Another essential step is to evaluate your insurance coverage and contact any relevant insurer. Cyber insurance, covering malware attacks of all kinds, is increasingly popular. If you have purchased it, cyber insurance may cover the costs of the technical or legal professionals required to assist with the fallout of your attack, the costs of business disruptions stemming from the attack and possibly even the cost of paying the ransom itself. In addition, both your insurer and experienced legal counsel can be a valuable source of advice.
Many organizations publish guides to the immediate technical steps to take in response to a ransomware attack. Technical response details should be left to technical professionals, but it’s important that leaders have a general idea of what steps would need to be taken.
The ideal scenario is never to be subject to a ransomware attack in the first place. IT security best practices, such as maintaining offline backups of data, developing an incident response plan, regularly updating antivirus and anti-malware software, and periodically training employees in security awareness, may avoid or mitigate the risk of attack, and also reduce the likelihood of any enforcement associated with ransomware payments.
In addition to IT security measures to prevent malware attacks at the outset, there are many measures you can take now to put yourself in the best possible position to respond to a ransomware attack with the speed and agility needed. Acquiring cyber insurance is one move that must be made in advance to have any value. Responding to a ransomware attack requires immediate support from both legal and technical experts. Consider putting your team in place in advance, so you do not need to look for, evaluate and engage outside help at a time of huge stress. Knowing immediately who to call, and knowing that those technical and legal experts are already retained and will give you priority during a crisis, will give you peace of mind and speed your response time should the worst happen.