Back in January, I gave my list of essential issues for in-house counsel to pay attention to in 2021. One of the items I listed was “phishing.” Unfortunately, I was right to highlight it. Phishing has been a hot topic in 2021. More alarming, however, is that phishing’s good buddy ransomware has become an even bigger issue for in-house lawyers. In the first half of 2021, ransomware attacks are up over 148% (with more attacks than the last ten years combined!). The average ransom is now $200,000-$300,000 (with demands now exceeding $10,000,000.00) and businesses are down an average of 21 days whether they pay the ransom or not! I don’t know about you, but being down for three weeks and getting stuck with a $300,000 bill to access my data would be a real problem for most companies. To make matters worse, bad actors are getting more and more sophisticated, looking for new ways to gain access to corporate information systems. The good news is that there are things you can do now as in-house counsel to help your company prepare for and limit, or even prevent, a ransomware attack. Proactive in-house counsel is valuable in-house counsel, so taking steps now is an excellent way to demonstrate the value of the legal department. This edition of “Ten Things” walks you through some of the steps you can take to mitigate the damage of a ransomware attack:
1. What is a ransomware attack? A ransomware attack involves the installation of malware onto an individual’s computer or the computer systems of a business. The software provides the attacker with access and control of certain – or all – of the information in the system. The bad guys then encrypt the data so that it is inaccessible by users unless the business pays a ransom for the encryption key, usually in (allegedly) untraceable Bitcoin or other crypto-currency. In a fairly recent development, ransomware attacks now often involve the theft of sensitive data and a threat to release that information to the public unless a ransom is paid. To simplify, imagine everyone at your business logging on to their work email or document management tool tomorrow and finding a message that everything is unavailable until the attacker gets $1,000,000.00 within 48 hours. And if the ransom is not paid, the information will be destroyed or released. Yikes! Or as King Leonidas told his 300 Spartans at the Battle of Thermopylae, “We’re screwed boys!”
2. How do they get in? There are several ways that the ransomware attack software can get installed on your company’s systems and devices. Sometimes there are “holes” in software that the attacker can exploit unless they are quickly and consistently patched. Other times, the attacker uses social engineering and incredibly powerful computers to hack any employee’s account (usually because the employee had an easy to guess password and failed to use two-factor authentication). But, the most frequent and successful way to gain access is to simply trick an employee into clicking on a link in an ad or in email, where that link – once clicked – installs the malware that gives the bad guys the access they need. We have all seen these “phishing” emails and while some are laughably bad, others are incredibly hard to tell apart from the “real thing.” Here are some basics to watch out for:
- The email contains a link and demands instant action.
- The grammar is off and the “tone” of the email seems odd.
- The email is asking for action involving passwords or bank account information.
- There is an attachment with an odd extension (the worst one being “.exe,” which means some type of program will run when you open it).
- The email address of the sender looks legitimate, but on closer inspection, you see that they are using numbers for letters or the domain (the part after the “@”) is something odd for a business sender, like “gmail.com” or “outlook.com.”
- If you hover your cursor over the sender’s email, the true email address is revealed and does not match the purported sender, so you know it is a scam.
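Several of the red flags in the list above can be checked mechanically. The following added example (not part of the original article) scores a raw message against them; the company domain `example.com`, the keyword lists, the digit-for-letter map and both sample messages are assumptions constructed for illustration, and the grammar/tone check is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example (not from the article).
COMPANY_DOMAIN = "example.com"            # the organization's real mail domain
FREEMAIL = {"gmail.com", "outlook.com"}   # the two domains the list names
URGENT = re.compile(r"\b(immediately|urgent|right away|asap)\b", re.I)
CREDS = re.compile(r"\b(password|bank account|routing number)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".vbs")
DIGIT_SWAPS = str.maketrans("0135", "oles")  # simplified digit-for-letter map

# Constructed sample messages.
PHISH = """\
From: "Example IT Helpdesk" <it-support@examp1e.com>
Subject: Action required

Verify your password immediately at http://login.examp1e.com/verify
"""
SPOOF = """\
From: "ceo@example.com" <someone@gmail.com>
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please see attached.
--b
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b--
"""


def red_flags(raw: str) -> list[str]:
    """Return the red flags from the list above that a raw message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    flags = []
    if re.search(r"https?://", body) and URGENT.search(body):
        flags.append("link-with-urgency")
    if CREDS.search(body):
        flags.append("asks-for-credentials")
    if any(name.endswith(RISKY_EXT) for name in attachments):
        flags.append("executable-attachment")
    if domain != COMPANY_DOMAIN and domain.translate(DIGIT_SWAPS) == COMPANY_DOMAIN:
        flags.append("lookalike-domain")
    if domain in FREEMAIL and COMPANY_DOMAIN.split(".")[0] in display.lower():
        flags.append("freemail-claiming-company")
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != addr.lower():
        flags.append("display-name-hides-real-address")
    return flags
```

Calling `red_flags(PHISH)` or `red_flags(SPOOF)` returns the names of the tripped checks; a message from the real company domain with none of the indicators returns an empty list.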
Once they get into your laptop or the company systems, all hell breaks loose behind the scenes. Unfortunately, the attackers can spend months inside your systems, making changes, giving themselves administrative access, and taking other nefarious actions all without detection until the time they shut everything down and make their demands. There is even “Ransomware-as-a-Service” where criminals can go for a one-stop shop to launch ransomware attacks. See, Ransomware Prevention, Detection, and Simulation.
3. Have a plan. Crisis planning is a critical skill that in-house lawyers bring to the table and taking the lead in preparing a plan to deal with a ransomware attack is an excellent way to exercise this muscle. You do not need to write a novel. Instead, you need a written plan that lays out the key actions the company must take in the event of an attack. It is a step-by-step checklist/action plan that guides the company’s actions and helps get the right things done at the right time and in the right order. Your plan should include a few basics:
- A set agenda for the team meetings so all critical areas are covered each and every time, e.g.,
  - Current status
  - Recovery/Mitigation update
  - Insurance update
  - Legal update
  - Negotiations with attacker
  - Engagement with law enforcement/regulators
- The names and contact information of the internal team you will bring together in the event of a ransomware attack (e.g., security, HR, legal, privacy, corporate communications, relevant leaders from the business, and so forth).
- The name and contact at your cyber-insurer.
- The names and contact information of the outside team, including outside counsel, forensic computer experts, public relations, etc.
- Contact information for law enforcement.
- A list of needed communications and templates for messaging to employees, the board of directors, outside media, etc. (and be sensitive to attorney-client privilege and work product issues).
- Shut down and isolate affected systems.
- Plan to review contractual obligations to customers and vendors.
- Plan to review and deal with any breach of personal data.
- Remediation and post-mortem review process (i.e., lessons learned from the incident and what to do differently to minimize problems going forward).
As with any crisis plan, it is important to test it at least once yearly via a tabletop exercise. Running through the plan in this manner reveals omissions, weak spots, gaps, and so forth. Hopefully, you are not experiencing a real ransomware attack the first time you crack the seal on the plan.
4. Training is your best defense. Let’s face it, when it comes to cybersecurity your weakest point is your employee base. There are just too many ways the bad guys can trick virtually anyone into clicking on malware or giving up their passwords. Once this occurs, it’s off to the races and bad things are on the horizon. This means that training your employee base about cyber-risks and how to avoid them is your most effective and least costly way to avoid a ransomware attack. My recommendation is:
- Yearly online training on data privacy, data security, and preventing attacks.
- Training on what to do if they see a ransomware notice on their computer and who to contact to get help with determining if a link contains malware or not.
- Random “phishing” testing (where employees are sent fake phishing emails to test their compliance with policy and knowledge about suspicious emails).
- Regular messaging from the legal department discussing phishing and ransomware along with real-life examples of both and the damage they do (real-life examples really help bring home the seriousness of the problem).
- Mentions by senior executives during town halls or other significant or all-employee meetings (as always, the tone at the top matters).
5. Insurance. Given the high cost of a successful ransomware attack, cyber-risk insurance that covers such attacks is a must. If you do nothing else in the next 30 days, make sure you have spoken with the right people about the company’s cyber-risk insurance and how it covers ransomware attacks. If you do not have a policy, start the process and be prepared for a very thorough review process that may reveal some significant weaknesses that will require immediate attention and dollars. The really helpful thing about ransomware insurance is that, besides paying for any ransom, the policy typically provides for the professionals with the expertise needed to deal with a ransomware attack. One call to your insurance broker/company launches a team of professionals with the experience and steady hand you need when it feels like the world is crashing down around you. As you review/plan your policy, look for the following:
- Ransomware coverage and payment of any ransom (and amounts). How does the payment fit into the overall limits of the policy? How broad is the definition of “ransomware?”
- Coverage for experts (forensic, etc.).
- Notice requirements.
- Legal fees coverage and pre-approval of counsel and other experts (you should have everyone engaged and approved before there is a problem).
- Coverage (including cost) for hardware and software needed to get your systems back online.
- Credit monitoring and identity theft protection for customers and employees (if personal data is involved).
- Coverage for a help desk, sending required notices, etc.
6. Back it up! Ransomware attacks succeed, in part, because the victim has no access to their critical data or files. If you have a regular (and secure) backup of your systems or critical data, you remove one of the key bargaining chips in the hands of the bad guys. If an attack occurs, you root out the malware and then reinstall the backups. I don’t mean to suggest it is easy, but being down for a day or two while the system is restored vs. weeks or months while you negotiate the ransom is a significantly better deal. As part of your backup planning processes, you should work with the information security team to ensure that the backup data is separated from the main systems so that the malware does not infect the backups too. If it does, then your effort and expense are wasted. Likewise, if you can back up on multiple systems and/or compartmentalize your backed-up data, you can reduce your risk even further. Finally, the backup of company data should be part of a specific policy, which is the perfect task for the legal team. For more on backup strategy see Top Five Ways Backup Can Protect Against Ransomware.
7. Technology solutions. Ransomware is a technology problem, so there are, of course, technological solutions to help reduce the risk. Here is my list:
- Encryption. Encrypting data (at rest and in transit) can single-handedly defeat a ransomware attack because the data that is stolen is useless without the encryption key. The problem is that encryption is expensive. But, I would argue that depending on the value of the data, the cost may be well worth it (or at least worth exploring). For more on encryption options (at rest and in transit), see Data Encryption at Rest.
- VPN. A virtual private network (VPN) is a cost-effective way to prevent the theft of your data. A VPN creates a “tunnel” for your data whereby your IP address is hidden and a secure and encrypted connection is created. If you are interested in VPN, be sure you skip the “free” VPN tools (those may actually be traps) and stick with well-known brands, such as Norton, or use a reliable rating service like CNET’s Best VPNs for 2021.
- Multi-Factor Authentication. MFA can save the day if the bad guys hack or guess your password. With MFA, not only must you know the password, but you must have a second item that only you have access to in order to complete the login. Most people use their mobile phone as the second item, i.e., the MFA will send a code in a text message to your phone and you must enter that code to complete the login. Unfortunately, the bad guys are starting to find ways to hack smartphone numbers or trick users into revealing the texted code. An even better tool is an authentication app, like Microsoft Authenticator or Authy (see the NYT’s Wirecutter review of authenticator apps here).
- Label Emails from Outside the Organization. If you use Outlook, there is a way to add a label to all incoming emails that will identify them as coming from outside the organization. Turn it on! If you see this label, but the email purports to be from someone at the company, you know you have a reason to be suspicious.
- Anti-Malware Software/Patches. Pretty basic stuff, but incredibly effective in fighting malware. All businesses should have industrial-quality anti-malware software installed on their information systems and on the laptops of all employees. If the company is allowing employees to use their own devices then part of that program needs to include the installation of the company-approved anti-malware. Likewise, as patches are released to fix problems in software, businesses need a systematic way to force updates onto the devices used by employees. The lawyers in the legal department should be leaders in this area, always ensuring their own devices are up-to-date.
- Password Hygiene. To start, anyone can create strong passwords by simply making them long and a mix of numbers, symbols, and letters. The longer your password, the harder it is to hack. A mix of letters, numbers, and symbols only makes hacking more improbable. Nonsensical phrases that are easy to remember but difficult to guess are the most effective, e.g., “FrootkaKe38%!” is tough to crack but easy to remember (fruitcake 38 % !). A company policy that requires long passwords with such a mix is a must. Similarly, companies should require that all passwords for company systems be changed every 60 to 90 days. Is it a pain in the ass? Yes, but it can be critical to stopping hacking. Because we all have dozens and dozens of passwords, a password manager is another great idea, i.e., you have one master password (that is long and difficult to guess) and it generates passwords for all of your sites. These tools, such as X, Y, Z, are easy to use and highly effective at preventing password hacks. For ratings of password managers see CNET Best Password Manager to Use for 2021.
- Testing. Your information security team should engage in monitoring and regular penetration and other testing on a weekly basis to determine whether someone has gotten into your information systems. The worst damage is done when the attacker has months and months of undetected time in your systems, i.e., early detection can limit the harm of an attack.
8. Government action. Remember way, way back when I wrote about the importance of having a government relations department or plan? Well, the growing dangers presented by ransomware are the perfect target for just such a campaign. Governments around the world, and especially in the U.S., are waking up to the full extent of the risk presented by ransomware attacks. The Biden administration is already taking action (including through the DOJ, NSA, SEC, FinCEN, Treasury, and other departments). But, more is needed and bi-partisan support for new laws and funding (even in this political environment) is critical. In the U.S., I would start with my senators and the members of Congress that represent where my headquarters sit or any state where the business has a significant presence. I would engage both as a separate company and as a member of a coalition or trade association. Next, I would identify the right people within the administration and ask them how best the company can support their efforts on ransomware (i.e., sometimes the most effective lobbying is asking how you can help them vs. asking how they can help you). Lastly, I would look to influence foreign governments to step up and take action. A trade association is a great vehicle to engage for this one. For example, see the efforts of the U.S. Chamber of Commerce and President Biden’s thirty-nation summit on ransomware cooperation.
9. Law Enforcement. One of the most difficult decisions to make when faced with a ransomware attack is whether to involve law enforcement. In the U.S., this would most likely mean the FBI and/or its Internet Crime Complaint Center (“IC3”). One reason this decision is so tough is that law enforcement will officially encourage you not to pay the ransom. The problem with this position is that while not paying ransoms to bad guys is a better policy for businesses overall, it does not solve the immediate problem of your business being cratered because you cannot access your data. It poses a true dilemma. I think on balance that the smarter move is to involve law enforcement if your insurance company and professional team think it is the right move under the circumstances. Another important aspect of law enforcement to consider when it comes to ransomware is the Office of Foreign Assets Control (“OFAC”). OFAC is the USG agency that enforces sanctions (e.g., Cuba) including the Specially Designated Nationals and Blocked Persons List (the “SDN” list), a list of individuals and companies American businesses cannot do business with. Many of the groups engaging in ransomware are on this list. OFAC recently came out with guidance about potential fines for businesses that pay ransoms to individuals or organizations on the SDN list. This means paying off criminals can result in a large fine from OFAC. As a result, it is very important to work with your outside counsel and other experts to determine whether there are any OFAC ramifications if you were to pay a ransom. Yep, it just gets worse.
10. Stay informed. There is a lot going on when it comes to ransomware. Unfortunately, it is a problem that is not going away any time soon. Instead, it is likely to get much worse before it gets better. As in-house counsel, you need to stay up-to-date on the latest developments in this area. If you are in a large department, appoint one or two people to be in charge of ransomware planning (better yet, raise your hand and volunteer for the role). Here are some resources to take a look at and keep handy:
- The Ransomware Survival Guide (Proofpoint)
- StopRansomware.gov (U.S. government one-stop-shop)
- New York Department of Financial Services Ransomware Guidance
- FBI Ransomware Guidance
- NIST Ransomware homepage
- Avast Ransomware Blog
- Ransomware Recovery Blog
- Cybersecurity & Infrastructure Security Agency (CISA) Ransomware Guide (2020)
- The Ultimate Guide to Ransomware Attacks (e-book from NETSPI)
I don’t mean to scare you… wait. Strike that. Actually, I do mean to scare you. This is an incredibly scary problem and the absolute worst thing you can do as in-house counsel is put your head in the sand and hope it doesn’t happen to your company. Hope is not a strategy. Regardless of whether you sit in the USA or elsewhere, now is the time to either start developing your plans for how the company would respond to a ransomware attack or, if there is a plan in place already, revisit it and ensure it is up-to-date and ready to go in the event of a problem. As always, loop in others from the business as dealing with ransomware is not a solo job for the legal team. While legal can always be the leaders, sometimes being a good follower is just as impactful. Whatever role the business needs you to play, get moving. Lastly, if you and/or the legal department are pushing the company forward on this critical issue, make sure the business knows that its lawyers are being strategic and proactive. If no one knows about the value you add, did you really add any?
November 30, 2021
“Ten Things” is not legal advice, nor legal opinion and represents my views only. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. If you have questions or comments, ideas for a post, please contact me at firstname.lastname@example.org or, if you would like a CLE for your team on this or any topic in the blog, contact me at email@example.com.
 For more see How to Find Ransomware Cyber Insurance Coverage in 2021.
 Sure you do! See Ten Things: How to Run a Government Affairs Campaign.
 See Should Companies Cooperate with Law Enforcement During Ransomware Attacks (concluding “yes”).