Ransomware attacks are an increasingly common and serious risk for Canadian organizations of all kinds and sizes. The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2023-2024 warns: "... ransomware is almost certainly the most disruptive form of cybercrime facing Canadians". This bulletin provides practical suggestions, based on real-world experience, for responding to a ransomware attack.
Ransomware attacks
Ransomware is malicious software that prevents access to or use of an infected information technology system or device (an "IT Resource") or related data, and demands (typically through an on-screen ransom note) a ransom for a decryption key to restore the infected IT Resource or data. There are two basic kinds of ransomware – "locker" ransomware (which prevents use of an IT Resource by locking the user interface) and "crypto" ransomware (which encrypts specific files or data so they cannot be used without the required decryption key).
Ransomware is often installed on an IT Resource through fraudulent techniques, such as a deceptive email or text message with a malicious attachment or link (known as "phishing" or "spear-phishing"), or through exploitation of unpatched internet-facing systems and stolen remote-access credentials. In a sophisticated attack, the criminals typically move through the victim's computer network (including data stored in cloud services), install additional malware and remote-access tools, and exfiltrate data before the ransomware is activated to encrypt IT Resources and data.
A ransomware attack can cause significant economic loss and other harm to the victim organization, including: (1) temporary or permanent loss of data; (2) business disruption loss; (3) costs of restoring infected IT Resources and data (if possible) and otherwise responding to the ransomware attack (e.g., complying with legal reporting/notification obligations); (4) costs and liabilities arising from regulatory investigations and legal claims/proceedings by affected individuals and organizations; and (5) harm to the organization's reputation and relations with customers, employees, stakeholders, and business partners. Ransomware can also cause significant economic loss and harm to the victim organization's customers who depend on the organization's services and products.
Organizations can mitigate the risks of traditional ransomware attacks by creating and maintaining secure and current data backups (stored offline or otherwise isolated from the production network) that can be used to restore affected IT Resources and data without the need to pay a ransom for decryption keys. However, in response to those countermeasures, ransomware criminals have evolved their approach to include "triple-threat" ransom attacks (also called "double extortion" or "triple extortion") – stealing data before encrypting IT Resources and data and then demanding a ransom payment from the victim organization by threatening to: (1) sell or publish the stolen data on the dark web for use by cybercriminals or the organization's business competitors; (2) use the stolen data to attack or demand ransom from the victim organization's customers, stakeholders, and business partners; and (3) perpetrate additional attacks on the victim organization's IT Resources and internet access (e.g., distributed denial-of-service attacks).
Canadian and U.S. cybersecurity agencies have issued guidance for preventing and responding to ransomware attacks. For example, see Canadian Centre for Cyber Security's Ransomware Playbook and Ransomware: How to prevent and recover, Australian Cyber Security Centre's Ransomware Prevention Guide and Ransomware Emergency Response Guide, U.K. National Cyber Security Centre's Mitigating Malware and Ransomware Attacks, and the U.S. CISA-MS-ISAC Joint Ransomware Guide. The National Association of Corporate Directors' 2023 Director's Handbook on Cyber-Risk Oversight provides a list of questions corporate directors should ask senior management to assess their organization's readiness to respond to a ransomware attack.
Law enforcement and cybersecurity agencies have warned that paying a ransom is risky because there is no guarantee that ransomware criminals will keep their promises to deliver effective decryption keys or delete stolen data, and the ransom payment might encourage additional attacks against the victim organization. There are also moral or ethical considerations because paying a ransom will reward and encourage cybercrime, and the ransom might be used to support other criminal activities. Nevertheless, for several reasons, ransomware victims often choose to accept those risks and pay a ransom for decryption keys or data deletion.
Tips from the trenches
Timely advice and guidance from experienced incident response legal counsel can make a ransomware attack response easier and more successful. BLG bulletin Cybersecurity incident response – Tips from the trenches provides practical suggestions, based on real-world experience, for responding to cybersecurity incidents, including ransomware attacks. Following are some additional comments and suggestions for responding to a ransomware attack:
- Starting the clock. Ransomware criminals often
try to create negotiation pressure by starting a negotiation clock
when the victim organization responds to a ransom note (e.g.,
clicks a link in the ransom note) or otherwise contacts the
criminals. For that reason, a victim organization should generally
not respond to a ransom note or contact the ransomware criminals
until the organization has completed initial incident response
steps (e.g., engaging legal counsel and technical advisors).
- Are you covered? As soon as possible, the
victim organization should determine whether it has potential
insurance coverage for the ransomware attack, including coverage
for ransom payments, and give written notice to relevant
insurers.
- Invoke the incident response plan. The victim
organization should invoke its ransomware attack response plan
(including pre-approved guidelines for deciding whether to pay a
ransom) and engage its designated incident response team (with
applicable insurer approvals).
- Legal privilege. Ransomware attack response
activities should include measures to establish and maintain legal
privilege, where appropriate, over legal advice and related
communications (including with external consultants and advisors)
about incident response activities and negotiations with the
ransomware criminals.
- Designate a decision-maker. To help a victim
organization make timely and consistent decisions throughout the
ransomware attack response, the organization should designate a
senior individual with authority to make or coordinate critical
risk-based business decisions and instruct technical advisors and
legal counsel.
- Engage a ransomware negotiator/payment
facilitator. A victim organization should engage (through
legal counsel) an expert ransomware negotiator to provide threat
intelligence and negotiation advice, communicate with the
ransomware criminals, conduct clearance searches for compliance
with anti-money laundering, terrorist financing and economic
sanctions laws (discussed below), and facilitate the ransom payment
(if any).
- Engage a digital forensics incident response firm. In most circumstances, a victim organization should engage (through legal counsel) an expert digital forensics incident response firm to help with incident response activities, including identifying the ransomware variant, assessing the scope and severity of the ransomware attack (including the initial point of entry, the duration of the attack, and the data accessed and exfiltrated), searching for publicly available decryption tools (e.g., those published by the No More Ransom project), preserving evidence (logs, disk images and memory captures) before systems are rebuilt, and providing technical information and assistance to legal counsel.
- Information from ransomware criminals. There
are many reasons why a victim organization's forensic
consultants might not be able to determine the scope and severity
of the ransomware attack (including the data accessed and
exfiltrated by the ransomware criminals). In those circumstances, a
victim organization might engage with the ransomware criminals,
even if the organization has no intention to pay a ransom, to
obtain essential information about the ransomware attack (e.g., a
list of exfiltrated files and sample proof of exfiltration) the
organization can use to make business and legal compliance
decisions.
- Prevent follow-on attacks. Ransomware criminals might reattack a victim organization (e.g., re-entering the organization's IT Resources using compromised credentials or back-door malware, incident-related email spoofing, or a distributed denial-of-service attack) if the organization refuses to negotiate or pay a ransom, or even after a ransom is paid. Consequently, as part of the incident response process, a victim organization should secure its IT Resources and implement measures to protect against and detect follow-on attacks by the ransomware criminals (e.g., searching for malware and other indicators of compromise, closing the initial point of entry, implementing email hygiene and endpoint detection and response solutions, resetting credentials for all user, privileged and service accounts and revoking active sessions and access tokens, and vigilance warnings to personnel and stakeholders). Credentials should be reset only after the criminals' access has been cut off; otherwise the criminals may simply capture the new credentials.
- Validate/test backups and the decryption key. A victim organization might pay a ransom to obtain a decryption key if the organization does not have viable and reasonably current backups or if the decryption key will help accelerate restoration of IT Resources and data. To make an informed decision, a victim organization should: (1) validate its backups (confirming they were not themselves encrypted or deleted during the attack), perform test restorations, and assess data gaps (e.g., by comparing restored files against pre-incident hash manifests or file inventories); and (2) validate the decryption key held by the ransomware criminals (e.g., by providing sample encrypted files to the ransomware criminals for free decryption and confirming that the returned files are intact). A decryption tool supplied by the criminals should be treated as untrusted software: it should be analyzed by the forensic firm and run only in an isolated environment on copies of the encrypted data, and the organization should expect that it may be slow, unreliable, or unable to recover some files.
- Assess stolen data risks. A victim
organization might pay a ransom in exchange for the ransomware
criminals' promise to delete and not publish/sell stolen data.
To make an informed decision, a victim organization should identify
the kinds of stolen data (i.e., regulated personal information,
third parties' confidential information, or the
organization's own commercially sensitive or proprietary
information), the organization's legal obligations and
potential liabilities regarding the stolen data, the kinds of harm
that might result if the stolen data were published/ sold by the
ransomware criminals, and the potential business benefits of
obtaining the ransomware criminals' data deletion
promise.
- Monitor the dark web. During the incident
response process (and possibly afterwards as well), a victim
organization should monitor the ransomware criminals' dark web
sites and public information sharing forums for published
information about the ransomware attack or the publishing/sale of
data stolen from the organization.
- Payment process. Ransomware criminals usually
demand ransom payments in cryptocurrency to a designated crypto
wallet, which might impose additional fees/charges (e.g., costs of
buying cryptocurrency) on the victim organization. A victim
organization might have to fund a ransom payment even if the
payment will be reimbursed under an insurance policy, which might
present a cash flow challenge and require senior management or
board approval. If a ransom payment might be covered by a victim
organization's insurance, the organization should obtain the
insurer's written prior approval of the payment to avoid
coverage disputes.
- Legal compliance. Paying a ransom is not
unlawful under Canadian law, provided the payment does not violate
proceeds of crime, money laundering, terrorist financing and
economic sanctions laws. For those reasons, a victim organization
that intends to make a ransom payment should first obtain legal
compliance clearance reports (based on searches of the ransomware
criminals and their crypto wallet in accordance with regulatory
guidance) from qualified service providers. Victim organizations
with international operations should verify compliance with all
applicable non-Canadian laws.
- Reports and notices. Ransomware attacks often trigger legal requirements (statutory, contractual, and common/civil law) for reports to regulators (e.g., privacy commissioners and industry regulators) and notices to affected individuals and organizations (e.g., customers, employees, stakeholders, business partners, payment card providers and financial institutions). Privacy commissioners have expressed the view that a victim organization's payment of a ransom for deletion of stolen personal information does not avoid the organization's statutory duty under personal information protection laws to report or give notice that the ransomware criminals stole personal information from the organization. For example, see PIPEDA Findings #2022-004 (Canada), P2018-ND-030 (Alberta), and the 7 July 2022 joint letter from the Information Commissioner's Office and the National Cyber Security Centre (U.K.).
- Get ahead of the curve. A victim organization should consider giving proactive notices of a ransomware attack to the organization's customers, employees, stakeholders, business partners and other individuals and organizations before they learn of the incident from the media (which routinely searches the dark web for information about data security incidents) or are contacted directly by the ransomware criminals.
- Mitigation services for individuals. Canadian personal information protection laws do not expressly require a victim organization to offer pre-paid credit monitoring/fraud prevention services to individuals affected by a privacy breach (including a ransomware attack). Nevertheless, the Office of the Privacy Commissioner of Canada has explained its view that victim organizations should do so. As a practical matter, in some circumstances offering pre-paid credit monitoring/fraud prevention services to individuals affected by a privacy breach can provide benefits to both the individuals and the victim organization.
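The "Validate/test backups and the decryption key" item above calls for test restorations, an assessment of data gaps, and verification of sample files decrypted by the criminals. The following script, added here as an illustration and not part of the BLG bulletin, shows one way to do that mechanically: it hashes a restored directory tree against a sha256sum-style manifest and reports which files are intact, altered or missing, and it applies the same check to a single sample file returned by the criminals. It assumes the manifest was produced from the pre-incident data (e.g., written by the backup job) and kept offline where the intruder could not alter it; the file names and contents in the demo are constructed.

```python
"""Check a restore (or a criminal-supplied sample decryption) against a
known-good SHA-256 manifest and report intact, altered and missing files."""
import hashlib
import os
import tempfile

# Manifest format is sha256sum-compatible: "<hex digest>  <relative path>".
# Assumption: the manifest was captured before the incident and stored
# offline, so it is trustworthy even if the production network is not.


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large restores do not need RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(root):
    """Walk a directory tree and emit sha256sum-compatible manifest lines."""
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{sha256_file(full)}  {rel}")
    return sorted(lines)


def parse_manifest(lines):
    """Parse manifest lines into {relative path: expected hex digest}."""
    manifest = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[rel] = digest.lower()
    return manifest


def verify_tree(root, manifest):
    """Compare every manifest entry with root/<rel>; return status lists
    plus the fraction of files that restored byte-for-byte."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    report["coverage"] = len(report["ok"]) / len(manifest) if manifest else 0.0
    return report


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario: three known-good files; a restore in which one
    file is truncated and one is absent; and one sample file the criminals
    decrypted for free, checked on its own against the manifest."""
    base = tempfile.mkdtemp(prefix="restore-check-")
    original, restore, sample = (os.path.join(base, d)
                                 for d in ("original", "restore", "sample"))
    files = {  # constructed sample data, not real records
        "finance/ledger.csv": b"date,amount\n2024-01-05,1200\n",
        "hr/payroll.txt": b"employee,salary\n",
        "docs/contract.pdf": b"%PDF-1.4 constructed sample\n",
    }
    for rel, data in files.items():
        _write(os.path.join(original, *rel.split("/")), data)
    manifest = parse_manifest(write_manifest(original))

    # Backup restore: ledger intact, payroll truncated, contract never restored.
    _write(os.path.join(restore, "finance", "ledger.csv"), files["finance/ledger.csv"])
    _write(os.path.join(restore, "hr", "payroll.txt"), files["hr/payroll.txt"][:5])
    restore_report = verify_tree(restore, manifest)

    # Sample decryption: only the returned file is checked, so a passing
    # result proves the key works on that file and nothing more.
    _write(os.path.join(sample, "docs", "contract.pdf"), files["docs/contract.pdf"])
    sample_report = verify_tree(sample, {"docs/contract.pdf": manifest["docs/contract.pdf"]})
    return restore_report, sample_report


if __name__ == "__main__":
    restore_report, sample_report = run_demo()
    print("restore:", restore_report)
    print("sample decryption:", sample_report)
```

The coverage figure and the "missing" list are what feed the data-gap assessment; the "mismatch" list flags files that restored but are not byte-identical to the pre-incident version, which is the usual symptom of a backup that was partially encrypted before it was taken. A clean result for a criminal-supplied sample only shows the key works for the files submitted, which is why the sample should be chosen from several systems and file types rather than a single convenient file.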
Responding to a ransomware attack can be a high-stress, high-stakes event. The comments and suggestions in this bulletin and BLG bulletin Cybersecurity incident response – Tips from the trenches, when combined with the advice of expert technical advisors and experienced incident response legal counsel, can help a victim organization avoid costly mistakes and achieve incident response success.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.