
Endpoint

6/16/2020
02:00 PM
Ransomware from Your Lawyer's Perspective

Three good reasons why your incident response team's first call after a data breach should be to outside counsel.

Many cyber operations teams are surprised that as outside counsel, I fret about ransomware. They ask questions like: Why would counsel care that our systems are locked in place? And, why would we need to give notice to consumers or employees in a ransomware event?

The reason is because data breach statutes do not distinguish based on the types of cyber events, and I am often left trying to piece together whether notice is legally required based on scant evidence of what may or may not have left the network. Not only that, but additional liability can arise depending on the industry. As a lawyer, my job is to navigate and mitigate those risks on behalf of the client. Here's what I've learned:

1. What happens in the first few hours after discovering ransomware is mission-critical to my legal analysis. When the call comes to me, the first question I always ask is: Have we preserved the logs? Whether or not there is a log aggregator in place, it is incredibly important to begin pulling log information from every location so that it can be analyzed for malicious traffic. This traffic analysis — whether data left the network — is critical to the legal analysis determining whether or not the company must give notice to consumers, employees, or regulators.

If personal identifying information left the system, the company is obligated under a myriad of state statutes to give notice to affected individuals. That notice clock is 72 hours to make certain notifications in Europe under the General Data Protection Regulation. The definition of personal identifying information varies wildly based on the state or regulation affected. As counsel, my first questions center on whether data left the network. If it did, my next questions in the next few hours begin revolving around how we piece together what data left or whether data was accessed on the network. But the first step is making certain we have the evidence in place to make that legal analysis. Without logs, I am left with circumstantial evidence — a fancy legal phrase meaning inferences — to make the call as to whether notice must be given. It's not ideal and requires a lot of legal experience to get to a defensible conclusion.

2. Do we negotiate with the cyber terrorists? Even with a backup, sometimes the event is so catastrophic that the timeline to restore from backup is not ideal. Or maybe you learn that the backup you thought was being made was not actually being made. In a ransomware event, inevitably the conversation will shift to consideration of engaging with the attackers and potentially paying a ransom. I have found as outside cyber counsel that you should never say never to any scenario, although to date I have not paid a ransom. But having a Bitcoin wallet prepared in the event you need to pay a ransom is always a good idea. At least then you are not wasting precious days waiting on the KYC (know your customer) analysis in order to fund the wallet and make a payment.

Based on my experience, law enforcement will not encourage or discourage engagement with cybercriminals. That is a question left to the company or municipality alone. Also, the ransoms are getting larger — not 3 Bitcoin, but 30. With a discount offered for speedy payment, even criminals are suffering in a global pandemic and ensuing economic crisis. Whatever the case, engagement with cybercriminals needs to be done delicately and with counsel's involvement.

3. Be ready to work with law enforcement and know whom to engage. I've had the pleasure of engaging with a number of federal agencies, federal investigators, and state investigators. In some cases, based on your industry, you may not get the choice as to whether you engage with law enforcement or not. In others, that's a call you should let your outside counsel make. Even in ransomware events, it can be beneficial to work with law enforcement, but you need to know which entity to call. Placing a call to your local FBI field office can be beneficial — but directly engaging with the FBI cybercrimes unit can expedite your getting in touch with the FBI office in charge of fielding ransomware inquiries based on that variant. I recently worked on the first Pysa ransomware case in the United States as outside counsel. Knowing the rules of engagement with law enforcement and whom to reach out to can help you find out whether there are known decryption tools in place for that particular variant.

Like any cyber event, with ransomware, your incident response team's first call should be to outside counsel. As counsel, our job is to help bring order to the chaos but mostly to work through the legal liabilities and risks associated with the cyber event.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...