A Legalweek West panel offered quick solutions to mitigate the ransomware dilemma and explored the 'should I pay' question.

Since the aptly named WannaCry ransomware locked down data on over 300,000 machines across Europe and the United States, IT professionals have started looking more closely at how ransomware may affect their organizations. And while security experts maintain that cybersecurity is a companywide effort, attorneys often leave cyber concerns to the technical support teams.

A panel at this week's Legalweek West conference, “The Emergence of Ransomware and Other Targeted Exploits: Prevention & Effective Response,” pushed legal practitioners to understand and take some responsibility for ransomware. David Bustle, director of information technology (IT) at Buchalter Nemer; Jeewon Kim Serrato, counsel and head of the global privacy and data protection group at Shearman & Sterling; and Roy Zur, CEO of Cybint Solutions, teamed up to offer a primer on the ransomware landscape and what organizations can do to head off the potential risks it poses.


What Is Ransomware?

Ransomware is not technologically much different than a standard computer virus, but it is used for a slightly different goal. “It's really designed to extort money from you. That's really all it is,” Bustle explained.

Cyberattackers have developed and used two main types of ransomware: locker attacks, which prevent users from getting access to their data, and crypto attacks, which can alter or move data from its original location. These attacks often inform users that their data has been encrypted, and can be retrieved only by sending a payment, often in Bitcoin.

In 2013, a file-encrypting ransomware attack dubbed “CryptoLocker” set off a whole new wave of ransomware, engendering copycat attacks like the CryptoWall and TeslaCrypt hacks that took in tens of thousands of dollars in ransom fees. Most recently, the WannaCry attack infected over 300,000 machines across Europe and the United States. Cybersecurity experts managed to shut it down fairly quickly, but some researchers believe that the attack may have been more of an experiment than a full-force attack.


Why Should I Care?

Zur said legal professionals tend to skimp on learning about ransomware because it feels like the purview of a more technical department. “The lack of awareness is not just, 'I don't know what it is,' but, 'I don't care. This is not my job,'” he said. Unfortunately, most ransomware attacks are waged through exploiting human error rather than aggressive computer attacks, making staff outside the IT department far more likely to be targeted.

According to Bustle, attacks are on the rise, and the price of ransom has increased over time. He indicated that attorneys could be especially at risk, given the value of the data they produce and its potential ease of access.

“The most common way that these are spread is through email attachment. If you're a lawyer or a partner, what do you do all day? You sit at your desk and open email attachments from people,” Bustle said.


What Little Things Can I Do to Avoid Problems?

Double-check your Wi-Fi network: Zur explained that one of the easiest ways to make yourself vulnerable to attack is to get online via an unsecured or, even worse, intentionally misleading network. He posed a hypothetical of changing the name of his phone hotspot Wi-Fi network to “Legalweek West” as a way to entice conference-goers to use a network that he could then use to access their data.

If you get a surprising or suspect email, do some digging: Email is another extremely common means of attack. Phishing emails tend to look fairly suspicious, often coming to a whole database of people with a general request or download. Generally, Zur said a quick Google search of the subject line can tell you if other people have been sent similar emails.

Spearphishing attacks tend to be a little more targeted, often posing as a person or organization that users may know and otherwise trust. “The first thing I do is check the metadata. If it's Gmail, I can just say 'show original,'” to tip you off about the email sender's real identity, Zur suggested.
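One way to automate the “show original” header check Zur describes, as an added example (not code from the panelists); the raw message, addresses and domains below are constructed for illustration:

```python
# Added example: surface sender-identity mismatches from an email's raw headers,
# the "show original" check described above. The sample message is constructed.
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers (not a real message): the visible From: claims one
# domain while the envelope sender and the delivering mail host claim another.
RAW_MESSAGE = """\
From: "Jane Partner" <jane.partner@example-lawfirm.com>
Return-Path: <bounce@mail.example-suspicious.net>
Reply-To: billing@example-suspicious.net
Received: from mx.example-suspicious.net (mx.example-suspicious.net [192.0.2.10])
        by inbound.example-lawfirm.com with ESMTP id 12345
Subject: Urgent: review attached invoice
Authentication-Results: inbound.example-lawfirm.com; spf=fail; dkim=none

Please open the attached invoice today.
"""

def domain_of(addr_header):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_mismatches(raw):
    """List reasons the visible From: is not backed by the routing headers."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} != From domain {from_domain}")
    # The topmost Received: line is the last hop, i.e. the host that handed
    # the message to our mail server; its "from" part should match the sender.
    received = msg.get_all("Received") or []
    if received and from_domain not in received[0].split("by")[0].lower():
        findings.append(f"last-hop Received host does not mention {from_domain}")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("Authentication-Results reports SPF/DKIM failure")
    return findings

if __name__ == "__main__":
    for finding in sender_mismatches(RAW_MESSAGE):
        print("WARNING:", finding)
```

Any non-empty result is a reason to verify the request out of band before opening an attachment; an empty list is not proof of legitimacy.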

Be vigilant about your phone, too: Phone phishing attacks are becoming increasingly common, given the value of data kept on users' phones. Shortlinks sent via SMS messaging are a little more difficult to verify, making them an easy means of access. Additionally, apps posing as battery saving or flashlight tools can cover for ransomware attackers, meaning that users who download them are also inviting attackers into their data.

Update your software: Attackers can also get access to machines through vulnerabilities identified in older software, which many companies feel like they need to keep around to run legacy software that may no longer be supported by vendors. The WannaCry attack especially exposed this vulnerability, as the ransomware attack especially hit Windows XP systems.

“Sometimes people don't do the software updates and say 'not now' for a month. Some software updates are actually security updates,” Zur cautioned.

Do phishing testing: Some organizations have begun testing their employees to ensure that they are ready and able to deal with suspicious emails. Serrato noted that these tests have identified repeat offenders within organizations, allowing companies to train these employees to step up their vigilance.

Back up your data: With regular, even hourly backups of data, companies can potentially sidestep any data lockdowns and simply restore their systems to an older version of data. While this may seem like an easy step, storing regular backups of this much data can be extremely costly and unwieldy, given the amount of storage it requires. Additionally, backups stored online or in cloud-based systems can potentially be compromised by ransomware attacks. “You have to do it in advance,” Zur said.


What Should I Do If It Happens?

While the prevalence of these attacks can make users want to toss all their technology in the trash, Serrato acknowledged that this isn't really an option. Instead, organizations need to have a plan they can quickly put into action. “Once you learn you've been the victim of a ransomware attack, you need to kick off and activate a crisis response plan,” she said.

IT professionals first want to isolate the machine where ransomware has been identified. “The first thing you have to do is disconnect computers from the network,” Zur said, adding that ransomware can spread through an organization this way.

On the operations side, Serrato suggested that setting a chain of command and a list of action items can be most effective in moments of cyber crisis. “The first day of a ransomware attack is like watching a football game with 5-year-olds,” she said. “Everyone is going to start reaching for the ball, and the whole lineup and strategy goes out the window. That's what it often feels like.”

As part of your crisis response strategy, Serrato suggested that companies may want to consider setting a policy ahead of time about whether or not they would be willing to pay ransom fees. The U.S. Department of Justice has taken the position that organizations should never pay ransom fees, but Zur and Bustle both referenced some organizations they know of who paid ransom fees and successfully recovered data.

However, there are some significant drawbacks to payment. There's no guarantee that your data will be retrieved as it was. Additionally, ransomware attackers may keep track of the organizations who've paid ransom fees and target those organizations for further attack. “Once you pay, you're in a list of companies who pay. You don't want to be on this list,” Zur said.

Audience members asked panelists whether there were any potential legal liabilities for failing to pay, especially where clients may suffer financial or physical harm. Serrato noted that while there isn't much guidance from litigation at this point, there may be more soon.

“I think we're going to start seeing that kind of litigation come up. I'm not aware of any litigation in that exact scenario, but those are the kind of things you need to consider in putting together a ransomware policy,” she said.

Copyright Legaltech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.