What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.
FBI Public Service Announcement
In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainty as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.
Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: making regular backups and verifying them, securing those backups, implementing anti-virus and anti-malware solutions, increasing employee awareness training, instituting principle-of-least-privilege policies, and more.
How and What to Report
The information most helpful to law enforcement is attacker tools, signatures, and profile identity information. The announcement lays out categories of information that companies should consider providing to local FBI contacts or through the Internet Crime Complaint Center (IC3) portal, an automated reporting system that companies can use to report an attack easily and quickly:
- Date of Infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in e-mail, browsing the Internet, etc.)
- Requested ransom amount
- Actor’s Bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement
Don’t Pay Ransom Demands
“The FBI does not support paying ransom demands.” According to the FBI, some companies never get a decryption key, even after payment. And, every payment “emboldens the adversary to target other victims for profit,” incentivizing similar conduct by other criminals seeking financial gain.
That said, the FBI acknowledges that executives must act to protect shareholders, employees and customers where ransomware seriously threatens core operations and services. To assist companies in this regard, the announcement lays out a number of proactive risk mitigation measures.
- Regulators are pressing companies to proactively address ransomware. For example, the Department of Health and Human Services recently stated that ransomware attacks can constitute notifiable breaches under the HIPAA/HITECH regime. The head of the Federal Trade Commission has recently warned that a failure to patch vulnerabilities known to be exploited by ransomware may violate Section 5 of the FTC Act. Given this regulatory climate, companies that fail to engage with law enforcement may be scrutinized. Indeed, an FTC Assistant Director explained in a blog post last year that the agency will look at whether the company “cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion,” and that a cooperating company will be viewed “more favorably than a company that hasn’t cooperated.” Companies should pay particular attention to the recommendations made by the FBI, and should anticipate that regulators will consider whether, and to what extent, companies have followed the FBI’s recommendations in their own enforcement investigations and proceedings.
- Will you pay, and under what circumstances? The decision to pay a ransom demand depends heavily on the circumstances. Companies should carefully consider who within the incident response team, as well as among the executive and business teams, will be involved in making this decision. The availability of database back-ups and the operational impact of unavailability should be understood today, so that decisions can be made quickly and efficiently, with risk mitigation in mind. And bear in mind that executives have a fiduciary duty of care to the company, and must consider how they fulfill those obligations to keep the company operational while preserving its assets.
- Companies should decide now how they will engage with law enforcement, establishing thresholds that will dictate when to reach out, who will reach out, what information will be shared, and in what format. There are many reasons – more than those cited by the FBI – why a company may be reluctant to reach out to law enforcement: cooperation increases the risk that a breach becomes public, that privilege or work product protections over certain information may be lost, that reporting may incite retribution by the attackers, or that the scope of law enforcement’s investigation may expand beyond the breach. Executive leadership should be briefed on the protocols for law enforcement engagement. Pre-approved sign-off processes and authority should be identified now, so that companies can move quickly at the onset of an incident.