With the recent shutdown of Colonial Pipeline, which distributes much of the fuel consumed on the East Coast, cybersecurity attorneys have few words of comfort for businesses that become victims of ransomware attacks, seeing a road ahead fraught with uncertainty.
“There are no good options,” says Adam J. Bookbinder of Boston’s Choate, Hall & Stewart. “There’s the practical operational question of what it is they’ve lost access to and how critical is it for their business that they get that back.”
Mark E. Schreiber, of McDermott, Will & Emery in Boston, says upgrading a company’s cybersecurity before a crisis occurs is the best course for clients.
“Whatever you can do in terms of additional training, phishing exercises, imposing multi-factor authentication — the entire gamut of cybersecurity prophylactics — ought to be engaged in,” Schreiber advises.
According to Providence attorney John E. Ottaviani, once a client has been attacked, plotting a strategy forward largely depends on how well the client has prepared in advance to meet the cyber threat.
“Speed usually matters. These people usually want their money quickly, and if you don’t meet their deadline the ransom continues to go up,” says Ottaviani, who co-chairs the cyberliability and data security practice group at Partridge, Snow & Hahn.
“There are some situations where businesses have backups of their data that aren’t affected by the ransomware,” adds Bookbinder, who co-chairs the Privacy, Cybersecurity & Digital Law Committee of the Boston Bar Association. “Where it’s possible to restore their systems from those backups and continue operating without tremendous disruption, then they don’t have to pay [the ransom].”
Because time is of the essence, Ottaviani agrees that the first step when a client comes to him is to find out whether the company already has a recovery plan in place.
“Do they have an IT forensic consultant either on staff or on retainer who can investigate and figure out what type of ransomware it is and what systems have been compromised?” he says.
Determining what information has been compromised tells the lawyer and the client whether there’s an obligation to disclose to individuals, customers or the government the loss of information, Ottaviani adds.
“You also want to contact your cyber insurance carrier,” Ottaviani says. “Of course, you want to put them on notice [of a claim], but they may also have resources to pay for this and get things moving quickly.”
Schreiber points out that the client’s cybersecurity insurance carrier can also be helpful in identifying third-party consultants who can negotiate the ransom should it be necessary.
After taking the necessary preliminary steps, Ottaviani says how to respond to a hacker’s demands becomes a business decision.
“Do you have to pay it either because you can’t rebuild [your systems] or don’t have backups? If the amount is low enough so that it only has a nuisance value, then you just may want to pay it to keep going.”
But paying is not without its own risks. While generally it is not illegal to pay a ransom, Bookbinder says a company could expose itself to fines by violating regulations that prohibit paying money to certain organizations under sanction by the U.S. government.
The Office of Foreign Assets Control of the U.S. Department of the Treasury administers and enforces economic and trade sanctions. So-called “OFAC lists” describe entities subject to prohibited transactions.
“The FBI suggests that you report the attack to law enforcement first,” Schreiber says. “That at least gives you some credibility. To the extent that with a forensic vendor you can [identify] the groups involved, you may be able to avoid the OFAC fine issues, particularly if you report it to OFAC.”
Ottaviani says he’s unaware of any victim ever being charged criminally for paying a ransom.
“The feds are more concerned about who’s doing the hacking and where the money’s going,” he says.
Of course, no guarantees come with the payment of a ransom.
“It’s an unpredictable, insecure outcome,” Schreiber says. “Maybe you get the keys [to restore your system], but in a certain percentage of cases you don’t or the keys don’t work.”
Bookbinder says he would advise clients that intend to pay a ransom to hire a security company that has cryptocurrency accounts set up to handle the transactions required by the hackers.
“Those security companies usually have Bitcoin wallets that they can use to make ransom payments,” Bookbinder says. “That can make things a lot easier than if an attorney or victim company tries to set up the payment themselves.”
The threat of ransomware attacks has all business leaders on edge, particularly with the recent Colonial Pipeline shutdown. In order to resume operations, the Georgia-based company reportedly paid $5 million to a group linked to DarkSide, an Eastern European digital extortion ring.
“It’s a wakeup call to all companies,” Ottaviani says.
According to Bookbinder, ransomware is the single most serious and most likely cybersecurity threat facing companies today.
“There are all kinds of other threats, but most of them can be handled at a much lower level,” Bookbinder says. “Ransomware is almost always a serious problem if it hits you.”