Ransomware and Ransomware Incident Response
Ransomware attacks are grabbing headlines and growing in frequency. Hackers exploit security weaknesses to steal or lock data and hold it hostage until a payment is made. In 2021 alone, high-profile ransomware attacks against Colonial Pipeline, JBS Foods (the world’s largest meatpacker), and other companies have grabbed the attention of the media and consumers alike. Ransom demands have climbed into the tens of millions of dollars.
Ransomware is malware that gains access to a system when a user unwittingly opens an attachment or clicks on a malicious URL, or through other attack vectors like exploit kits. Once ransomware is on a machine, it begins encrypting critical files on the victim’s PC and attached file shares. Victims are often notified of the encryption by a message that appears on their screen and instructs them to pay a fee to unlock their data. The attackers often promise to provide a decryption key once paid, although multiple sources have reported that paying a ransom does not guarantee successful recovery.
Once the encryptor is in place, it will begin to spread to additional systems and attached storage. To prevent the spread, disconnecting all non-essential machines and limiting wireless access is recommended.
Immediately following an attack, companies should execute their written incident response plan and contact their cyber insurance carrier to determine whether the threat is covered by a policy. They should also consider reaching out to their attorney at the outset of an investigation, as the attorney may be able to help identify legal protections such as the work product doctrine or attorney-client privilege.