On demand 1h 9m 50s Basic

Ransomware Part I—How to Prevent an Attack

Ransomware permeates the news. But what do you really know about it? Well, if you watch this three-part series, the answer will be a lot. We will talk about ransomware, how to respond, how to report, and how to take steps to minimize the impact of an attack. In Part 1, we will talk about ransomware and how to respond to an attack.

Transcript

Kamran Salour - Hello and welcome to "Ransomware: Practical Steps to Minimize Its Probability and Impact." My name is Kamran Salour and I will be leading you today through a three-part series that discusses ransomware, its impact, and practical steps to avoid a ransomware event from occurring, but, short of that, practical steps to take should a ransomware event occur to help minimize the impact of the attack, both on the organization and the organization's employees and customers.

So we're gonna divide this presentation into three parts, and in part one, we're gonna focus first on what is ransomware. I know there's a lot that has been talked about ransomware in the news and it's often a concern of many businesses, but many people don't necessarily know what ransomware is, how it works, and how it operates. And so before we can go into steps to respond to a ransomware attack and steps to try to prevent or minimize a ransomware event from occurring, it's very important to first focus on understanding what a ransomware event is and the types of ransomware events that are generally seen to occur and impact organizations. So once we talk about ransomware, we're gonna talk about responding to a ransomware attack. That's gonna be the main focus of part one. And as this presentation proceeds into parts two and three, we're gonna talk about other aspects of ransomware and other aspects of the incident response process.

So let's start with the critical question: ransomware, what is it? Well, in its simplest way of looking at ransomware, it's really a form of malware. And malware, most of you should be very familiar with, because malware is pretty pervasive on, you know, on the internet and on computers. Sometimes you may download something you shouldn't have downloaded and your computer will be impacted with a virus. That's really what ransomware is, in a sense. Now, the difference between ransomware and these other types of malware that you're probably more familiar with is that ransomware is used as a means to extort money from the victim. Just like you would consider in a kidnapping scenario where somebody takes an individual and holds that individual for ransom and usually, under general terms, will say, hey, if you pay us a certain ransom amount, we will return the kidnapped individual. That is, generally speaking, the same sort of process by which ransomware attackers, which I like to term threat actors, that's the same process that these threat actors sort of employ. And so there's really two main types of ransomware that come across. The first, I've sort of called here classic ransomware. And this is sort of the more traditional ransomware event in which a threat actor installs ransomware on your network and that ransomware encrypts your files and locks your access to those files. Now, what do I mean when I say encrypt? Now, sometimes some of you may be familiar with encryption from encrypting emails when you're trying to send a sensitive document. That encryption essentially scrambles the contents of the document that you're sending, and the recipient has a key that unlocks or unscrambles the contents of the email that you have sent. So the recipient is the only person that can see the contents of the email.

So ransomware works in a similar aspect or a similar fashion, except in this instance, the key, it's only held by the threat actor. And the threat actor has that key and you, as the individual organization that has been impacted by the ransomware attack, cannot access your files or the folders in which those files are contained without obtaining a key from the threat actor. Now there's a second type of ransomware which I've sort of dubbed here as exfiltration ransomware. You may have heard of this as double dipping ransomware or double extortion ransomware. And it works really in two phases. Now the first phase of exfiltration ransomware is very similar to the classic ransomware approach where in stage one, the threat actor has encrypted your files and therefore your access to your files. And you would therefore need a key in theory, to be able to regain access to your files and folders.

Now in exfiltration ransomware, the threat actor does a step just before encrypting your files, and that step is exfiltrating, or removing or stealing from the environment, files and folders and removing them from the environment right before doing the encryption. Now we will talk a little bit more about the two stages of an exfiltration ransomware attack, but the thought process behind the exfiltration ransomware attack is this, right? So always important to remember throughout this entire process, the threat actor's primary motivation in this entire process is to obtain money. And so through the classic ransomware attack, they have one potential avenue to obtain money. That is by the impacted organization purchasing a decrypter key to decrypt the encrypted files. Now in the exfiltration ransomware scenario, the threat actor has two chances to obtain money. The first opportunity is if the impacted organization needs to purchase a decrypter key from the threat actor, and in that situation, the impacted organization will pay the threat actor a ransom in exchange for that key. Now, some organizations are in a position where either they have backups, which they can then use to sort of recreate the encrypted information, or, for whatever reason, the ransomware attack was not pervasive and only encrypted a small number of files that the organization can do without.

There could be a number of reasons why an organization decides to not pay to purchase or obtain a decrypter key. And so because of that, the threat actors became wise and learned, hey, let's come up with a second means to obtain money from the threat actor. And that second means is through the exfiltration. And the process there with the exfiltration, of course, is taking a number of documents from the environment with the hope that the impacted organization will pay the threat actor a certain amount or a ransom amount in exchange for the threat actor either returning the documents that were taken, destroying the documents that were taken, or some combination thereof. And of course, as I'm sure is sort of coming to your mind right now, well, how do we trust that this is actually gonna take place?

And so we're gonna talk about sort of the ransomware negotiation process in more detail in part two of this presentation, but for the purposes now it's important to just remember, we're talking really about two main types of ransomware, the classic or only extortion ransomware method, and then the exfiltration ransomware method, which is the, let me rephrase that. It's important here that we talk about, so in the subsequent parts of this presentation, we're gonna talk about the ransomware negotiation process and some of the concerns that an organization or an individual that's been impacted by ransomware generally has in those situations. But for purposes now, it's important to just remember that we're talking about two types of ransomware. The classic or encryption only ransomware attack, and then exfiltration, or the encryption plus theft of information ransomware attack. And so let's focus a little bit more on the classic ransomware attack. And that really takes place in about five stages. And of course this summary here is obviously a generalized overview of the ransomware process and of the classic ransomware process.

And so there are situations, of course, where the threat actor will not follow this exact pattern, but generally speaking, the five steps are as follows, right?

Step one is there is unauthorized access to the network. And that basically means that the threat actor has entered into your environment somehow. That could be through a phishing email, that could be through having stolen credentials like a username and password from a completely unrelated situation. That could be, you may have exposed network access. So in other words, you may have an open remote desktop protocol connection that a threat actor can use to enter into your environment. You may have some vulnerabilities from not patching software in a timely manner, and a threat actor can take advantage of those vulnerabilities. There are a number of ways that the threat actor can get into your environment, but of course, step one is a threat actor must in fact be in your environment. Now, step two, generally once in your environment, the threat actor tries to do some reconnaissance. And that is really to try to look through and assess what the environment is. And there's really a couple of reasons for this. One is to sort of figure out what the universe or the lay of the land is. The other aspect here, of course, is for the threat actor to try to increase its access to various parts of your environment. Now, a lot of that will of course depend on how your network or your environment is structured, but often the threat actor will have obtained some credentials to get into the environment, but then needs to obtain administrative credentials to give them access to more areas of the environment.

And so in step two, the threat actor will often conduct reconnaissance to try to obtain additional access through administrative credentials, and also to survey to see the scope of the environment: the number of servers, the number of points from which to, or across which to, deploy the ransomware. Now, step three is the actual execution of the ransomware. And of course, that ransomware execution is what is going to encrypt the impacted servers and workstations. Now that's really the very, you know, simplified version of a classic ransomware event. Now, once the threat actor has encrypted your systems, the threat actor is gonna typically leave a ransomware note. Sometimes that note will identify the organization. Sometimes it will only provide instructions on how to contact the threat actor. It will vary based on the threat actor group. But typically the note will provide instructions on what to do next. And usually that next instruction is, you should contact us unless you want, you know, if you want to get your access to your data back, you need to contact us and you need to pay a certain ransomware number. And then once the threat actor, you know, leaves that note, the threat actor's gonna delete the ransomware. Of course, so there's no chance that the impacted organization can somehow use that ransomware to then sort of reverse engineer, if you will, the process and get the ability to unencrypt the impacted systems without need for a key. Now, we're gonna talk about the extortion ransomware methodology and you're gonna see that it is very similar to the classic ransomware.

Now, the main difference here is really step three, but again, step one, the threat actor is gonna obtain some unauthorized access to your network. Step two, the threat actor is gonna conduct reconnaissance of the network. Now in step two, in an exfiltration ransomware scenario, the threat actor is also gonna conduct reconnaissance, not only to try to obtain higher administrative privileges, but also to do a survey of the files and folders that you have, that the organization has in its environment. Now, the threat actor isn't generally gonna take the time to go through individual files and pull out personal information or company sensitive information. But the threat actor is gonna look for files that might say, you know, personnel files, because the threat actor knows that those files typically contain social security numbers. The threat actor may look for, you know, accounting files or servers that are devoted to accounting. So the threat actor is gonna make some educated guesses based on the file and folder setup and the names of those files and folders as part of the reconnaissance process. Now, the key difference in the exfiltration ransomware process is now in step three, what the threat actor is doing is really stealing or exfiltrating a subset of documents from the environment. Then steps four, five and six are generally gonna be the same, where now that the documents are exfiltrated from the environment, the threat actor is going to now encrypt the environment. So I know I've talked to you about ransomware and I'm asking you to sort of take my word for what ransomware is, and you might be wondering, why should I even do that? Who is this guy talking to me?

And so this is me, my name is Kamran Salour. I am a data privacy and cybersecurity attorney here at Troutman Pepper. I specialize in responding or helping companies respond to all types of data security incidents. It could be something as simple as an employee leaving a laptop in an Uber and determining what the company needs to do in response to a situation like that. It could be as complicated as having a ransomware event or ransomware attack encrypt hundreds of servers across multiple offices throughout the United States. And that process will of course include figuring out how to respond to the ransomware event. And that includes getting the company back operational. That includes determining how the ransomware event happened, to helping the organization take steps to reduce the likelihood of that event happening again. It also includes an assessment of legal obligations, right? Sometimes, and we'll talk about this a little bit more in the subsequent parts of this presentation, but there's really, you know, a couple of things that an organization that's been hit with a ransomware attack needs to consider. And some of, so I'll divide it into two categories.

Category one would be the business side of things, that is sort of how to resume operations. And part of that operation resumption process is regaining access to encrypted files and encrypted systems and making sure that from a customer standpoint, you have access to your customer systems and your customers have access to your systems. And then the other component is assessing your legal obligations. And now those obligations typically will stem from data breach notification statutes, but they can also go beyond that. Sometimes an organization will have contractual obligations where they have to conduct certain steps, including notifying customers if there is a data incident. They could also have some regulatory obligations depending on the type of industry that the organization is in. And so my role is really twofold in this process and one is making sure that the company reduces or minimizes its impact on business. And the second aspect of course, is taking steps to help the company reduce or minimize the legal impact that the ransomware attack could have on its operations.

So enough about me. Let's really delve into part one of this presentation and part one again, is really gonna be, how do we respond to an attack? And so we've talked so far about the two types of attacks, and we've talked a little bit about how the threat actor can get in and what the threat actor does once in. And so really I wanna start this presentation from the standpoint of, you know, as an organization, you've been impacted or you've been attacked by a threat actor. So what do you do?

Well, I'm gonna divide this into five things that you should definitely do, and four things that you should definitely not do. And I'm gonna talk about each of these because I wanna emphasize the importance of doing these things.

So the first thing that you wanna do when you are aware that you've been impacted with a ransomware attack is to disconnect your systems from your network. And that includes turning off, you know, that's also, you know, hardwires, if you have like an ethernet connection, but also turning off your Wi-Fi connection as well. Because the key component, or the key reason why you wanna disconnect, is because you want to prevent the further spread of the ransomware. So as soon as you detect it, you wanna disconnect both physically and wirelessly from the network. That's really the first thing that you wanna do. 'Cause that's going to stop the ransomware from spreading further.

Now, the next thing you wanna do is you wanna contact your cyber insurance provider. And there's a couple of good reasons why we wanna do that. The first is, you know, and again, this is of course assuming that you have cyber insurance, but it's obviously important for making a claim under your cyber insurance. You're obviously gonna have to contact the insurance company, but that's not the real reason why I recommend contacting your insurance company as really one of the first things that you do. The reason why I make that recommendation is because for most organizations that have been hit with a ransomware attack, this is the first time that they're going through it. They don't know what to do. They don't know who to call. And if you contact your cyber insurance company, they know what to do. They know who to call. And they can help put you in touch with the appropriate people that will guide you through the incident response process. And it's very important in a type of situation like this that you don't do things on your own without talking to cyber professionals, because these cyber professionals deal with this on a regular basis, on a daily basis, and so they know what to do, what not to do. And so it's very important to reach out to your cyber carrier because they can put you in touch with those cyber experts. Now, another thing that you should definitely do, and in a perfect world, you will have done this as part of an incident response plan, but that's often not the case that people have an incident response plan.

And so one of the other things you should definitely do is create out-of-band communications. And what do I mean by out-of-band communications? Well, if you recall, when we talked about step one of a ransomware attack, the threat actor gets into the environment. And there are a number of ways in which the threat actor gets into the environment. And once in your environment, the threat actor could put certain malware on your system that gives them the ability to, you know, they're called persistence mechanisms, which essentially means there are ways for the threat actor to stay undetected in your environment. And so if you continue to use, let's say, your work email to have discussions about the ransomware attack and response to the ransomware attack, there is a chance that the threat actor is in fact able to see those emails because they still may have access to your email environment. Now I've heard horror stories where, you know, organizations that have been impacted by a ransomware attack have been on calls with forensic firms and legal counsel and, you know, before that call, there was an email or an invite sent through the work email. And guess who else appeared on that call? It was the threat actor. And I've heard that happen, you know, a few times.

So it's something that is possible to happen and obviously something that you don't wanna have happen, because you don't want the threat actor to know that you have legal counsel involved. You don't want the threat actor to know that you have a forensic firm involved. You don't want the threat actor to know that you have insurance involved. And of course you don't want the threat actor to know that you are, you know, what you're doing in terms of trying to stop the threat actor. So it's very important to have an out-of-band email. I always recommend, you know, just creating a Gmail account that's something very specific to this incident, because if for whatever reason this incident results in litigation and as part of that litigation, you know, the plaintiff wants to take discovery and as part of that discovery wants all, you know, messages that you sent in response to this incident, they're gonna look at your email account, and the last thing I would suggest is for your personal Gmail account to be part of that discovery response, where the attorneys responding to that discovery are gonna go through your personal Gmail account to find out, you know, to pluck out the correspondence related to the incident. So it's always much cleaner, for a number of reasons, to create a separate and specific Gmail account for responding to the ransomware attack. Now, the next thing that you wanna do is you wanna identify your key decision makers.

Now, of course, this is something that ideally will have been done before an incident occurs as part of an incident response plan. But essentially your key decision makers should include somebody in your IT department that has technical knowledge and expertise about how your systems work. It should include somebody in the C-suite that can make decisions on behalf of the company. And those decisions, at least at the outset, are going to include retaining outside counsel, retaining a forensic firm. And also somebody that can authorize financial decisions in terms of whether to pay a ransom. And if so, how much? And so your key decision makers obviously are gonna vary depending on the type of organization you have and the makeup of that organization, but you definitely don't want only IT people or only, you know, C-suite people. You do want a mix of people, not only that have decision making authority, but also have onsite experience and expertise about the company that can help in the incident response process.

And the last thing that you should do as part of the five immediate steps is to reset all of your passwords. Again, at this stage, it's probably unknown how the threat actor got in. They may have compromised credentials to get in. They may not have, but, you know, the fact remains generally at this stage is you don't know. And so it's always recommended to do a password reset so that, in the event that the threat actor does have compromised credentials, the threat actor cannot re-enter your environment by using a compromised password. So those are, you know, really sort of the five things that you wanna do when you've initially identified that you are the victim of an attack.

Now, conversely, there's four things that I see happen on a regular basis, which I wish would not be done. And the first thing is turning off your systems, right? Now, this is a little bit different than disconnecting. We wanna disconnect because we wanna stop the spread of the ransomware. But we don't wanna turn off these impacted systems because that may lead to some data loss if we try to turn systems back on. Sometimes depending on how the encryption event occurs, if you turn off a system, you can't turn it back on. And so that's something we wanna avoid.

The other thing that we wanna avoid, and this happens quite often, is having somebody wipe the system. And when I say wipe, they basically are going to reformat the system and sort of get it back online. And that could be a server, that could be a workstation, or both. And I certainly understand the desire to do this, right? As a business, if you cannot operate without, you know, having computers, you need computers, you need servers, and so I absolutely understand the instinct to wanna wipe the system and get back up and operational as soon as possible. But by wiping, you have destroyed the forensic artifacts on the system or the computer or the server that you have wiped. And so if you wipe without first preserving a forensic artifact by making a copy of the impacted workstation, then you've lost that forensic evidence. And without that forensic evidence, you may not be able to answer certain questions relating to the ransomware attack, such as how did the threat actor get into your environment? Where did the threat actor go once in your environment? Is there evidence from a forensic standpoint of the threat actor actually taking documents from your environment? So if you do need to get back up and running immediately, it's very important that you make a copy of the impacted systems, preserve those copies, and then proceed with wiping the system.

The other thing that happens quite often, and this is again somewhat related to the sort of premature wiping aspect, is the premature hiring aspect. And this also dovetails with the five immediate steps, and that is contacting your cyber insurance provider: you want experts that know how to respond to a ransomware event. It's a different skillset than someone that is savvy just on the IT side of things. This is a forensic evaluation and investigation. And so if you go ahead and hire somebody, you may be hiring somebody that, while skilled on the IT side, is inexperienced on the forensic side. And so you're not hiring the appropriate person for the task. Additionally, from a cost standpoint, and this is mostly a concern if you have cyber insurance, but from a cost standpoint, the rate that the vendor you hire charges may be higher than what your insurance covers. And so you may be out of pocket unnecessarily by going with a vendor that's not approved by your insurance company. So that's another concern.

The financial side is less of the concern in this instance. It's more of the fact that you may not know the experienced person to hire. And then the last thing that happens often is, you know, we talked about these stages of a ransomware attack where a threat actor leaves a ransom note, and in that ransom note, invariably, there is some way to contact the threat actor. And it's usually through a Tor browser, which is a type of browser that basically makes it difficult to identify who that person is from that browser standpoint. And contacting the threat actor can do a couple of things. Number one, it may trigger a clock. So some threat actor groups will have a clock, whether it's 72 hours, 96 hours, what have you, where if you don't sort of pay the ransom by that time, then maybe the ransom amount will double. Or if it's an exfiltration type of ransomware attack, they will publish some of the information they took. And so you don't wanna start that clock by contacting the threat actor too soon. And again, this goes also to making sure you have the experts in place. And the experts that handle this type of situation handle it on a routine basis, on a regular basis. They have lots of intelligence on these threat actor groups, they know how to communicate with these threat actor groups, they know what to say, and maybe more importantly, they know what not to say. And so you don't want to start that threat actor process without having the experts on board to carry out that process. And so those are sort of, you know, at a very high level, it's sort of the five things that you wanna make sure you do and the four things that you want to avoid doing when you've initially been a victim of a ransomware attack.

Now let's talk about the stages of a ransomware response. I like to group it into six stages.

The first stage is engaging the vendors. And when I say engaging the vendors, you want to engage outside counsel and you wanna have outside counsel engage a forensic firm on your behalf. And typically if you have cyber insurance, you will use vendors that your cyber insurance company has already vetted, or that are on your cyber insurance company's panel. But it's important not only for privilege purposes to have outside counsel and to have outside counsel engage the forensic vendor, but again, it's also very important just from an efficiency and knowledge standpoint: the vendors that respond to ransomware events, for the most part, do this on a regular basis. And therefore they have experience and expertise in the response process. And their experience and expertise can maximize the efficiency of their response and minimize the impact that the attack has on you as an organization. Now that's, you know, first and foremost: you need the vendors in place.

So we go to stage two, which is containment. Now, candidly, part of the containment process is going to begin when you unplug your network from the internet or from internet access, whether that's from a wired standpoint or a wireless standpoint. That's gonna stop the attack, but the next thing you wanna do is really focus on containment, and that is to make sure that you have isolated the impacted systems, you've stopped the spread of the ransomware, and you are taking steps to make sure that the ransomware is not spreading any further. And we'll talk a little bit more about that in some detail. But that's really, you know, it's fairly intuitive that if you have an attack, you wanna stop the attack and you wanna contain it to the smallest area possible.

Now, the next thing we wanna do is we wanna focus on restoration or remediation, and that's essentially, you know, it's gonna depend in part on the type of the attack, but part of that is basically recovering from the attack. And so once we've contained, we wanna focus on recovery. And that means restoring our systems, that means taking data that was lost from backups or from other sources and repurposing it to replace the lost data or the encrypted data. And so that is really what is going to be a part of the restoration and remediation stage. And, you know, stage three and stage four are often going to occur in parallel.

Stage four is gonna be data collection. And that is really going to be gathering evidence, forensic evidence, for the forensic investigator. And that could vary based on the type of the attack, but it's typically going to include the impacted servers and workstations. And when I say impacted, I mean the ones that have been encrypted. You may not need to have all of them examined, but you may wanna start with the more critical ones and conduct some sort of triage analysis. Now often what these forensic vendors can do is they can conduct triage analysis remotely. And from that triage analysis, identify the most important workstations to then examine more fully at a later time.

So now, you know, here we have the appropriate people in place, we've contained the incident, we're starting that restoration process while we are gathering the information. And while we're gathering that information, our forensic vendor is conducting a forensic investigation. Now in a perfect world, that forensic investigation will tell you how the threat actor got into your environment, when the threat actor got into your environment, where the threat actor went once in your environment, what data the threat actor took from your environment, and when the threat actor deployed the ransomware. So from that you'll know how long the threat actor was in your environment. But of course, you know, we don't live in a perfect world, so you may not have all of those answers in every forensic investigation. But that is really the goal of the forensic investigation. And that forensic investigation is important for at least three reasons.

Number one, if you know how the threat actor got into the environment, then you have a better chance of reducing the likelihood of the threat actor getting into your environment again. So for instance, if the threat actor got in because you had not patched a certain security vulnerability, now you've patched that security vulnerability and so the threat actor is less likely to get in that same way. And now, conversely, if the threat actor got in through a successful phishing attempt, that may be harder to prevent a recurrence of, because successful phishing attempts often depend on a human component, and as much as you train individuals on ways to identify phishing attempts and to not click on links when you don't know, you know, what those links are, it happens. And so, you know, that's really why it's important from a forensic standpoint to know how the threat actor got in, for prevention. Now, I said there's three reasons why that's important. So that was reason one, it's prevention.

Reason two is your messaging of the incident. We're going to talk more fully about messaging at a later time, but messaging is going to be important not only to customers and employees, but often to other organizations that you do business with. Those organizations, especially if you are sharing access to the network, are going to want to know how the threat actor got in, because they want to have at least the confidence that the impacted organization has taken steps to reduce that likelihood. So if your forensic investigation doesn't give you the answer to how the threat actor got in, that can put some pressure on your relationships with these other companies, because they may not feel comfortable reconnecting to your environment or doing business with you again when they don't really know how the threat actor got in and therefore don't know that the organization has taken steps to reduce the likelihood of a recurrence.

The third reason the forensic investigation is important is for assessing your legal obligations. When we talk about legal obligations, we are primarily concerned with identifying whether there was any unauthorized access to, or unauthorized acquisition or exfiltration of, personal information. So what the legal side really needs from the forensic investigation is what information the threat actor was able to access and what information the threat actor was able to obtain. The attorneys, working with the impacted organization, will then conduct an analysis of that impacted information to determine whether the organization in fact has to notify any impacted individuals because of that unauthorized access or acquisition.

So those are really the main six phases of a ransomware response. Now, there are some other phases that we're going to talk about later that are related to this process, and they don't fall under an exact timeframe because they're overarching and run the course of the response process. The first of those is messaging. Messaging takes place from the outset and continues all the way through the assessment of your legal notification obligations.

Messaging may come in multiple forms. It may be a PR message on your social media or your website about the incident. It may be messaging to employees, to local media, or to customers, or it may be none of those things. It really depends on the type of incident and who your audience is. Sometimes messaging is very important, and sometimes it's more important not to message the incident. That's another area where legal counsel can be very helpful in the process.

Stage seven is reporting to law enforcement. Again, I've marked it here as stage seven, but it can really happen at any time. There is a benefit to reporting to law enforcement. There's an optics benefit: if you are in fact notifying individuals that a breach has occurred, and in that notification you are able to tell those individuals that the FBI or law enforcement is involved, that provides a level of comfort to some individuals and a better appreciation that the organization is in fact a victim here too. So I tend to recommend reporting to the FBI in situations where we are going to have to notify individuals. There are a couple of other reasons why notifying the FBI is important. If we're talking about insurance and paying a ransom, sometimes the insurance companies will require, as a condition of agreeing to fund the ransom amount, that the impacted organization report the payment to law enforcement. The third reason involves OFAC, which is essentially the organization that wants to make sure nobody is making payments to known terrorist groups. There's always a concern when you are paying a threat actor that you don't necessarily know where they are from or who they are. Before paying the threat actor, you conduct what's called an OFAC check, where you run a report that confirms that the threat actor's name and the threat actor's Bitcoin wallet are not on the prohibited OFAC list. Nonetheless, if you end up making a payment to somebody that is on that list, having reported the payment to the FBI helps reduce your likelihood of being fined by OFAC. So that is another, more practical reason for notifying law enforcement.

Stages eight and nine are often related, and a lot will depend on the type of incident, but notification is obviously going to be the outcome of stage six, assessing your legal obligations. You may have to notify, or you may not. You may have to notify some people but not all. You may elect to notify even though you don't have a legal obligation to. You may elect to do some sort of goodwill or non-legal notification. All of that depends on the incident, what evidence you have of the information that was taken, the type of information taken, the type of industry you're in, and the potential impact that taken information could have on individuals. Related to notification, of course, is dealing with third parties. Again, these stages, messaging, reporting to law enforcement, and dealing with third parties, cover the entire response process. Dealing with third parties can come into play when we're talking about messaging at the outset, and it can also come into play with notification. Sometimes an impacted organization discovers that information it houses belonging to third parties has been exfiltrated, and then you have to coordinate with those third parties on notification: which entity, the data owner or the data licensee, is going to be responsible for notifying. So that's where dealing with third parties comes into play as well. As a whole, you can see that while there are articulated stages and steps in the response process, there is a lot of variance within those steps, and that variance is due in pertinent part to the type of incident that occurs and the potential impact the incident could have on the organization and its employees, customers, and vendors. So let me talk a little bit more about each of these steps.

Stage one is engaging vendors. The first thing we want to do when engaging vendors is make sure we have people helping the organization who are familiar with the process and familiar with the threat actors. Usually the forensic firm is going to be the one that's familiar with the threat actors, and this comes in handy quite often. I've been on many cases where, let's say, we had an initial ransom demand of a million dollars, we've been able to negotiate, and we're down to $300,000. The desire is, hey, let's make that $300,000 payment; the organization needs the decrypter key, we want to get back up and running, and $300,000 is a good discount, so let's go ahead and make the payment. And I've had situations where, if you're working with very skilled threat actor negotiators, they can say, you know what, I know how this threat actor group operates from past experience, I know we can get this down to 150, and I know exactly what to say to get it there. Sure enough, they do it and get the demand down even further. So experienced threat actor negotiators are another great resource to have at your disposal. Now, I think the most common notion of why you should engage a vendor is for privilege purposes. The thought process there is that if an attorney is engaged to guide the organization through the response process, the communications with the attorney are of course privileged, and if the attorney in turn engages the forensic firm on behalf of the organization, then the forensic findings, and the legal determinations based on those forensic findings, are also privileged.

Now, I know there is some case law holding that forensic reports are not privileged in certain contexts. Obviously we're not going to delve deep into a privilege discussion for purposes of this presentation. But it's important to note that the sole reason for engaging outside counsel should not be to preserve privilege. Not only can there be questions of whether privilege exists in certain situations under that scenario, but you're also not gaining the full value of having outside counsel involved. They are very skilled and experienced in the process and can add a lot of value to it.

So let's talk a little bit more now about containment. We've talked a little bit about it already, and really the goal of containment is to stop the spread of the attack. How are we going to do this?

Well, the first thing is we are going to unplug, and then we are going to identify and isolate threats. We want to make sure we are not seeing continued evidence of unauthorized access into our environment. The traditional way this is done is that the forensic firm deploys an EDR tool. An EDR tool is an endpoint detection and response tool, and what it does is identify unauthorized activity. That unauthorized activity could take the form of malware in your environment, but it can also take the form of atypical behavior. So, for instance, let's assume that somebody is trying to log in from Eastern Europe and you shouldn't have anybody logging in from Eastern Europe. The endpoint detection and response tool will flag that a login from Eastern Europe is suspicious, and that will alert whoever's watching the endpoint detection and response monitoring process to then decide, okay, let's stop the attempt to enter our system based on this location. That's obviously a very simplified example of how an endpoint detection and response tool operates, but essentially the goal is to not have any more alerts from the EDR tool, and that's when you have a good understanding that containment has been reached. Now, I'm oversimplifying the process for purposes of this discussion, and there's a little bit more to containment, but that's generally a good indicator that the incident has been contained.

When we go to stage three, we're talking about restoration and remediation. As we go through that process, you're asking a number of questions. We want to know the scope: how many servers and workstations have been encrypted? Of those encrypted servers and workstations, do we have data stored on them? If so, what kind of data is it? Is it company-sensitive data? Is it HR data? Is it accounting data? Is it data that, frankly, we could do without, or is it critical data that we need? If it's critical data, can we obtain that data from another source? Do we have backups offsite that we can use, or are we able to recreate the encrypted data from other systems that have not been encrypted? And then, has any of the data been stolen, and what are the contents of the data that has been stolen? These are all things you have to ask yourself as you go through your remediation and restoration plan, because whether you are going to obtain a decrypter key from the threat actor, or whether you're going to pay the threat actor to return or destroy stolen data, a lot of those decision points are going to depend on the answers to these types of questions.

So these are very important questions to consider in that process. Now, as we continue to talk about restoration and remediation, let's say we decide that we need a decrypter key. What do we do? Well, we're going to have to reach out to the threat actor, and we reach out to the threat actor through the ransom note. We're going to talk more about this process, but one of the concerns that always comes up when we reach out to the threat actor for a decrypter key is: how do we know, what guarantee do we have, that the threat actor is in fact going to provide the key? Often a client will say, well, can we have them give us the key, and then if the key works, we'll go ahead and pay them? Unfortunately we can't do that, because the threat actor has all of the leverage, and the threat actor is not going to give us the key without some sort of payment upfront.

But one thing we always do in this process is provide the threat actor with a handful of encrypted files, innocuous files that don't contain any personal information or company-sensitive information, and ask the threat actor to decrypt those five files or so. That gives us some level of confidence that the threat actor does in fact have the decrypter key and that the decrypter key does in fact work. The other point I want to make here, and we'll talk about this more in part two, is that in terms of the threat actor following through on delivering the decrypter key, it's always important to remember the threat actor's motivation. And that motivation is money.

Remember, ransomware at bottom is a means to extort money from an organization. So if the threat actor operates in a manner where they obtain money in exchange for a key but don't deliver that key, the likelihood of the next victim paying is reduced, and therefore the threat actor's prime motivation, which is to obtain money, is also reduced. So it's important not to think of the threat actor as being honorable and following through on his or her promises. It's really selfish on the threat actor's part: the threat actor is going to provide the key because what the threat actor wants is money, not only for this attack but for subsequent attacks. That's a very important point to remember, and we'll talk more about it in part two. Now, at the beginning of this process we talked about the classic ransomware pattern, where your environment is encrypted, you need to reach out to the threat actor to obtain a decrypter key, and you pay a ransom in exchange for that key. We also talked about the other type of ransomware, the extortion type. That is mostly, though not always, a situation where the threat actor has not only encrypted your data but has also taken sensitive data from your environment. So when you are talking about this extortion portion of the ransomware process, there are a couple of things you need to keep in mind.

One is: do you in fact have proof that the threat actor has taken data? Sometimes in the ransom note the threat actor will say, we have taken 300 gigabytes of your data, when in fact they haven't taken any data, or when in fact they've only taken a subset of that data. There's a lot of posturing by threat actors in these situations. So you do want to obtain proof that the threat actor has in fact taken data. Sometimes you can get that proof through the forensic investigation, but you can also get that proof by communicating directly with the threat actor. One of the things you do is ask the threat actor to provide samples of a handful of files.

Sometimes, when you reach out to the threat actor, they will provide you with file trees as proof that they took the files. The file trees themselves are not proof that they in fact took data from your environment; they're just proof that the threat actor has a file tree of the data in your environment. What you can do, and what we typically do in those situations, is pick a handful of files at random that traverse a large scope of the network, across multiple servers and workstations and things of that nature. We don't want to tip our hand to the threat actor by focusing on one server, because the threat actor will then get the impression that that server is critical, and that may change the price of the ransom. But we also want to make sure we understand the scope of the exfiltration, and that's another reason why we don't want to pinpoint one server. So we pick a handful of files scattered across the environment and ask the threat actor to provide proof of those files.

Then you have to make an assumption, but a reasonable one: if the threat actor can provide samples of five random files across the environment, then the odds are that the threat actor does in fact have these documents. Once you have established that the threat actor has the documents, you want to do an internal evaluation to determine whether these documents are valuable to you from an organizational standpoint. If these documents are in the wrong hands on the dark web, is that going to cause harm to our organization? What type of harm? Is it critical company-sensitive information that, if it's out there, puts us at a competitive disadvantage? Is it going to reveal information that we rely on as a trade secret in our operations? Would it basically be catastrophic for the company? Or sometimes it could be information that has personal information, and may have Social Security numbers or bank account information of employees. Is that information you want out there on the dark web? Of course not. But are you willing to pay a ransom to prevent that information from being out there? That will obviously vary with the situation and the type of information. Now, sometimes there is an optics value in just paying the threat actor to delete the data. And when I say delete the data, the proof of deletion will vary. Sometimes a threat actor will simply say, yes, we deleted the data.

Sometimes a threat actor will provide you with a deletion log. Sometimes the threat actor will provide a video showing the threat actor deleting the data from his or her side. Of course, none of those situations rules out the threat actor having already made a copy of the information. So there is no guarantee that the data has been deleted, but there's often an optics value in making that payment, because when we're talking about notification letters and notification materials, being able to state that you have taken steps to ensure that the data that was taken has not been disseminated has some optics value as well. It may have even more value if you're talking about information belonging to customers. Customers can be very sensitive about the type of their information that's out there and exposed, and that may have great business value for you. So there may be a business reason for making that type of payment. Now, when we're talking about data collection, it's often forgotten to have extra data capacity on hand before an incident occurs: have extra hard drives. There are a couple of reasons I say that.

One, we talked about wiping at the beginning, and about making a copy of the impacted data before wiping. Sometimes people will just make the decision, well, I don't have time to go to a store and get drives, I'm just going to go ahead and wipe it. If you have the drives there, that decision is a little bit easier. But also, when we're talking about the speed of the response process, in a situation where you don't have extra drives on hand, you're going to have to go purchase them, or you're going to have to wait for the forensic firm to send them to you by mail, and that can slow down the response. It's not super critical; it's a small hurdle that's easy enough to overcome. But it's something you should consider that often gets overlooked in the response process.

Now, stage five is the forensic investigation. We talked about this a little earlier, but really we want the forensic investigation to determine the who, what, when, where, why, and how: who got in, how they got in, when they got in, what they did once they were in, what they took once they were in, if anything, and what steps we can ultimately take to reduce the likelihood of them getting back into our environment. That's really the focus of the forensic investigation.

Of course, there's optics value with the forensic investigation also, because again, if you are notifying, whether we're doing it from a legal standpoint with a consumer notification letter, more casually in messaging to employees, or, let's say, to a very important client or customer whose data we store, those clients are going to want to know, a, that a forensic investigation was done, and, b, the result of that investigation. So having a good forensic investigation done by a third party that's recognized in the field has a lot of value, because it gives a lot of comfort to the customers and third parties impacted by the incident to know that the impacted organization, the victim of the ransomware attack, has in fact taken the appropriate steps in response to this type of attack.

Now, while every forensic investigation tries to answer those main questions, there are often situations where we don't have the answers to all of them. Sometimes it's a matter of logging, where the logs on your systems only go back a certain number of days. Firewall logs, for instance, usually only go back a very short amount of time. If you don't have procedures in place for retaining those logs, or sometimes you don't even have logging enabled, a situation can arise where a threat actor got in and the logs don't go back far enough for you to determine when the threat actor got in. And if you don't know when the threat actor got in, typically you don't know how the threat actor got in. So having your logs enabled is very important in this process.

There are also times when you've already gone ahead and wiped the information before the forensic investigation was conducted, so you've lost certain information; that's another way you can lose valuable forensic evidence. And sometimes these threat actors conduct what I call anti-forensic activity, where they delete logs and other forensic artifacts, which impedes the forensic firm's ability to answer all of those questions. Now, while from a legal standpoint it's very important to know what the threat actor accessed or acquired, that is not the only thing we want to focus on in a forensic investigation.

Focusing on how the threat actor got in is critical, because that will help reduce the likelihood of it happening again through the same channel, but it's also information that third parties impacted by the incident always want to know. When I'm assisting clients who, as part of the attack, have third parties that are impacted, those parties bring their security experts and their counsel on, and the first question is invariably, well, how did they get in? If you say, well, we don't know, they're going to say, well, how do we know this won't happen again? Of course, you never know that it won't happen again, because you cannot prevent 100% of incidents. What you can do, of course, is put procedures in place that reduce the likelihood, but the answer to that question is always that we can't, regardless. But that's always something the third parties tend to focus on, and so it's an important piece of information to try to figure out. Now, once the forensic investigation is complete, we can really focus on our legal obligations. We've already talked a little bit about how important the forensic investigation is for messaging, for being able to answer to those third parties and to your employees: how the threat actor got in, what the threat actor did once they were in there, and did they take any information?

If so, what? Those are all very important for messaging purposes. They are of course very important for legal purposes as well, because your legal obligations, if any, are going to depend on whether personal information was acquired or accessed by the threat actor as a result of the incident. So we've talked about part one, which is really about first identifying what ransomware is and then talking about how to respond to a ransomware attack. I think it's very important to remember what the goal of this process is. Often people will think, okay, I just need to know if I have legal obligations as a result. But really there should be two focuses. The first should be on the business, and when I say the business, it really depends on getting the business back operational and on maintaining, or reducing any damage to, the business's goodwill and reputation. That really happens based on the type of messaging you do, the type of forensic investigation you do, its thoroughness, the answers you can provide, and how you handle that process from a business standpoint.

And then, of course, there's the legal side of things, where you have to assess whether you in fact have legal notification obligations or regulatory obligations. But really the focus of the investigation should always be on making sure you're minimizing the impact on the business and on the business's customer relationships. The best way to do that is to engage experienced vendors, from a legal counsel standpoint as well as from a forensic investigation standpoint and a threat actor or ransom negotiator standpoint. Without those experts in place, the likelihood of being able to minimize the impact is going to be reduced.

So that's really what we wanted to focus on here in part one. In part two, we're going to talk in much more detail about messaging and how critical messaging is in the ransomware response. So I hope you will join me for part two.
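
The containment discussion above describes an EDR flagging a login from a location nobody should be logging in from, and the forensic-investigation discussion notes that logs which do not reach back far enough cannot tell you when the intruder got in. The following is an added example written for this page; it is not part of the presentation or the presenter's materials. It applies both checks to a few constructed authentication log lines. The log line format, the expected-country list and the function names are assumptions made for the example, not anything the talk specifies.

```python
"""Added example for this page (not the presenter's material): a minimal
version of two checks described in the talk, run over constructed log lines.

  1. The EDR-style "atypical behaviour" rule: flag successful logins from a
     GeoIP country that is not on the organization's expected list.
  2. The log-retention question: do the retained logs reach back far enough
     to cover the date you need to investigate?

The log line format, the country list and the function names are
assumptions made for this example.
"""
import re
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). One event per line:
# UTC timestamp, user, source IP (RFC 5737 documentation ranges), GeoIP
# country code, and result.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=jsmith src=198.51.100.23 country=US result=success
2024-03-04T08:15:40Z user=jsmith src=198.51.100.23 country=US result=success
2024-03-05T02:47:09Z user=admin src=203.0.113.77 country=RO result=failure
2024-03-05T02:47:31Z user=admin src=203.0.113.77 country=RO result=success
2024-03-06T13:20:00Z user=mlee src=192.0.2.9 country=CA result=success
"""

# Countries from which logins are expected (assumed); anything else is "atypical".
EXPECTED_COUNTRIES = {"US", "CA"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_timestamp(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-05T02:47:31Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # malformed or unrelated line; in practice you would count these
        event = match.groupdict()
        event["ts"] = parse_timestamp(event["ts"])
        events.append(event)
    return events


def flag_suspicious_logins(events, expected_countries=EXPECTED_COUNTRIES):
    """Return successful logins whose GeoIP country is outside the expected set.

    Failed attempts from the same place are worth a look too, but the
    successful login is the one that means the intruder is now inside.
    """
    return [
        e for e in events
        if e["result"] == "success" and e["country"] not in expected_countries
    ]


def retention_covers(events, date_of_interest):
    """True if the oldest retained event is no later than the date given.

    date_of_interest is an ISO-8601 UTC string in the same format as the log.
    If the earliest retained entry is newer than the date you need to examine,
    the logs cannot tell you when (or how) the intruder first got in.
    """
    if not events:
        return False
    earliest = min(e["ts"] for e in events)
    return earliest <= parse_timestamp(date_of_interest)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in flag_suspicious_logins(events):
        print(f"ALERT {e['ts'].isoformat()} {e['user']} logged in from "
              f"{e['country']} ({e['src']})")
    # Suppose the ransom note and file timestamps suggest entry around 1 March.
    print("logs cover suspected entry date:",
          retention_covers(events, "2024-03-01T00:00:00Z"))
```

Running it prints one alert, for the admin login from RO, and reports that the sample log does not reach back to the suspected entry date, which is exactly the gap the presenter warns about: without earlier logs you cannot establish when, and therefore how, the threat actor got in.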


Presenter(s)

KS
Kamran Salour
Partner, Co-Chair of Data Privacy & Cybersecurity Practice
Lewis Brisbois

Credit information

Jurisdiction | Credits | Available until | Status
Alabama | 1.0 general | | Unavailable
Alaska | 1.0 voluntary | | Pending
Arizona | 1.0 general | | Pending
Arkansas | 1.0 general | | Pending
California | 1.0 general | | Pending
Colorado | 1.0 general | | Pending
Connecticut | 1.0 general | | Pending
Delaware | | | Not Offered
Florida | 1.5 technology | | Pending
Georgia | 1.0 general | | Unavailable
Guam | 1.0 general | | Pending
Hawaii | 1.0 general | | Pending
Idaho | | | Not Offered
Illinois | 1.0 general | | Pending
Indiana | | | Not Offered
Iowa | | | Not Offered
Kansas | | | Not Offered
Kentucky | | | Not Offered
Louisiana | | | Not Offered
Maine | 1.0 general | | Pending
Minnesota | 1.0 general | | Pending
Mississippi | | | Not Offered
Missouri | 1.0 general | | Pending
Montana | | | Not Offered
Nebraska | | | Not Offered
Nevada | | | Not Offered
New Hampshire | 1.0 general | | Pending
New Jersey | 1.4 general | | Pending
New Mexico | | | Not Offered
New York | 1.0 cybersecurity - general | | Pending
North Carolina | 1.0 technology | | Unavailable
North Dakota | 1.0 general | | Pending
Ohio | 1.0 general | | Unavailable
Oklahoma | | | Not Offered
Oregon | 1.0 general | March 30, 2025 at 11:59PM HST | Approved
Pennsylvania | | | Not Offered
Puerto Rico | | | Not Offered
Rhode Island | | | Not Offered
South Carolina | | | Not Offered
Tennessee | 1.15 general | | Pending
Texas | | | Not Offered
Utah | 1.0 general | | Unavailable
Vermont | 1.0 general | | Pending
Virginia | | | Not Offered
Virgin Islands | 1.0 technology | | Pending
Washington | 1.0 office management | March 30, 2026 at 11:59PM HST | Approved
West Virginia | | | Not Offered
Wisconsin | | | Not Offered
Wyoming | | | Not Offered