Kamran Salour - Hello and welcome to Ransomware: Practical Steps to
Minimize Its Probability and Impact. My name is Kamran Salour and I will
be leading you today through a three part series that discusses
ransomware, its impact and practical steps to avoid a ransomware event
from occurring but short of that practical steps to take should a
ransomware event occur to help minimize the impact of the attack, both
on the organization and the organization's employees and customers.
So we're gonna divide this presentation into three parts and part one,
we're gonna focus first on what is ransomware. I know there's a lot that
has been talked about ransomware in the news and it's often a concern
of many businesses, but many people don't necessarily know what
ransomware is, how it works, and how it operates. And so before we can
go into steps to respond to a ransomware attack and steps to try to
prevent or minimize a ransomware event from occurring, it's very
important to first focus on understanding what a ransomware event is and
the types of ransomware events that are generally seen to occur and
impact organizations. So once we talk about ransomware, we're gonna talk
about responding to a ransomware attack. That's gonna be the main focus
of part one. And as this presentation proceeds into parts two and parts
three, we're gonna talk about other aspects of ransomware and other
aspects of the incident response process.
So let's start with the critical question, ransomware, what is it? Well, in its simplest way
of looking at ransomware, it's really a form of malware. And malware,
most of you should be very familiar with because malware is pretty
pervasive on, you know, on the internet and on computers. Sometimes you
may download something you shouldn't have downloaded and your computer
will be impacted with a virus. That's really what ransomware is in a
sense. Now, the difference between ransomware and these other types of
malware that you're probably more familiar with is that ransomware is
used as a means to extort money from the victim. Just like you would
consider in a kidnapping scenario where somebody takes an individual and
holds that individual for ransom and usually under general terms will
say, hey, if you pay us a certain ransom amount, we will return the
kidnapped individual. That is generally speaking the same sort of
process by which ransomware attackers, which I like to term threat
actors, that's the same process that these threat actors sort of employ.
And so there are really two main types of ransomware that come across.
The first, I've sort of called here classic ransomware. And this is sort
of the more traditional ransomware event in which a threat actor
installs ransomware on your network and that ransomware encrypts your
files and locks your access to those files. Now, what do I mean when I
say encrypt? Now sometimes some of you may be familiar with encryption
from encrypting emails when you're trying to send a sensitive document
that encryption essentially scrambles the contents of the document that
you're sending, and the recipient has a key that unlocks or unscrambles
the contents of the email that you have sent. So the recipient is only
the person that can see the contents of the email.
So ransomware works in a similar aspect or a similar fashion, except in this
instance, the key, it's only held by the threat actor. And the threat
actor has that key and you, as the individual organization that has been
impacted by the ransomware attack, cannot access your files or the
folders in which those files are contained without obtaining a key from
the threat actor. Now there's a second type of ransomware which I've
sort of dubbed here as exfiltration ransomware. You may have heard of
this as double dipping ransomware or double extortion ransomware. And it
works really in two phases. Now the first phase of exfiltration
ransomware is very similar to the classic ransomware approach where in
stage one, the threat actor has encrypted your files and therefore your
access to your files. And you would therefore need a key in theory, to
be able to regain access to your files and folders.
Now in exfiltration ransomware, the threat actor does a step just before
encrypting your files and that step is exfiltrating or removing or
stealing from the environment files and folders and removing them from
the environment right before doing the encryption. Now we will talk a
little bit more about the two stages of
an exfiltration ransomware attack, but the thought process behind the
exfiltration ransomware attack is this, right? So always important to
remember throughout this entire process, the threat actor's primary
motivation in this entire process is to obtain money. And so through the
classic ransomware attack, they have one potential avenue to obtain
money. That is by the impacted organization purchasing a decrypter key
to decrypt the encrypted files. Now in the exfiltration ransomware
scenario, the threat actor has two chances to obtain money. The first
opportunity is if the impacted organization needs to purchase a
decrypter key from the threat actor, and in that situation, the impacted
organization will pay the threat actor a ransom in exchange for that
key. Now, some organizations are in a position where either they have
backups, which they can then use to sort of recreate the encrypted
information or, for whatever reason, the ransomware attack was not
pervasive and only encrypted a small number of files that the
organization can do without.
There could be a number of reasons why an organization decides to not pay to purchase or obtain a decrypter
key. And so because of that, the threat actors became wise and learned,
hey, let's come up with a second means to obtain money from the threat
actor. And that second means is through the exfiltration. And the
process there with the exfiltration of course, is taking a number of
documents from the environment with the hope that the impacted
organization will pay the threat actor a certain amount or a ransom
amount in exchange for the threat actor, either returning the documents
that were taken, destroying the documents that were taken, or some
combination thereof. And of course, as I'm sure you can sort of, coming
to your mind right now, well, how do we trust that this is actually
gonna take place?
And so we're gonna talk about sort of the ransomware negotiation process in more detail in part two of this
presentation, but for the purposes now it's important to just remember,
we're talking really about two main types of ransomware, the classic or
only extortion ransomware method, and then the exfiltration ransomware
method, which is the, let me rephrase that. It's important here that we
talk about, so in the subsequent parts of this presentation, we're gonna
talk about the ransomware negotiation process and some of the concerns
that an organization or an individual that's been impacted by ransomware
generally has in those situations. But for purposes now, it's important
to just remember that we're talking about two types of ransomware. The
classic or encryption only ransomware attack, and then exfiltration, or
the encryption plus theft of information ransomware attack. And so let's
focus a little bit more on the classic ransomware attack. And that
really takes place in about five stages. And of course this summary here
is obviously a generalized overview of the ransomware process and of
the classic ransomware process.
And so there are situations, of course, where the threat actor will not follow this exact pattern, but
generally speaking, the five steps are as follows, right?
Step one is there is unauthorized access to the network. And that basically
means that the threat actor has entered into your environment somehow.
That could be through a phishing email, that could be through having
stolen credentials like a username and password from a completely
unrelated situation. That could be, you may have an exposed network
access. So in other words, you may have an open remote desktop protocol
connection that a threat actor can use to enter into your environment.
You may have some vulnerabilities from not patching software in a timely
manner, and a threat actor can take advantage of those vulnerabilities.
There are a number of ways that the threat actor can get into your
environment, but of course, step one is a threat actor must in fact be
in your environment. Now, step two, generally once in your environment,
the threat actor tries to do some reconnaissance. And that is really to
try to look through and assess what the environment is. And there's
really a couple of reasons for this. One is to sort of figure out what
the universe or the lay of the land is. The other aspect here of course,
is for the threat actor to try to increase its access to various parts
of your environment. Now, a lot of that will of course depend on how
your network or your environment is structured, but often the threat
actor will have obtained some credentials to get into the environment,
but then needs to obtain administrative credentials to give them access
to more areas of the environment.
And so in step two, the threat actor will often conduct reconnaissance to try to obtain additional
access through administration credentials, and also to survey to see the
scope of the environment. The number of servers, the number of points from
which to, or across which to, deploy the ransomware. Now, step three is
the actual execution of the ransomware. And of course, that ransomware
execution is what is going to encrypt the impacted servers and
workstations. Now that's really the very, you know, simplified version
of a classic ransomware event. Now, once the threat actor has encrypted
your systems, the threat actor is gonna typically leave a ransomware
note. Sometimes that note will identify the organization. Sometimes it
will only provide instructions on how to contact the threat actor. It will
vary based on the threat actor group. But typically the note will
provide instructions on what to do next. And usually that next
instruction is, you should contact us unless you want, you know, if you
want to get your access to your data back, you need to contact us and
you need to pay a certain ransomware number. And then once the threat
actor, you know, leaves that note, the threat actor's gonna delete the
ransomware. Of course, so there's no chance that the impacted
organization can somehow use that ransomware to then sort of reverse
engineer, if you will, the process and get the ability to unencrypt the
impacted systems without need for a key. Now, we're gonna talk about the
extortion ransomware methodology and you're gonna see that is very
similar to the classic ransomware.
Now, the main difference here is really step three, but again, step one, the threat actor is gonna
obtain some unauthorized access to your network. Step two, the threat
actor is gonna conduct reconnaissance of the network. Now in step two,
in an exfiltration ransomware scenario, the threat actor is also gonna
conduct reconnaissance, not only to try to obtain higher administrative
privileges, but also to do a survey of the files and folders that you
have, that the organization has in its environment. Now, the threat
actor isn't generally gonna take the time to go through individual files
and pull out personal information or company sensitive information. But
the threat actor is gonna look for files that might say, you know,
personnel files, because the threat actor knows that those files
typically contain social security numbers. The threat actor may look
for, you know, accounting files or servers that are devoted to
accounting. So the threat actor is gonna make some educated guesses
based on the file and folders set up and the names of those files and
folders as part of the reconnaissance process. Now, the key difference
in the exfiltration ransomware process is now in step three, what the
threat actor is doing is really stealing or exfiltrating a subset of
documents from the environment. Then step four, five and six are
generally gonna be the same where now that the documents are exfiltrated
from the environment, the threat actor is going to now encrypt the
environment. So I know I've talked to you about ransomware and I'm
asking you to sort of take my word for what ransomware is, and you might
be wondering why should I even do that? Who is this guy talking to me?
And so this is me, my name is Kamran Salour. I am a data privacy and
cybersecurity attorney here at Troutman Pepper. I specialize in
responding or helping companies respond to all types of data security
incidents. It could be something as simple as an employee leaving a
laptop in an Uber and determining what the company needs to do in a
response to a situation like that. It could be as complicated as having a
ransomware event or ransomware attack encrypt hundreds of servers
across multiple offices throughout the United States. And that process
will of course include figuring out how to respond to the ransomware
event. And that includes getting the company back operational. That
includes determining how the ransomware event happened to helping the
organization take steps to reduce the likelihood of that event happening
again. It also includes an assessment of legal obligations, right?
Sometimes, and we'll talk about this a little bit more in the subsequent
parts of this presentation, but there's really, you know, a couple of
things that an organization that's been hit with a ransomware attack
needs to consider. And some of, so I'll divide it into two categories.
Category one would be the business side of things, that is sort of how to resume
operations. And part of that operation resumption process is regaining
access to encrypted files and encrypted systems and making sure that
from a customer standpoint, you have access to your customer systems and
your customers have access to your systems. And then the other
component is assessing your legal obligations. And now those obligations
typically will stem from data breach notification statutes, but they
can also go beyond that. Sometimes an organization will have contractual
obligations where they have to conduct certain steps, including
notifying customers if there is a data incident. They could also have
some regulatory obligations depending on the type of industry that the
organization is in. And so my role is really twofold in this process and
one is making sure that the company reduces or minimizes its impact on
business. And the second aspect of course, is taking steps to help the
company reduce or minimize the legal impact that the ransomware attack
could have on its operations.
So enough about me. Let's really delve into part one of this presentation and part one again, is really
gonna be, how do we respond to an attack? And so we've talked so far
about the two types of attacks, and we've talked a little bit about how
the threat actor can get in and what the threat actor does once in. And
so really I wanna start this presentation from the standpoint of, you
know, as an organization, you've been impacted or you've been attacked
by a threat actor. So what do you do?
Well, I'm gonna divide this into five things that you should definitely do, and four things
that you should definitely not do. And I'm gonna talk about each of
these because I wanna emphasize the importance of doing these things.
So the first thing that you wanna do when you are aware that you've been
impacted with a ransomware attack is to disconnect your systems from
your network. And that includes turning off, you know, that's also, you
know, hardwires, if you have like an ethernet connection, but also
turning off your Wi-Fi connection as well. Because the key component, or
the key reason why you wanna disconnect is because you want to prevent
the further spread of the ransomware. So as soon as you detect it, you
wanna disconnect both physically and wirelessly from the network. That's
really the first thing that you wanna do. 'Cause that's going to stop
the ransomware from spreading further.
Now, the next thing you wanna do is you wanna contact your cyber insurance provider. And there's
a couple of good reasons why we wanna do that. The first is, you know,
and again, this is of course, assuming that you have cyber insurance,
but it's obviously important for making a claim under your cyber
insurance. You're obviously gonna have to contact the insurance company,
but that's not the real reason why I recommend contacting your
insurance company as really one of the first things that you do. The
reason why I make that recommendation is because most organizations that
have been hit with a ransomware attack, this is the first time that
they're going through it. They don't know what to do. They don't know
who to call. And if you contact your cyber insurance company, they know
what to do. They know who to call. And they can help put you in touch
with the appropriate people that will guide you through the incident
response process. And it's very important in a type of situation like
this that you don't do things on your own without talking to cyber
professionals because this cyber professionals deal with this on a
regular basis, on a daily basis, and so they know what to do, what not
to do. And so it's very important to reach out to your cyber carrier
because they can put you in touch with those cyber experts. Now, another
thing that you should definitely do, and in a perfect world, you will
have done this before an incident as part of an incident response plan, but
that's often not the case that people have an incident response plan.
And so one of the other things you should definitely do is create out of
band communications. And what do I mean by out of band communications?
Well, if you recall, when we talked about step one of a ransomware
attack, is the threat actor gets into the environment. And there are a
number of ways in which the threat actor gets into the environment. And
once in your environment, the threat actor could put certain malware on
your system that gives them the ability to, you know, they're called
persistent mechanisms, which essentially means there are ways for the
threat actor to stay undetected in your environment. And so if you
continue to use, let's say your work email to have discussions about the
ransomware attack and response to the ransomware attack, there is a
chance that the threat actor is in fact able to see those emails because
they still may have access to your email environment. Now I've heard
horror stories where, you know, organizations that have been impacted by
a ransomware attack have been on calls with forensic firms and legal
counsel and, you know, before that call, there was an email or an invite
sent through the work email. And guess who else appeared on that call?
It was the threat actor. And I've heard that happen in, you know, a few
times.
So it's something that is possible to happen and obviously something that you don't wanna have happen because you don't want the
threat actor to know that you have legal counsel involved. You don't
want the threat actor to know that you have a forensic firm involved.
You don't want the threat actor to know that you have insurance
involved. And of course you don't want the threat actor to know that you
are, you know, what you're doing in terms of trying to stop the threat
actor. So it's very important to have an out of band email. I always
recommend, you know, just creating a Gmail account. That's something
very specific to this incident because if for whatever reason, this
incident results into litigation and as part of that litigation, you
know, the plaintiff wants to take discovery and as part of that
discovery wants all, you know, messages that you sent in response to
this incident, they're gonna look at your email account and the last
thing I would suggest is for your personal Gmail account to be part of
that discovery response where the attorney's responding to that
discovery are gonna go through. Your personal Gmail account to find out,
you know, to pluck out the correspondence related to the incident. So
it's always much cleaner for a number of reasons to create a separate
and specific Gmail account for responding to the ransomware attack. Now,
another thing you definitely should do, the next thing that you
wanna do is you wanna identify your key decision makers.
Now, of course, this is something that ideally will have been done before an
incident occurs as part of an incident response plan. But essentially
your key decision makers should include somebody in your IT department
that has technical knowledge and expertise about how your systems work.
It should include somebody in the C-suite that can make decisions on
behalf of the company. And those decisions, at least at the outset, are
going to include retaining outside counsel, retaining a forensic firm.
And also somebody that can authorize financial decisions in terms of
whether to pay a ransom. And if so, how much? And so your key decision
makers obviously are gonna vary depending on the type of organization
you have and the makeup of that organization, but you definitely don't
want only IT people or only, you know, C-suite people. You do want a mix
of people, not only that have decision making authority, but also have
onsite experience and expertise about the company that can help in the
incident response process.
And the last thing that you should do as part of the five immediate steps is to reset all of your passwords.
Again, at this stage, it's probably unknown how the threat actor got in.
They may have compromised credentials to get in. They may not have,
but, you know, the fact remains generally at this stage is you don't
know. And so it's always recommended to do a password reset in the event
that the threat actor does have compromised credentials that the threat
actor cannot reenter your environment by using a compromised password.
So those are, you know, really sort of the five things that you wanna do
when you've initially identified that you are the victim of an attack.
Now, conversely, there's four things that I see happen on a regular basis,
which I wish would not be done. And the first thing is turning off your
systems, right? Now, this is a little bit different than disconnecting.
We wanna disconnect because we wanna stop the spread of the ransomware.
But we don't wanna turn off these impacted systems because that may lead
to some data loss if we try to turn systems back on. Sometimes
depending on how the encryption event occurs, if you turn off a system,
you can't turn it back on. And so that's something we wanna avoid.
The other thing that we wanna avoid, and this happens quite often is having
somebody wipe the system. And when I say wipe, they basically are going
to reformat the system and sort of get it back online. And that could
be a server, that could be a workstation or both. And I certainly
understand the desire to do this, right? As a business and if you cannot
operate without, you know, having computers, you need computers, you
need servers and so I absolutely understand the instinct to wanna wipe
the system and get back up and operational as soon as possible. But by
wiping, you have destroyed the forensic artifacts on the system or the
computer or the server that you have wiped. And so if you wipe without
first preserving a forensic artifact by making a copy of the impacted
workstation, then you've lost that forensic evidence. And without that
forensic evidence, you may not be able to answer certain questions
relating to the ransomware attack, such as how did the threat actor get
into your environment? Where did the threat actor go once in your
environment? Is there evidence from a forensic standpoint of the threat
actor actually taking documents from your environment? So if you do need
to get back up and running immediately, it's very important that you
make a copy of the impacted systems, preserve those copies and then
proceed with wiping the system.
The other thing that happens quite often, and this is again, somewhat related to the sort of
the premature wiping aspect, and that is premature hiring aspect. And
this also dovetails with the five immediate steps and that is contacting
your cyber insurance provider is you want experts that know how to
respond to a ransomware event. It's a different skillset than someone
that is savvy just on the IT side of things. This is a forensic
evaluation and investigation. And so if you go ahead and hire somebody,
you may be hiring somebody that while skilled on the IT side is
inexperienced on the forensic side. And so you're not hiring the
appropriate person for the task. Additionally, from a cost standpoint,
and this is mostly a concern if you have cyber insurance, but from a
cost standpoint, the rate that the vendor that you hire, that that
vendor charges may be higher than what your insurance covers. And so you
may be out of pocket unnecessarily by going with a vendor that's not
approved by your insurance company. So that's another concern.
The financial side is less of the concern in this instant. It's more of the
fact that you may not know the experienced person to hire. And then the
last thing that happens often is, you know, we talked about these
stages of a ransomware attack where a threat actor leaves a ransom note
and in that ransom note, invariably, there is some way to contact the
threat actor. And it's usually through a Tor browser, which is a type
of browser that basically makes it difficult to identify who that person
is from that browser standpoint. And contacting the threat actor can do
a couple of things. Number one, it may trigger a clock. So some threat
actor groups will have a clock whether it's a 72 hours, 96 hours, what
have you, where if you don't sort of pay the ransom by that time, then
maybe the ransom amount will double. Or if it's an exfiltration type of
ransomware attack, they will publish some of the information they took.
And so you don't wanna start that clock by contacting the threat actor
too soon. And again, this goes also to making sure you have the experts
in place. And the experts that handle this type of situation handle it
on a routine basis, on a regular basis. They have lots of intelligence
on these threat actor groups, they know how to communicate with these
threat actor groups, they know what to say, maybe more importantly, they
know what not to say. And so you don't want to start that threat actor
process without having the experts on board to carry out that
process. And so those are sort of, you know, at a very high level, it's
sort of the five things that you wanna make sure you do and the four
things that you want to avoid doing when you've initially been a victim
of a ransomware attack.
Now let's talk about the stages of a ransomware response. I like to group it into six stages.
The first stage is engaging the vendors. And when I say engaging the
vendors, you want to engage outside counsel and you wanna have outside
counsel engage a forensic firm on your behalf. And typically if you have
cyber insurance, you will use vendors that your cyber insurance company
has already vetted, or that are on your cyber insurance company's
panel. But it's important for not only for privileged purposes to have
outside counsel and to have outside counsel engage the forensic vendor,
but again, it's also very important just from an efficiency and
knowledge standpoint, the vendors that respond to ransomware events for
the most part, do this on a regular basis. And therefore they have
experience and expertise in the response process. And their experience
and expertise can maximize the efficiency of their response, minimize
the impact that the attack has on you as an organization. Now that's,
you know, first and foremost is you need the vendors in place.
So we go to stage two, which is containment. Now, candidly part of the
containment process is going to begin when you unplug your network from
the internet or from internet access, whether that's from a wire
standpoint or a wireless standpoint. That's gonna stop the attack, but
the next thing you wanna do is really focus on containment and that is
to make sure that you have isolated the impacted systems, you've stopped
the spread of the ransomware, and you are taking steps to make sure
that the ransomware is not spreading any further. And we'll talk a
little bit more about that in some detail. But that's really, you know,
it's fairly intuitive that if you have an attack, you wanna stop the
attack and you wanna contain it to the smallest area possible.
Now, the next thing we wanna do is we wanna focus on restoration or
remediation, and that's essentially, you know, it's gonna depend in part
on the type of the attack, but part of that is basically recovering
from the attack. And so once we've contained, we wanna focus in
recovery. And that means restoring our systems, that means taking data
that was lost from backups or from other sources and repurposing it to
replace the lost data or the encrypted data. And so that is really what
is going to be a part of the restoration and remediation stage. Now
stage three and stage four are often going to
occur in parallel.
Stage four is gonna be data collection. And that is really going to be gathering evidence, forensic evidence for the
forensic investigator. And that could vary based on the type of the
attack, but it's typically going to include the impacted servers and
workstations. And when I say impacted, I mean the ones that have been
encrypted. You may not need to have all of them examined, but you may
wanna start with the more critical ones and conduct some sort of triage
analysis. Now often what these forensic vendors can do is they can
conduct triage analysis remotely. And from that triage analysis,
identify the most important workstations to then examine more fully at a
later time.
So now, you know, here we have the appropriate people in place, we've contained the incident,
we're starting that restoration process while we are gathering the
information. And while we're gathering that information, our forensic
vendor is conducting a forensic investigation. Now in a perfect world
that forensic investigation will tell you how the threat actor got into
your environment, when the threat actor got into your environment, where
the threat actor went once in your environment, what data the threat
actor took from your environment, and when the threat actor deployed the
ransomware. So from that you'll know how long the threat actor was in
your environment. But of course, you know, we don't live in a perfect
world so you may not have all of those answers in every forensic
investigation. But that is really the goal of the forensic
investigation. And that forensic investigation is important for at least
three reasons.
Number one, if you know how the threat actor got into the environment, then you have a better chance of reducing the
likelihood of the threat actor getting into your environment again. So
for instance, if the threat actor got in because you had not patched a
certain security vulnerability now you've patched that security
vulnerability and so the threat actor is less likely to get in that same
way. And now, conversely, if the threat actor got in through a
successful phishing attempt, that may be harder to prevent a
recurrence because phishing attempts or successful phishing attempts
often depend on a human component and, as much as you train
individuals on ways to identify phishing attempts and to
not click on links when you don't know, you know, what those links are,
it happens. And so, you know, that's really why it's
important from a forensic standpoint, to know how the threat actor got
in for prevention. Now, I said there's three reasons why that's
important. So that was reason one, it's prevention.
Reason two
is in your messaging of the incident. And we're gonna talk more fully
about messaging at a later time, but messaging is gonna be important,
not only to customers, not only to employees, but often to other
organizations that you do business with. Those organizations, especially
if you are sharing access to the network those organizations are gonna
wanna know how the threat actor got in because they wanna make sure, or at
least have the confidence, that the organization that has been impacted
has taken steps to reduce that likelihood. So if you don't get from your
forensic investigation, the answer to how the threat actor got in, that
can put some pressure on your relationships with these other companies,
because they may not feel comfortable in reconnecting with your
environment or redoing business with you because they don't really know
how the threat got in and therefore they don't know that the
organization has taken steps to reduce the likelihood of that.
Now
the third reason why that forensic investigation is
important is for assessing your legal obligations. And when we talk
about legal obligations, we are primarily gonna be concerned with
identifying if there is any unauthorized access or unauthorized
acquisition or exfiltration of personal information. And so really from
the forensic investigation, what the legal side needs to know is what
information the threat actor was able to access, what information the
threat actor was able to obtain, and then the attorneys, in connection
with the impacted organization, will conduct an analysis of that
impacted information to determine if in fact the organization has to
notify any impacted individuals because of that unauthorized access or
acquisition.
So those are really the main sort of six phases of a
ransomware response. Now there's some other phases that we're gonna
talk about later on that are related to this process and they really
don't fall under an exact timeframe 'cause they're kind of overarching
and they run the course of the response process. And that's really,
we'll talk first about messaging. Messaging is gonna take place really
from the outset and it's gonna happen all the way through the assessment
of your legal notification obligations.
Now, messaging may come
in multiple forms. It may be a PR message to, you know, on your social
media or on your website about the incident. It may be messaging to
employees, it may be messaging to a local media, it may be messaging to
customers, it may be none of those things. It really is gonna depend on
the type of incident and really who your audience is. Sometimes
messaging is very important and sometimes it's more important
to not message the incident. And that's another area where legal counsel
can really be helpful in that process.
Stage seven is sort of
reporting to law enforcement. And again, I've marked it here as stage
seven but it can really happen at
any time. There is a benefit to reporting to law enforcement. There's an
optic benefit where if you are in fact notifying individuals that a
breach has in fact occurred in that notification, if you are able to
tell those individuals that yes, the FBI or law enforcement is involved,
that provides a level of comfort to some individuals and better
appreciation from individuals that yes, the organization is in fact a
victim here too. So I tend to recommend reporting to the FBI in a
situation where we are gonna have to notify individuals. There's a
couple of other reasons why notifying the FBI is important. If we're
talking about insurance reasons and paying a ransom, sometimes the
insurance companies will require as a condition of agreeing to fund the
ransom amount that the impacted organization report the payment to law
enforcement. And then the third reason would be, there's something
called OFAC, which is essentially the organization that wants to make
sure that nobody's making payments to known terrorist groups. And
there's always the concern when you are paying a threat actor is you
don't necessarily know where they're from or who they are. And although you
do conduct what's called an OFAC check, which is before paying the
threat actor, you run a report that basically confirms that the threat
actor's name and the threat actor's Bitcoin wallet is not on the
prohibited OFAC list. Nonetheless, if in fact, you end up making a
payment to somebody that's on that list, if you did report the payment
to the FBI, that helps reduce your likelihood of being fined by OFAC.
And so that is another more practical reason for notifying law
enforcement.
And then stage eight and nine are often related and
a lot of that will depend on the type of incident, but notification is
obviously gonna be the outcome of stage six, assessing your legal
obligations. You may have to notify, you may not have to notify. You may
have to notify some but not all. You may elect to notify, even though
you don't have a legal obligation to. You may elect to do some sort of a
goodwill or non-legal type of notification. All of that will really
depend on the incident and what evidence you have of the information
that was taken and the type of information that was taken and the type of
industry you're in and the potential impact that that taken information
could have on individuals. And then sort of related to the notification
of course, is dealing with third parties. And again, you know, these
stages, really, you know, the messaging, reporting to law
enforcement and dealing with third parties, they do sort of cover the
entire response process and dealing with third parties can again, come
into play when we're talking about messaging at the outset could also
come into play with notification. Sometimes an organization that's
impacted discovers that information that they house belonging to third
parties has been exfiltrated. And therefore you have to coordinate with
those third parties on notification, which entity, the data owner or
the data licensee, is gonna be responsible for notification. And so
that's where dealing with third parties comes into play as well. But as a
whole, you can see that this entire process, while there are sort of
articulated stages and steps to the response process, there is a lot of
variance within these steps, and the variance is due in
pertinent part to the type of incident that occurs and the potential
impact that the incident could have on your organization and employees
and customers and vendors of that organization. So let me talk a little
bit more about each of these steps.
So, you know, stage one is
engaging vendors. And the first thing that we wanna do when we're
engaging vendors is make sure that we have people to help the
organizations that are familiar with the process. And that are familiar
with the threat actors. And that's, you know, usually the forensic firm
is gonna be the one that's familiar with the threat actors. And this
comes in handy quite often. I've been on many cases where, you know, I
thought, okay, we can, you know, let's say we had an initial ransom
demand of, let's say a million dollars and we've been able to negotiate
and we're down to $300,000. And the desire is hey, let's make that
$300,000 payment. It's important the organization needs the decrypter
key, we wanna get back up and running. 300,000 is, you know, that's a
good discount. Let's go ahead and make the payment. And I've had
situations where if you're working with very skilled threat actor
negotiators they can say, you know what? I know how this threat actor
group operates from past experience. I know that we can get this at down
to 150, let's say, and I know exactly what to say to get it there and
sure enough, they do it and they get the demand down even further. And
so that's another great resource to have at your disposal is experienced
threat actor negotiators. And really, you know, I think the most common notion of
why you should engage a vendor is privileged purposes. And essentially
the thought process there is if an attorney is engaged guiding the
organization through the response process, the communications with the
attorney of course are privileged but then if the attorney in turn
engages the forensic firm on behalf of the organization, then the
forensic findings and determinations, legal determinations based on
those forensic findings are also privileged.
Now I know there is
some case law there that has held that forensic reports are not
privileged in certain contexts. Obviously we're not gonna go delve deep
into a privileged discussion for purposes of this presentation. But it's
important to note that, you know, engaging outside counsel, the sole
reason for engaging outside counsel should not be to preserve privilege.
Not only because there can be questions of whether privilege exists
in certain situations under that scenario, but also that's not gaining
the full value of having outside counsel involved. They are very skilled
and experienced in the process and can really add a lot of value to the
process.
So let's talk a little bit more now about containment.
We've talked a little bit about it and really, you know, the goal of
containment is to stop the spread of the attack. And how are we gonna do
this?
Well, first thing is we are going to unplug and we are
going to then identify and isolate threats, right? We wanna make sure that
we are not having continued evidence of unauthorized access into our
environment. And really the traditional way that this is done is that
the forensic firm deploys an EDR tool. And an EDR tool is essentially an
endpoint detection and response tool. And what an EDR tool does is it is able
to identify unauthorized activity. That unauthorized activity could be
in the form of some malware in your environment, but it can also be in the
form of atypical behavior. So for instance, let's assume that somebody
is trying to log in from Eastern Europe and you shouldn't have anybody
logging in from Eastern Europe. And so the endpoint detection and
response tool will flag that a login from Eastern Europe is suspicious,
and that will alert whoever's watching that endpoint detection and
response monitoring process to then decide, okay, let's go ahead and
let's stop the attempt to enter into our system based on this location.
And so it's obviously a very simplified example of how an endpoint
detection and response tool operates, but essentially the goal is to not
have any more alerts from the EDR tool. And that's sort of when you
have a good understanding of when containment is reached. Now I'm
oversimplifying the process here for purposes of this discussion, but
there's more, a little bit more to containment, but that's generally a
good indicator that the incident has been contained.
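The location-based EDR rule just sketched, written out as an added example (not code from the presentation or from any EDR product): it runs over a few constructed login-log lines, geolocates each source address with a constructed IP-to-country table standing in for a real GeoIP database, and raises an alert for any attempt from outside the expected locations.

```python
"""Location-based login anomaly check: an added illustration of the EDR
behaviour described above. Not code from the presentation; the log format
and the IP-to-country table are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a GeoIP database (a real deployment would query
# one). The prefixes are IETF documentation ranges, not real geolocations;
# 192.0.2.0/24 is simply labelled as a foreign source for the example.
GEOIP_PREFIXES: Dict[str, str] = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "RO",
}

# RFC 1918 ranges are treated as on-premises traffic rather than geolocated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Locations from which logins are expected (assumption for this example).
ALLOWED_LOCATIONS = {"US", "INTERNAL"}

# Constructed log line format:
# "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<ip>\S+)\s+result=(?P<result>\S+)$"
)


@dataclass
class LoginEvent:
    timestamp: str
    user: str
    src_ip: str
    success: bool
    location: Optional[str]  # country code, "INTERNAL", or None if unknown


def geolocate(ip: str) -> Optional[str]:
    """Map a source address to a location label using the constructed table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if any(addr in net for net in RFC1918):
        return "INTERNAL"
    for prefix, country in GEOIP_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LoginEvent(
        timestamp=m["ts"], user=m["user"], src_ip=m["ip"],
        success=(m["result"] == "success"), location=geolocate(m["ip"]),
    )


def find_suspicious_logins(lines: List[str], allowed=ALLOWED_LOCATIONS) -> List[dict]:
    """Return an alert for every login attempt (successful or not) whose source
    location is unknown or outside the allowed set. Failed attempts are kept
    because a burst of them from an unexpected location is itself a signal."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skipped here, but worth counting in practice
        if ev.location is None:
            reason = "source location unknown"
        elif ev.location not in allowed:
            reason = f"login from disallowed location {ev.location}"
        else:
            continue
        alerts.append({
            "timestamp": ev.timestamp, "user": ev.user, "src_ip": ev.src_ip,
            "location": ev.location, "success": ev.success, "reason": reason,
        })
    return alerts


def containment_reached(lines: List[str]) -> bool:
    """The presenter's rough test: containment is reached when the rule stops
    firing over the most recent window of log lines."""
    return not find_suspicious_logins(lines)


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2024-05-02T03:14:07Z user=jdoe src=203.0.113.8 result=success",
    "2024-05-02T03:15:22Z user=jdoe src=192.0.2.45 result=failure",
    "2024-05-02T03:16:01Z user=jdoe src=192.0.2.45 result=success",
    "2024-05-02T04:02:13Z user=asmith src=198.51.100.23 result=success",
    "2024-05-02T04:05:40Z user=svc-backup src=10.0.0.5 result=success",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
    print("contained:", containment_reached(SAMPLE_LOG))
```

The successful login from the foreign range is the one a responder would act on first, but the preceding failed attempt from the same address is what an analyst watching the console would already have noticed.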
So when we
go to stage three or step three, we're talking about restoration and
remediation. And really what we wanna do is ask a number of
questions as we're going through that process, right? We wanna know the
scope, right? How many servers and workstations have been encrypted? From
those encrypted servers and workstations, do we have data stored on
them? If so, what kind of data is it? Is it company sensitive data? Is
it HR data? Is it accounting data? Is it data that frankly we could do
without or is it data that's very critical that we need? If it's
critical data, well, can we obtain that data from another source?
Do we have backups offsite that we can use, or are we able to
recreate the encrypted data from other systems that have not been
encrypted? And then has any of the data been stolen? And what are the
contents of the data that have been stolen? These are all the things
that you have to ask yourself as you are going through your remediation
and restoration plan, because whether you are going to obtain a
decrypter key from the threat actor, whether you're going to pay the
threat actor to return or destroy stolen data, a lot of those decision
points are going to depend on answers to these types of questions.
So
these are questions that are very important to consider in that
process. Now, as we continue to talk about restoration or remediation
you know, let's say we decide that we need a decrypter key. What do we
do? Well, we're gonna have to reach out to the threat actor. And so, you
know, the threat actor, we reach out to the threat actor through the
ransomware note. And we're gonna talk more about this process, but one
of the concerns that always comes up when we reach out to the threat
actor for a decrypter key is, well, how do we know, what guarantee do we
have that the threat actor is going to, in fact, provide the key? And
often a client will say, well, can we have them give us the key and then
if the key works, we will go ahead and pay them. And unfortunately we
can't do that because the threat actor has all of the leverage and the
threat actor is not going to give us the key without any sort of payment
upfront.
But one thing that we always do in this process is we
provide the threat actor with a handful of files that have been
encrypted that are, you know, innocuous files that don't have any, you
know, personal information on them that don't have any company sensitive
information on them and we provide them to the threat actor and ask the
threat actor to unencrypt those five files or so and that gives us some
level of confidence that yes, the threat actor in fact, does have the
decrypter key and that the decrypter key does in fact work successfully.
The other point I wanna talk about here, and we'll talk about this more
in part two is, in terms of the threat actor following through on its
delivery of the decrypter key, it's always important again to remember
the threat actor in terms of the threat actor's motivation. And that
motivation is money.
Remember ransomware at bottom is a means to
extort money from an organization. And so if the threat actor operates
in a manner where they are obtaining money in exchange for a key, but
not delivering that key, the likelihood of the next victim paying is
reduced. And therefore the threat actor's motivation, prime motivation,
which is to obtain money is also reduced. And so it's important to not
think of the threat actor in terms of being honorable and, you know,
following through on his or her promises. It's really, again, selfish
from the threat actor that the threat actor is going to provide the key
because what does the threat actor want? The threat actor wants money.
Not only for this attack, but for subsequent attacks. And so that's a
very important point to remember. We'll talk more about that in part
two. So, you know, at the beginning of this process, we talked about
sort of the classic ransomware pattern, and that's where your
environment is encrypted and you need to reach out to the threat actor
to obtain a decrypter key and you pay a ransom in exchange for that
key. And then we also talked about the other type of ransomware, which
is the extortion type of ransomware. And that is again, a situation
where not only has a threat actor, well, not always, but mostly a
situation where the threat actor has encrypted your data, but a threat
actor has also taken sensitive data from your environment. And so it's
very important when you are talking about this extortion portion of the
ransomware process that there are a couple of things you need to keep in mind.
One
is, do you in fact have proof that the threat actor has taken data?
Sometimes in the ransom note the threat actor will say, we have taken,
you know, 300 gigabytes of your data when in fact they haven't taken any
data. Or when in fact they've only taken a subset of that data. So
there's lots of posturing by threat actors in these types of situations.
So you do wanna obtain proof that the threat actor has in fact taken
data. Now, sometimes you can get that proof through the forensic
investigation, but you can also get that proof by communicating directly
with the threat actor. And one of the things you do is you ask the
threat actor to provide samples of a handful of files.
Now,
sometimes the threat actor will, as proof when you reach out to the
threat actor, as proof of the fact that they took the files, they will
provide you with file trees. The file trees themselves are not proof that
they in fact took data from your environment. It's just proof that they
have a file tree of the data on your environment. But what you can do
and what we typically do in those types of situations is we pick a
handful of files at random, right? That sort of convey or traverse a large
scope of the network, right? Cross multiple servers and workstations,
things of that nature. We don't wanna tip our hand to the threat actor
and focus on one server because the threat actor will then get the
impression that that server is critical and that may change the price of
the ransom. But we also wanna make sure we understand the scope of the
exfiltration and so that's another reason why we don't wanna pinpoint,
you know, one server necessarily, but we pick a handful of files
scattered across the environment and ask the threat actor to provide proof
of those files.
And then you have to make an assumption, but a
reasonable one that if the threat actor can provide samples of, you
know, five files across the environment, five random files across the
environment, then yeah, the odds are that the threat actor does in fact
have these documents. And so once you have established the threat actor
has documents, you wanna take an internal evaluation to determine, okay,
are these documents valuable to us from an organization standpoint? If
these documents are sort of in the wrong hands on the dark web, is this
gonna cause harm to our organization? What type of harm? Is it gonna be
critical company sensitive information that if it's out there, it's
gonna put us at a competitive disadvantage? Is it going to reveal
certain information that we rely on as a trade secret in our
operations? Is it, you know, gonna be basically catastrophic for the company?
Or is it gonna be, you know, sometimes it could be information that
while it has personal information and it may have social security
numbers or bank account information of employees, is that information
that you want out there on the dark web? Of course not. But are you
willing to pay a ransom to prevent that information from being out
there? And that will obviously vary on the situation, the type of
information. Now, sometimes there is an optic value in just paying the
threat actor to delete the data. And when I say delete the data, you
know, the threat actors will, the proof of deletion will vary. Sometimes
a threat actor will say, yes, we deleted the data.
Sometimes a
threat actor will provide you with a deletion log. Sometimes the
threat actor will provide you a video showing the threat actor deleting the
data from his or her side. Of course, nothing, none of those situations
creates an environment where the threat actor could not have already
made a copy of the information. So there is of course, no guarantee that
the data has been deleted, but there's often an optic value in making
that payment because when we're talking about notification letters and
notification materials, also making a statement that you have taken
steps to ensure that the data that was taken has not been disseminated
has some optic value as well. It may even have more value if you're
talking about information belonging to customers. Customers can be
very sensitive about the type of information of theirs that's out there
and exposed, and that may have some great business value for you. And so
there may be a business reason for making that type of payment. Now,
when we're talking about data collection, you know, it's often forgotten
to have extra data capacity on hand before an
incident occurs, right? Have extra hard drives. And the reason why I say
that is a couple of reasons.
One, we talked about wiping at the
beginning, but making a copy of the impacted data before wiping,
sometimes people will just make the decision, well, I don't have time to
go to a store and get drives. I'm just gonna go ahead and wipe it. So
if you have the drives there, that makes that decision a little bit
easier, but also when we're talking about just speed of the response
process, you know, in a situation where you don't have
extra drives on hand, you're gonna have to go purchase them,
or you're gonna have to wait for the forensic firm to provide that to
you via mail. And so that can slow down the response process. Not, you
know, super critical. It's sort of a small hurdle that's easy enough
to overcome, but it's something that you should consider that often
goes overlooked in that response process.
Now we're gonna go to stage
five as the forensic investigation. We talked a little bit about this
earlier, but really we want the
forensic investigation to determine sort of the who, what, when, where,
why, how. Who got in, how they got in, when they got in, what did they
do once they were in, what did they take once they were in, if anything,
and what steps can we take ultimately, to reduce the likelihood of them
getting back in to our environment. And that's really what the focus of
the forensic investigation is.
Now, of course, there's optic
value with the forensic investigation also, because again, if you are
notifying, whether it's, when I say notifying, whether we're doing it
from a legal standpoint with a consumer notification letter, we're doing
it more casually messaging to employees, or whether we are doing it
with, you know, let's say we have a very important client or customer
whose data we store, often, those clients are gonna want to know (a) that
a forensic investigation was done, but (b) they're gonna wanna know the
result of that investigation. And so having a good forensic
investigation done by a third party that's recognized in the field has a
lot of value because it gives a lot of comfort to the customers, third
parties that have been impacted by the incident to know that the
impacted organization that has been, you know, the victim of the
ransomware attack has in fact taken the appropriate steps in response to
this type of attack.
Now, while every forensic investigation
tries to answer those main questions, there are often situations where
we don't have the answers to all those questions. Sometimes it's a
situation of logging where the logs on our systems only go back a
certain number of days, you know, for instance, firewall
logs usually only go back a very short amount of time. And if you
don't have procedures in place where those logs are retained, or
sometimes you don't even have logging enabled, a situation can arise
where a threat actor got in and the logs don't go far back enough for
you to determine at what time the threat actor got in. And if you don't
know when the threat actor got in, typically you don't know how the threat
actor got in. And so having your logs enabled is very important in this
process.
But also there are times again, now, maybe you've
already gone ahead and wiped the information before you had the forensic
investigation conducted, so you've lost certain information, that's
another way where you could lose valuable forensic evidence, but
sometimes these threat actors conduct what I call anti-forensic
activity, where they will go ahead and make certain deletions of logs
and other forensic artifacts that impedes the forensic firm's ability to
answer all of those questions. Now we wanna, again, you know, while
from a legal standpoint, it's very important to know what the threat
actor accessed or acquired. That is not the only thing that we wanna
focus on in a forensic investigation.
Focusing on, you know, how
the threat actor got in is critical because that will help reduce the
likelihood of that happening again through the same channel but it's
also very important information that third parties always wanna know,
if there are third parties that have been impacted by the
investigation. When I'm assisting clients who as part of the attack have
third parties that are impacted, those parties bring their, you know,
security experts and their counsel on and the first question is,
invariably, well, how did they get in? And if you say, well, we don't
know, they're gonna say, well, how do we know that this won't happen
again? And of course you never know that this won't happen again,
because you cannot prevent 100% any sort of incident. What you can
do, of course, is put procedures in place that reduce the likelihood but
the answer to that question is always we can't regardless. But that's
always something that the third parties tend to focus on. And so that's
an area of important information to try to figure out. Now, you know,
once the forensic investigation is complete we can really focus on our
legal obligations. And, you know, we've talked a little bit already
about, you know, how important the forensic investigation is in terms of
notification, excuse me, in terms of messaging, in terms of being able
to answer to those third parties and to your employees, how they got in,
how the threat actor got in, what the threat actor did, once they were
in there, did they take any information?
If so, what?
Those are all very important for messaging purposes. Those are of course
very important for legal purposes as well because your legal
obligations, if any, are going to depend on if personal information was
acquired or accessed by the threat actor as a result of the incident.
And so, you know, we've talked about part one, which is really sort of
identifying at first what ransomware is, and then talking about how to
respond to a ransomware attack. And I think, you know, it's very
important to remember what the goal of this process is. And I know often
people will think of, okay, well, I just need to know if I have legal
obligations as a result. But really there should be two focuses. The
first should be on the business. And when I say the business, it really
depends on getting the business back operational. It depends on
maintaining or reducing any damaged goodwill or reputation to the
business and that really happens based on the type of messaging you do,
the type of forensic investigation you do, the thoroughness of it, the
answers that you can provide and how you sort of just handle that
process from a business standpoint.
And then of course, there's
the legal side of things where you have to assess if you, in fact, do
have legal notification obligations, if you do have regulatory
obligations, but really the focus of the investigation should always be
on making sure that you're minimizing the impact on the business and on
the business's customer relationships. And really the best way to do
that is to engage experienced vendors both from a legal counsel
standpoint, as well as from a forensic investigation standpoint and
threat actor or ransom negotiator standpoint. Because without those
experts in place, the likelihood of you being able to minimize the
impact is going to be reduced.
So that's really what we wanted
to focus on here on part one. Now, in part two, we're gonna talk in much
more detail about messaging and how critical messaging is in the
ransomware response. So I hope you will join me for part two.
Ransomware Part I—How to Prevent an Attack