Donna Wacker, Partner, and William Wong, Consultant, Clifford Chance, examine the increased risk of ransomware attacks, and provide guidance on preventing and preparing for such an attack, as well as how to mitigate any damage.
Ransomware attacks have drastically increased and become more sophisticated in the wake of the Covid-19 pandemic. Even before this uptick, cybersecurity professionals had predicted global damages from ransomware to reach US$20 billion in 2021, over 50 times higher than the cost in 2015. In a survey conducted in early 2020 of 5,000 IT managers employed by a range of organisations across 26 countries, over half reported being the target of a ransomware attack – and 75% reported that attackers were successfully able to infect their systems.
In addition to costing companies millions of dollars, ransomware attacks have also become a significant source of regulatory and reputational risk. As privacy and data security issues increasingly penetrate the global zeitgeist, reports of ransomware attacks have become regular fixtures in international news publications across the globe.
This article aims to help companies understand and address the risk of a ransomware attack. It provides guidance on how to prevent and prepare for ransomware attacks, what to do if and when a company is the victim of such an attack, and outlines important legal considerations for companies with operations in Hong Kong.
Anatomy of an attack
A ransomware attack combines malicious software (malware) with extortion. Attackers infect devices or systems with malware to block access, demanding payment to restore access and sometimes to avoid dissemination of exfiltrated data.
Stage 1: infection
A ransomware attack begins with malware. Attackers exploit vulnerabilities in order to gain access to a device or system. This can be accomplished in a number of different ways. In some cases, attackers can crack weak security defences and gain direct access to devices or systems, remotely installing malware. Other attackers may exploit system software vulnerabilities to find back doors into a targeted system.
One means of attack that has become increasingly popular among ransomware groups is spear phishing. Spear phishing involves targeting key employees – such as IT staff – and using social engineering tactics to acquire credentials or access. For example, attackers may send a targeted email purporting to be a family member, attaching a picture file with malicious code. Or they may masquerade as a senior executive needing to ‘reset’ their password due to a security incident. In these instances, attackers will often study their targets in advance to increase the chance of success.
Stage 2: attack
Once malware has been installed, the actual ransomware attack proceeds. Sometimes malware will stay dormant for a period to avoid detection. Eventually, however, the malware goes to work, crippling the system. In addition, ransomware perpetrators have increasingly begun to exfiltrate data prior to issuing an extortion demand and then seek payment as a condition for returning (and not further disseminating) that data.
Stage 3: extortion
Once the device or system becomes fully disrupted, the attackers will make their demands. Most of the time this will be a demand for payment. Typically, these demands seek payment in untraceable cryptocurrency (such as Bitcoin).
Stage 4: spread
Ransomware attackers have become increasingly organised, forming ‘groups’ and conducting repeated attacks over a sustained period of time. Accordingly, ransomware attackers will often look to leverage successful attacks to identify new victims – or continue exploiting existing victims. For example, malware can be designed to lie dormant before it is activated again months or years later. Attackers can also use their access into one company to attack clients or service providers of that first victim.
Prevention and preparation
The best way to defend against ransomware is to prevent the attack in the first place and to be prepared to respond if an attack does occur.
Strong cybersecurity measures
Most companies are required by law to have reasonable cybersecurity measures in place to protect personal information. Such measures should help prevent ransomware infections. These measures include:
- network security (for example, firewalls, antivirus software and network traffic monitoring) to prevent and identify intrusions and suspicious activity
- software patch management to eliminate software vulnerabilities
- remote access security measures (for example, virtual private networks (VPNs) or multifactor authentication) to ensure secure work-from-home capability, and
- segmented networks to limit the spread of malware.
Training
Training is critical to preventing attacks. As discussed in the ‘Anatomy of an attack’ section above, one of the most common means of introducing malware into a system is through spear phishing. As attackers become more sophisticated, it is more important than ever for companies to train all staff – and in particular key employees such as IT, finance and human resources personnel – to identify potential attacks. This includes ‘testing’ employees by sending simulated spear phishing emails and training employees on the measures they should take if they suspect an attack, such as immediately reporting the incident and isolating and segmenting devices suspected to be infected.
Backup and disaster recovery
All companies should have an established backup and disaster recovery policy. Where complete system backups are not feasible, backups should be maintained for business-critical data and processes. Backups should be segmented from primary systems to prevent any malware from spreading to such backups.
Incident response plans
In addition to disaster recovery, companies should have in place robust incident response plans. The specific elements that should be part of such plans are discussed below, but it is important to understand that such policies and procedures must be well established before an incident occurs. Relevant personnel should be trained on the incident response plan and disaster recovery procedures. Tabletop exercises will help ensure that procedures are effective and efficient, so that staff will be prepared in the event of an actual incident.
Responding to an attack
Ransomware attacks can happen to even the most well-protected company, so companies must be prepared to quickly mitigate and remedy any damage.
Immediate response
A robust incident response plan will help companies prioritise key actions they will need to take immediately after discovering a ransomware attack. These include:
- establishing an internal steering group to oversee incident response
- segregating and isolating the malware infection to limit its spread
- developing an external communication strategy to control information flow
- establishing internal communication protocols to ensure staff are informed
- implementing backup and disaster recovery plans to permit business to continue (if appropriate and safe to do so)
- engaging key external advisers, including legal and forensic advisers
- taking care to maximise legal privilege protection over internal communications and (where possible) the work of forensic teams
- determining regulatory reporting obligations and timelines, and
- examining contractual notification obligations to key counterparties.
Many of these elements can be prepared in advance (for example, template press releases or approved preselected vendors).
Payment
One of the obvious immediate issues that victims of a ransomware attack must consider is whether to pay the ransom. There is no ‘correct’ answer to this question, but companies should consider:
- whether there are alternatives to payment (such as backups)
- legal ramifications of payment (see the ‘Legal considerations in Hong Kong’ section below regarding sanctions risk), and
- the company’s specific reputational concerns.
Notably, research has found that the average cost to a victim of a ransomware attack almost doubles when the ransom is paid. And while most companies that pay are able to recover their data, payment of a ransom does not excuse regulatory notification obligations, nor does it guarantee that exfiltrated data will not be further disseminated.
Investigation and remediation
While some of the most critical work in responding to a ransomware attack will occur in the days immediately following the incident, much of the work will continue for weeks and months following the attack in the investigation and remediation phase. Key considerations for this process include:
- analysing exfiltrated data (if any) to determine notification obligations
- addressing customer concerns (for example, by providing identity monitoring services)
- eliminating the vulnerability (for example, by enhancing security systems, conducting training and so on), and
- responding to regulator enquiries.
In addition, once the incident has been fully remediated, the company should review its incident response policies and procedures, and address any deficiencies it observed when applying those procedures in practice.
Legal considerations in Hong Kong
There is currently no law in Hong Kong prohibiting the payment of ransoms. While such payment could potentially be caught under Section 25 of the Organized and Serious Crimes Ordinance (Cap 455) (since the victim will have reasonable grounds to believe, or even know, that the ransom payment represents the attacker’s proceeds of an indictable offence), Section 25A provides a defence if the victim notifies an ‘authorised officer’ (for example, the Hong Kong police) of the payment in advance and obtains consent, or if the victim notifies an authorised officer as soon as it is reasonable to do so after making the payment. In addition, victims should be mindful of the offences under the United Nations Sanctions Ordinance (Cap 537) and the Weapons of Mass Destruction (Control of Provision of Services) Ordinance (Cap 526), in the unlikely event that a victim suspects or knows that the attacker is a sanctioned person, or is related to any act of production of weapons of mass destruction.
Although there is no cross-sector cybersecurity legislation in Hong Kong, industry-specific notification requirements may be relevant – for example, regulated financial institutions are expected to notify their regulators (the Securities and Futures Commission, the Hong Kong Monetary Authority or the Insurance Authority) in the event of a major cyber incident. To the extent that personal data of customers is compromised, the Privacy Commissioner for Personal Data in Hong Kong also encourages companies to self-report and to notify the affected customers.
Donna Wacker, Partner, and William Wong, Consultant
Clifford Chance
Copyright © December 2020 Clifford Chance
This article was adapted from a briefing with a global perspective spearheaded by Daniel Silver and Megan Gordon, Partners of Clifford Chance US, entitled ‘Ransomware: Prevention & Response’, which can be found on the Clifford Chance website: www.cliffordchance.com.