What are the Legal Implications from a Ransomware Attack?

Picture the scene: you are the chief counsel at a large, multinational corporation, and as you attempt to log on to your system on Monday morning, you notice that your email box isn’t updating, and you can’t log on to your computer using the company VPN. You then discover that others in the organization are having similar issues.

Soon after, you receive a frantic call from the company CSO, who explains that the organization has been hit by ransomware and the attackers have sent a ransom note demanding a huge payment within three days. If payment is not received, all of the organization's private data will be published online and made accessible to anyone.

Ransomware attacks are targeting every industry globally, including highly regulated industries such as government and healthcare. Since the onset of the COVID-19 pandemic, the number of ransomware attacks has drastically increased. Security Magazine reports a 72 percent increase in the number of ransomware attacks since the beginning of the pandemic. Evidence suggests that having employees working remotely significantly increases the risk of a successful ransomware attack.

Incidents like this have been occurring on an unprecedented scale, and once a company has been the victim of a successful ransomware attack, the technical and legal considerations are significant. An organization that is no longer operational because of ransomware must ask itself:

How Should Organizations Respond?

The first thing to consider is bringing in an incident response team, either after the event or, preferably, on retainer before an attack, to guide you through the remediation process. Having this team available matters whether or not you have already been the victim of a security incident, ransomware or otherwise, and it should include individuals with specialized backgrounds in cyber incident response and investigation.

If you have a cyber insurance policy, you should check your coverage requirements and whether you have access to a panel of response companies and/or legal counsel that you may be required to call on in the event of a data breach.

Should Organizations Pay the Ransom?

There are a variety of factors and risks which must be considered when deciding whether to pay a ransom, and organizations will need to establish some level of attribution to determine if the threat actor is subject to sanctions levied against specific nations. 

The company should also determine whether payment of the ransom is permitted under applicable laws; otherwise it could find itself facing another major incident if it unwittingly violates international sanctions by making a ransom payment.

It is currently not illegal to pay ransomware demands, but there is a huge gray area when it comes to determining whether a demand should be paid or not. Facilitating ransomware payments to sanctioned entities may be illegal according to the US Treasury, and similarly in the EU cyber criminal groups may have financial sanctions placed on them. The UK Terrorism Act 2000 also makes it illegal to pay a ransomware demand where there is a suspicion that it is linked to terrorism.

In many cases, paying a ransomware demand is simply not worth it. Organizations may still be infected with ransomware, which adds further costs to remove any malware before another attack happens. Cybereason recently published the results of our second annual ransomware study to better understand the true impact on businesses.

The report, titled Ransomware: The True Cost to Business Study 2022, tapped the experiences of more than 1,400 global cybersecurity professionals and revealed that 73 percent of organizations suffered at least one ransomware attack in 2022, compared with just 55 percent in the 2021 study. 

The study also once again finds that 'it doesn't pay-to-pay' a ransom demand: 80 percent of organizations that paid were hit by ransomware a second time, 68 percent said the second attack came less than a month later and threat actors demanded a higher ransom amount, and nearly 70 percent of companies paid a higher ransom demand the second time.

When Do Organizations Pay a Ransom?

In order to determine if a ransom should be paid, organizations need to assess the severity of a threat and whether they can restore infected or lost data from backups, together with the overall financial impact of the loss of business per day. 

Other risk factors to organizations include possible ineffectiveness of the ransom payment, as paying a ransom will not guarantee that systems can be unlocked successfully. Previous ransomware attacks show that some threat actors don’t provide decryption code following receipt of payment, or the decryption code simply does not work. 

In the Cybereason study for instance, of the organizations who reported having paid a ransom demand after a successful attack, only 42 percent indicated the effort resulted in restoration of all services and data, while 54 percent said some were returned to normal but some issues persisted, or some data was corrupted after decryption.

There is also the loss-of-life scenario for critical infrastructure organizations such as healthcare and utilities, which need to weigh potential sanctions in applicable jurisdictions against the possibility that any delay in restoring systems could result in injury or death.

Does a Ransomware Attack Mean Your Network was Breached?

Organizations infected with ransomware also face a high probability that the attackers infiltrated their networks and exfiltrated sensitive proprietary or customer data, so further legal analysis should be conducted to assess the risk to the organization accordingly.

Many ransomware threat actor groups engage in the tactic of double extortion, where exfiltrated data is used as further leverage to compel organizations to make the ransom payment or face the possibility that the data will be made public, a scenario where having data backups does little to keep the organization out of jeopardy. In situations like this, it is important to establish if a data breach has occurred as part of the ransomware attack and take the necessary steps accordingly.

Should Organizations Notify Law Enforcement?

The decision on whether to involve any relevant law enforcement bodies should take into account factors such as the applicable legal requirements regarding regulatory notice, the benefits in contacting law enforcement and any contractual requirements. 

Will your law enforcement contact and any information shared with them become public? They may want to act quickly to publicly share any decryption keys at their disposal, or they may simply note that an organization has been victimized and ask that you share information regarding the breach such as any key indicators of compromise.

Defending Against Ransomware

From a commercial perspective, business continuity issues as a result of a ransomware attack may cause an organization to be in breach of service agreements or delay fulfillment of other contractual obligations, so it is imperative to be as prepared as possible for a ransomware attack and have a strategy in place for how to deal with it. 

Waiting until an attack has occurred to assess your strategy and response is too late; organizations should have an incident response plan in place that contemplates a potential ransomware attack before one actually happens. It is best to be as prepared as possible and stay one step ahead of cyber criminals.

In preparing to defend against a ransomware attack, many organizations turn to data backups for post-attack remediation, but as discussed above, that only goes so far. While it is still a smart choice to back up systems and data, it does not solve the problem of double extortion.

An effective ransomware prevention plan includes actions like:

  • Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
  • Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs and custom malware.
  • Deploying Endpoint and Extended Detection and Response (EDR and XDR): Solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs or the ransomware payload can be delivered.
  • Assuring Key Players Can Be Reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
  • Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
  • Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, and similar containment steps.
  • Evaluating Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
  • Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the domain admin level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in Active Directory that are used only when other operational accounts are temporarily disabled as a precaution or are inaccessible during a ransomware attack. For more information on weekend and holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don't Take Holidays.

Ultimately, a multi-layered defense approach should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.