Ransomware? Don’t Pay It, Says FBI

October.07.2016

What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.

FBI Public Service Announcement

In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.

Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”

The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more.

How and What to Report

What is most helpful to law enforcement is attacker tools, signatures, and profile identity information. The announcement lays out categories of information that companies should consider providing to local FBI contacts or through the Internet Crime Complaint Center (IC3) portal, an automated reporting system that companies can leverage to report an attack easily and quickly:

Date of Infection
Ransomware variant (identified on the ransom page or by the encrypted file extension)
Victim company information (industry type, business size, etc.)
How the infection occurred (link in e-mail, browsing the Internet, etc.)
Requested ransom amount
Actor’s Bitcoin wallet address (may be listed on the ransom page)
Ransom amount paid (if any)
Overall losses associated with a ransomware infection (including the ransom amount)
Victim impact statement

Don't Pay Ransom Demands

“The FBI does not support paying ransom demands.” According to the FBI, some companies never get a decryption key, even after payment. And, every payment “emboldens the adversary to target other victims for profit,” incentivizing similar conduct by other criminals seeking financial gain.

That said, the FBI acknowledges that executives must act to protect shareholders, employees and customers where ransomware seriously threatens core operations and services. To assist companies in this regard, the announcement lays out a number of proactive risk mitigation measures.

Key Takeaways

Regulators are pressing companies to proactively address ransomware. For example, the Department of Health and Human Services recently stated that ransomware attacks can constitute notifiable breaches under the HIPAA/HiTech regime. The head of the Federal Trade Commission has recently warned that a failure to patch vulnerabilities known to be exploited by ransomware may violate Section 5 of the FTC Act. Given this regulatory climate, companies who fail to engage with law enforcement may be scrutinized. Indeed, an FTC Assistant Director explained in a blog post last year that the agency will look at whether the company “cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion,” and that a cooperating company will be viewed “more favorably than a company that hasn’t cooperated.” Companies should pay particular attention to the recommendations made by the FBI, and should anticipate that regulators will consider whether, and to what extent, companies have followed the FBI’s recommendations in their own enforcement investigations/proceedings.
Will you pay, and under what circumstances? The decision to pay a ransom demand depends heavily on the circumstances. Companies should carefully consider who within the incident response team, as well as among the executive and business teams, will be involved in making this decision. The availability of database back-ups and the operational impact of unavailability should be understood today, so that decisions can be made quickly and efficiently, with risk mitigation in mind. And bear in mind that executives have a fiduciary duty of care to the company, and must consider how they fulfill those obligations to keep the company operational while preserving its assets.
Companies should decide how they will engage with law enforcement now, establishing thresholds that will dictate when to reach out, who will reach out, what information will be shared and in what format. There are many reasons – more than those cited by the FBI – why a company may be reluctant to reach out to law enforcement: cooperation increases the risk that a breach becomes public, that privilege or work product protections over certain information may be lost, that reporting may incite retribution by the attackers, or that the scope of law enforcement’s investigation may expand beyond the breach. Executive leadership should be prepped on the protocols for law enforcement engagement. Pre-approved sign off processes and authority should be identified now, so that companies can move quickly at the onset of an incident.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.