Ransomware: Avoidance and Response

By Charles S. Morgan, Ellen Yifan Chen and Jonathan Jacob Adessky, of McCarthy Tétrault

Ransomware is on the rise. A 2020 report by IBM shows how common these attacks have become, identifying ransomware as by far the most common form of cyber attack in the world. It is also one of the most common cyber threats in Canada according to the Canadian Centre for Cyber Security (the “CCCS”), which has stated that ransomware is an increasingly common threat and one of the cyber threats most likely to affect Canadians. It is thus understandable that Canadian IT professionals flagged malicious software attacks (including ransomware) as the most significant cyber risk in the Canadian Internet Registration Authority’s 2020 Cybersecurity Report.

What is ransomware?

The CCCS defines ransomware as “a type of malicious software that infects your device and holds your files and data for ransom.” Such attacks vary widely in form and in how they are delivered, and, as the CCCS warns, no one is safe. The malicious actors behind these attacks cast wide nets that target individuals and businesses alike. The good news is that diligent planning, both at the prevention stage and at the incident response stage, can help minimize the risk of harm.

Steps to take before an incident occurs

While ransomware incidents are on the rise, they need not lead to a catastrophic outcome if properly managed. Organizations that take steps to prevent such attacks, and that plan their response should an attack occur, are significantly more likely to have a favourable outcome (and to avoid such incidents altogether).

Planning begins with the proactive step of establishing a cybersecurity framework: the complete set of organizational resources used to assess and mitigate cybersecurity risks, including ransomware. The organization must leverage its policies, staff, processes, practices and technologies to account for and prevent ransomware attacks. Note that the CCCS has published best practices specific to ransomware prevention that should factor into an organization’s cybersecurity framework.

Planning also includes a reactive step: a cybersecurity incident response plan that covers ransomware forms of attack. This plan should be enterprise-wide and should make the most efficient and effective use of the organization’s resources to minimize the risk of harm following a ransomware attack. It is important to note that it might not be feasible to pull up a copy of the incident response plan in the midst of a ransomware attack, since the file shares, intranet or email systems that hold it may themselves be encrypted or taken offline. Organizations should therefore keep physical copies of the plan (and of the contact details it relies on) where they can be reached without the corporate network.

The incident response plan should address several specific concerns.

  1. The decision to pay or not to pay. Organizations should consider the risks both of paying a ransom too quickly and of refusing to pay at all. Some organizations have proper backups and opt to disregard the option of paying entirely. The risk of ruling out payment without even considering it is that the ransom may cost less than rebuilding and restoring the affected systems; that calculation also depends on the backups actually being intact and restorable, which is only the case if they were kept offline or otherwise out of the attacker’s reach. On the other hand, there is a risk in paying too quickly, before legal counsel and/or a professional negotiator are retained. In our experience, the involvement of certain external negotiators can reduce the ransom by as much as 80%. The incident response plan should provide a protocol that weighs these risks.
  2. The legality of paying ransom. The incident response plan should also take into account that there are legal prohibitions on paying ransom. For instance, there are now prohibitions in place against paying ransom to sanctioned individuals or entities (e.g. known terrorist organisations). Omitting this consideration could lead an organization to inadvertently commit an offence, so the decision to pay needs to account for this factor.
  3. The timing of when to restore/rebuild. Organizations often make this decision too hastily. Restoring or rebuilding too early can destroy forensic evidence (such as logs, disk images and volatile memory) and erase the traces that would otherwise allow the path of the attack to be identified. It is crucial to involve legal counsel, ideally before an incident occurs, but certainly immediately after one. Technical consultants often rush to restoration and rebuilding, which may well be the best path forward, but legal counsel will provide important guidance on timing to ensure compliance with legal obligations.
  4. When to engage external expertise. It is important to have a pre-established protocol regarding whom to contact and when. Point (3) above illustrates one risk of retaining technical consultants immediately while delaying the retention of legal counsel. Ideally, organizations will already have a list of pre-vetted service providers so that the response to a ransomware attack can be executed without delay. On this point, it is also important that insurers be promptly notified of any ransomware attack.

What to do following a ransomware attack

Ransomware attacks are one form of cyber crime in which law enforcement is often unable to offer meaningful help and in which the victim organization must directly confront the criminal actors. There are many moving parts following a ransomware attack, but with proper planning and the support of counsel early on, an organization can significantly reduce the resulting harm.