Do I need legal counsel during a ransomware attack?

If your organization is one of the many that has fallen victim to ransomware, you might wonder “Do I need legal counsel during a ransomware attack?”. There are several crucial legal matters that you need to consider during and after a successful ransomware attack.

Whether you decide to consult with a law firm or not, seeking legal counsel is just one element of a comprehensive strategy for how to handle ransomware. Below, we’ll discuss the legal issues in question, as well as how legal counsel should be part of your response to a ransomware attack.

Do I need legal counsel during a ransomware attack?

Being subject to a ransomware attack isn’t just disruptive to your business—it could also expose you to legal risk. In this section, we’ll discuss some of the legal considerations that may affect you as a result‌.

Paying the ransom

If you’re desperate and short on time, paying the ransom may seem like a tempting alternative to get your files and applications back. However, several laws and regulations may subject you to legal consequences and financial penalties, depending on the identity of the attacker.

In October 2020, for example, the U.S. Office of Foreign Assets Control (OFAC) released a ransomware advisory warning companies about the potential risks of paying a ransom to entities sanctioned by the United States. These include all members of OFAC’s Specially Designated Nationals and Blocked Persons List, as well as Cuba, Iran, North Korea, and Syria.

What’s more, laws such as the U.S. Patriot Act and anti-money laundering regulations prevent individuals from providing material support to terrorist organizations or engaging in money-laundering activities. Although prosecution or penalties for ransomware victims under these laws seem to be rare (if they exist), the risk is nevertheless present.

Keep Reading: What is threat hunting in cybersecurity?

Industry-specific data security laws and regulations

Regulations such as HIPAA (for healthcare organizations), PCI DSS (for retailers), and Sarbanes-Oxley (for financial companies) all deal with the handling of sensitive and confidential data. By exposing this data to malicious actors, your business may have violated data security regulations as the result of a ransomware attack.

HIPAA violations, for example, are classified into four tiers depending on the degree of the organization’s negligence. Businesses in “willful negligence” are guilty of violating the highest tier and subject to fines of $50,000 per violation (up to a maximum of $1.5 million per year).

Keep Reading: What is XDR security and why should you care?

Security breach notification laws

If your organization is the target of ransomware, it’s highly possible that you were affected by a data breach, as well. Beyond industry-specific laws and regulations, your company is likely covered by general laws that govern companies’ actions in the wake of a data breach.

As of writing, all 50 U.S. states and the European Union have enacted security breach notification laws. These regulations require companies to promptly announce that individuals’ sensitive information may have been leaked to a third party and take specific actions to address the situation.

Given the intricate legal questions surrounding a ransomware attack, it’s highly advisable to consider speaking with a law firm ransomware specialist who can provide guidance on these issues. In particular, legal counsel can act on your behalf to preserve attorney-client privilege—for example, when contracting an external forensic investigation team to probe the causes of the attack during the aftermath.

Keep Reading: What is advanced persistent threat detection?

How do you respond to a ransomware attack?

Consulting with legal counsel is just one step you should take after suffering a ransomware attack. Below are three more recommendations:

  • Engage your incident response team: Whether it’s in-house IT personnel or a third-party expert, having an effective ransomware response team is a must for companies of all sizes and industries. As soon as ransomware is discovered on an infected system, your incident response team should move to contain the malware and isolate the device(s) from the larger network. The team will then need to perform root cause analysis to identify how the ransomware entered your IT environment and patch any security flaws.
  • Notify law enforcement: Notifying law enforcement after a ransomware attack is usually a wise decision and may even be a requirement from your insurance company (if you’re lucky enough to have cyber insurance). The list of agencies you may wish to speak with ranges from your local police department to the FBI. The information you provide to law enforcement may be crucial to helping stop the attackers and even recovering your information. In 2020, the FBI’s Internet Crime Complaint Center (IC3) was able to freeze $380 million of $462 million in reported losses due to cyber crime.
  • Decide whether to pay the ransom: Making a ransomware payment is an ugly business, but if you don’t have recent backups available, you may see it as your only option to get up and running again. Aside from the legal issues mentioned above, you should be prepared for the risk that the ransom payment will be partially or fully ineffective. According to Forbes magazine, 92% of companies that pay a ransom demand don’t receive access to all their encrypted data.

Keep Reading: 3 threat intelligence benefits that are important for business

What’s the best way to defend against ransomware?

Planning for a strong ransomware attack response is essential. What’s even better, however, is a strong ransomware defense so that you never have to put your incident response plans into action.

The list of actions you should take to guard against ransomware include:

  • Keeping regular backups: Making regular backups of your mission-critical data, and storing them in a secure, inaccessible location, is the best thing you can do to neuter a ransomware attack and preserve your business continuity. By efficiently restoring from backup as soon as possible, you’ll lose only hours or days of work, rather than months or even years.
  • Hosting training and education programs: Ransomware can enter your IT environment in many ways, but one common cause is phishing attacks that trick users into downloading malicious software (or even intelligent “spear phishing” attacks that target a specific individual). Training your staff in topics such as how to recognize suspicious emails and what to do in the wake of a cyberattack will ensure that your entire workforce is prepared if an incident occurs.
  • Running tabletop exercises: A tabletop exercise is a simulation of a malware attack that assesses the strength of a company’s ransomware response plan. This exercise involves key personnel, such as executives, managers, IT personnel, and legal and HR representatives. After being given a specific scenario, participants need to formulate how they would respond to the attack and mitigate its impact.
  • Installing the right cyber defenses: Last but certainly not least, organizations need to protect their endpoints, network, servers, cloud deployments, and other areas of their cyberattack surface. Deploying a cyber defense tool such as XDR or SIEM will provide greater visibility into your IT environment by detecting threats so that your incident response team can mobilize more quickly.

How to get started with ransomware defense

If you’re just getting started with ransomware defense, it’s an excellent idea to work with a skilled, experienced IT security partner that can provide advice and support. The first step to protecting your network is to use a solution like an XDR (extended detection and response) platform that monitors your IT environment for abnormalities and sends alerts to your security team.

UncommonX is an IT-managed detection and response provider that offers keen, cutting-edge data security insights to our clients, including ransomware response and defense. Our BOSS XDR security operations platform helps with everything from protecting against cyberattacks to response and recovery after a security incident.

Want to learn more about how UncommonX’s BOSS XDR solution can enhance your cybersecurity posture? Get in touch with our team of IT security experts today to discuss your business needs and objectives or to request a demo of the BOSS XDR platform.

About the Author

At the center of our U.S.-based Security Operations Center (SOC) is a distinctly skilled team of security architects, engineers, analysts, and data scientists. Each is an expert in their respective field and dedicated to protecting our customers 24/7.