To pay or not to pay. That has been the question in relation to ransomware, the pernicious and now ubiquitous attack that locks your systems and files, and demands ransom for the “key” to unlock them.
Putting aside the question of whether the “key” will work or whether paying the ransom (which can be covered by insurance) incentivizes the attackers, the question for the victim of the attack is often one of survival. In the end, it boils down to how robust a victim’s backups are and how long the victim can operate without full access to its systems and files. As the recent Hollywood Presbyterian attack showed, a ransomware victim can be left without key system access for days, creating huge losses and operational disruption. See http://www.cbsnews.com/news/ransomware-hollywood-presbyterian-hospital-hacked-for-ransom/.
The question may now also be to report or not to report. The FBI has recently appealed for help from victims in gathering information concerning ransomware attacks. In a recent PSA, which can be found here, the FBI asks victims to report ransomware attacks, via the Internet Crime Complaint Center, www.IC3.gov, including such information as:
- Date of Infection
- Ransomware Variant (identified on the ransom page or by the encrypted file extension)
- Victim Company Information (industry type, business size, etc.)
- How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
- Ransom Amount Paid (if any)
- Overall Losses Associated with a Ransomware Infection (including the ransom amount)
- Victim Impact Statement
The question of whether to report is not an easy one, however. Law enforcement plays a crucial role in relation to investigating and hopefully thwarting cyber extortionists. But ransomware victims have other considerations before them, including what effect a report to law enforcement will have, whether the victim has other reporting duties, and the role of confidentiality in relation to a cyber-attack. Although a victim’s first reaction to a cyber-attack is often to call law enforcement, it is best served having a detailed plan in place, well before the attack, to weigh all relevant considerations before reporting the attack to anyone. In this regard, as in relation to incident response generally, planning can be the best defensive move an entity can take.
Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2016 Harter Secrest & Emery LLP