With ransomware attacks running rampant, companies need to proactively establish ransomware war rooms, using a dedicated physical or virtual space and including all business stakeholders in preparation, according to an expert panel speaking at the Mandiant Cyber Defense Summit last week. As part of the preparations, businesses should establish processes to handle negotiations with the threat actor as well as manage the legal and public relations fallout resulting from such an attack.
Ransomware gangs will purposefully target companies after work hours, on weekends or during holiday recess in order to catch a company with a minimal security operations team on duty, an event that also takes a personal toll on staff and other stakeholders, said Jibran Ilyas, a managing director at Mandiant and an adjunct professor of digital forensics at Northwestern University.
Unless companies are prepared to have the right personnel in place with an understanding of the key issues on the table, that could have a major impact on how successful they are in managing and remediating the attack, according to Ilyas.
A ransomware attack will also have considerable legal ramifications for a company, according to Dominique Shelton Leipzig, a partner and co-chair of the Ad Tech Privacy and Data Management practice at Perkins Coie. Legal challenges include breach notification requirements at the federal and state level, accurate and timely disclosure to federal regulators, and litigation resulting from the breach of privacy laws.
Businesses need to align internal stakeholders and outside experts in advance of a ransomware attack, to make sure all of the necessary people are on notice to respond to an attack.
These include external forensics firms and external counsel, as well as key executives from human resources, communications, business continuity, business application owners, help desk personnel and others, according to the panel.
Companies would benefit from appointing a project manager and holding tabletop exercises with all key stakeholders involved. If brought in early, red team officials can play the role of an adversary and will essentially be able to warn company executives where there are exploitable weaknesses in the system, according to Evan Pena, the global red team director at Mandiant.
Building a response plan
A central consideration in a company's incident response plan is preparing for business continuity. Organizations should always set up data backups, but they cannot assume those backups will allow a company to immediately resume normal operations after a ransomware incident, according to Leipzig.
"It's been a rude awakening for certain companies to find out that what is on the BCP (backup file) locations cannot really be used for weeks and months to stand up operations, so you really need to be prepared and understand how quickly you can get back to business with your backup locations," Leipzig said.
The legal ramifications of ransomware attacks are becoming an even greater concern, Leipzig said. The Securities and Exchange Commission is closely monitoring whether companies disclose cyber incidents in a timely and accurate manner, and has launched investigations against firms that fail to properly disclose cyber incidents. The Department of Justice is also adding timely disclosure requirements for federal contractors.
Regarding potential liability, the California Consumer Privacy Act allows up to $750 in statutory damages for every record that is part of a cyberattack. There are more than 170 class action suits currently underway for these types of data breaches. As previously reported, the massive T-Mobile data breach, which impacted more than 54 million customers, is expected to fall under the CCPA.
Separately, the impact of cyberattacks will open companies to litigation regarding business continuity. Colonial Pipeline is facing litigation from gas station owners who lost business due to the May ransomware attack, Leipzig said.
A spokesperson for Colonial said the company could not comment on pending litigation but said "we worked around the clock to safely restart our pipeline system following the cyberattack against our company."