Ransomware in Asia-Pacific: how to prepare

Anatomy of a ransomware attack

Ransomware attacks typically involve the use of malware that infects systems in order to encrypt the victim's data and/or disable access to impacted systems. The attacker will exploit vulnerabilities in the victim’s cyber defences, often relying on "spear phishing" attacks to obtain access credentials from unsuspecting employees.

Once the victim's systems are infected with the malware, the attacker may exfiltrate data so as to set the stage for a ransom demand that includes a threat of disclosure of compromised data. In other cases, the software functions only as a "locker" that disables the victim’s systems but does not involve the exfiltration of data.

With the stage set, the attacker then issues a ransom note, typically demanding payment in untraceable cryptocurrency in exchange for the keys that will unlock the impacted systems and data.

The storm that follows

Depending on the threat actor's tactics, ransomware attacks may be accompanied by parallel manoeuvres such as denial of service attacks aimed at distracting and confusing the victim, not to mention stretching its technology resources. Some attackers operate blogs that announce the successful attack. Some threat actors will even publish samples of exfiltrated data, drawing publicity that can only raise the pressure on the victim as regulators, business partners, and potentially impacted data subjects raise questions and demand immediate answers.

The victim organization is faced with extraordinary challenge in the hours that follow, seeking to identify the source of the infection, contain it, and restore service, while at the same time taking steps to prevent further infection and assess the impact in terms of systems and data compromised.

The operational challenges of a malware attack can be crippling. The legal implications of a successful malware attack can also be wide and far-reaching. Regulated industries are faced with a need to notify authorities, typically on very short timeframes. To the extent that personal data has been compromised in the attack, consideration will also have to be given to making notifications to data protection authorities and impacted data subjects. With mandatory data breach notifications on the rise in the Asia-Pacific region, regulatory requirements on this front have increased significantly in recent years. Depending on the situation, the victim may also have contractual obligations to notify business partners and customers, and may well be in breach of obligations to keep data confidential or provide service to contracted standards. Victims of ransomware attacks may suffer the loss of valuable proprietary information and data protected by intellectual property rights. Depending on the scale of the impact, publicly listed companies may be under a duty to make regulatory notifications and announcements.

The foregoing considerations apply to many different types of successful cyber-attacks. The unique feature of a ransomware attack is the threat actor and its demand for payment. The legality of making payments to an extortionist needs to be assessed under applicable laws, with consideration given to whether or not the payment raises money-laundering, sanctions, or terrorist finance issues, potentially with a need to notify or obtain approval of law enforcement officials prior to making payment. As law-makers begin to react to the scourge of ransomware, we see specific legislation being brought into force. In June of this year, for example, a Ransomware Payments Bill was introduced to the Australian Parliament. The Bill proposes that businesses that have an annual turnover in excess of AUS$10 million would be required to notify ransomware payments to the Australian Cyber Security Centre, with the failure to do so attracting a civil penalty.

What should you do?

1. Preventative measures

In matters of cyber security, an ounce of prevention is always worth at least a pound of cure. Organizations are well-advised to analyse their specific vulnerabilities carefully and take precautions that reduce the chance of a would-be extortionist succeeding with an attack.

Many preventive measures are technical and operational in nature: ensuring that appropriate security measures are in place, technology is secure and up to date, and monitoring tools are closely tracking system access and data usage. Organizations looking to prevent ransomware attacks have directed attention more broadly on data management programs: looking at how and where data is stored, which personnel have access to it, and how long data is retained, all of which can serve to reduce the number of "soft spots" available to the attacker and limit the scale or severity of harm if security is breached. Business continuity planning is also key, understanding the organization's critical points of failure and implementing fail-overs and recovery measures that keep business functions running during an attack.

Cyber security training has taken on new dimensions with the threat of ransomware attacks, with many organizations simulating spear phishing attacks to test employee vigilance. Interactions with employees is often the weak link that threat actors exploit. Training and discipline around password usage and system access can significantly improve an organization’s ability to repel a ransomware attack.

2. Incident response planning

For all the preventive measures an organization may take, the sad reality of the matter is that a successful attack remains a strong likelihood for many. Incident response planning is therefore a key piece of the preparations.

The best prepared organizations invest in detailed planning addressing a range of issues:

• Response team composition and roles: It is critical to have a team organized in advance so that it is ready to be activated in the first moments of a ransomware attack. As is the case with cyber security incidents more generally, ransomware response is a cross-disciplinary exercise involving a range of functional roles and expertise, including information security, information technology, legal, compliance, and public relations/corporate communications. From these functional competencies, the organization should draw a dedicated incident response team. This team’s reporting lines and escalation paths to senior management should also be defined and documented.
• Response procedure: The specific response to ransomware incidents will vary significantly from case to case, but there are key tasks and actions that will apply in any event, from root cause investigation and containment, data and systems recovery, internal and external communications, and evaluating the need to make regulatory notifications. Having a game plan in place can only improve the company’s position. The role of legal and compliance in incident response planning should not be underestimated. Much of the critical decision-making in responding to a ransomware attack will involve legal and regulatory considerations, not only in terms of legal obligations to make notifications to regulatory authorities, impacted data subjects, and others, but also in terms of considerations such as whether or not the organization should engage with the threat actor that has demanded payment. Legal involvement in the earliest stages of a ransomware attack can also help address considerations such as the application of legal privilege to forensic investigations and the early development of a litigation strategy where disputes with customers, suppliers, and other business partners may arise.
• General discussion of notification obligations and how they work: It can be very helpful for the incident response plan to outline the potential notification obligations that will need to be evaluated by an organization impacted by a ransomware attack. These will depend on the nature of the organization and the specific systems and data compromised, but there will be some obvious candidates. There may be specific industry regulators, data protection authorities, customers, business partners, and insurers who must be notified. Listed organizations will need to consider stock exchange filings, and law enforcement notifications are an important feature of ransomware attacks, given the threats of extortion involved.
• Template notifications and FAQs: Although specific notification requirements and corporate communications may vary significantly from incident to incident based on the circumstances of the attack, having generic templates that function as checklists can be helpful towards bringing structure and organization to the frenzied first hours following a ransomware attack.
• Post-incident actions: Organizations will typically face a number of critical actions following a ransomware attack, including attending to any post-incident litigation and regulatory investigations, continuing investigation work, and undertaking any remediation work needed to improve system security and data management practices going forward to prevent a recurrence of similar attacks. The incident response plan itself should be reviewed with areas for improvement noted based on its use in anger.

Authored by Mark Parsons, Tommy Liu, Katherine Tsang, and Anthony Liu.