What do you do at closing time on a Friday when your data is encrypted, and a message tells you that you must pay 1000 Bitcoin to decrypt it? Sadly, this scenario is seen routinely across the United States by local governments, for-profit businesses, and non-profit organizations. So, what should you do when you discover your systems are locked until a ransom is paid?
Make Sure Critical Data is Backed Up
Hopefully, you won’t be paying a ransom because you have a backup. However, many businesses and individuals typically create a copy of their data in real time (or close to it). While this form of backup may protect against natural disasters and power failures, it may not be enough to mitigate ransomware risk. In some instances, real-time copying of data will just copy the malware onto the replicated server. Then, the ransomware kicks in and encrypts both the copy and the live system.
Organizations, businesses, and individuals should scrutinize whether there is an interruption in the transfer of data to their backups. That action can help to mitigate the risk of malware infecting both the primary system and the backup system. If you are fortunate enough to have a backup, then restoring from it can eliminate the ransomware, and paying is not an issue.
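The point above, as an added example that is not from the original article: the Python below treats backups as dated generations and returns the newest one taken before the files turned into high-entropy (encrypted-looking) data, while a real-time mirror holds only the latest state. The generation layout, the 7.5 bits-per-byte threshold, the 50% ratio, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"
SUSPECT_RATIO = 0.5      # assumed: a generation is suspect if over half its files look encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for ordinary text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def suspect_ratio(files: dict) -> float:
    """Fraction of the files in one backup generation that look encrypted."""
    hits = sum(shannon_entropy(body) > ENTROPY_THRESHOLD for body in files.values())
    return hits / len(files) if files else 0.0

def last_clean_generation(generations: list):
    """generations: (label, {path: bytes}) pairs, oldest first. Returns the newest label before the first suspect one."""
    clean = None
    for label, files in generations:
        if suspect_ratio(files) > SUSPECT_RATIO:
            break  # this copy and every later one may already hold encrypted data
        clean = label
    return clean

def pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted file content: a deterministic SHA-256 stream."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32))
    return b"".join(blocks)

# Constructed sample data: two plain-text files, then the same files after "encryption".
PLAIN = {"ledger.csv": b"date,amount\n2024-01-05,120.00\n" * 100,
         "notes.txt": b"Quarterly review notes for the board.\n" * 100}
LOCKED = {name: pseudo_ciphertext(name.encode()) for name in PLAIN}
VERSIONED = [("mon", PLAIN), ("wed", PLAIN), ("fri", LOCKED)]  # periodic copies, all retained
MIRROR = VERSIONED[-1:]  # a real-time copy keeps only the latest (already encrypted) state

if __name__ == "__main__":
    print("versioned backup restore point:", last_clean_generation(VERSIONED))
    print("real-time mirror restore point:", last_clean_generation(MIRROR))
```

Compressed or legitimately encrypted files also score high on this measure, so a production check would compare each generation against the one before it rather than rely on the absolute threshold alone.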
If No Backup Exists, You May Have a Big Problem
If you do not have a backup, then you must look at other options. You may want to contact knowledgeable counsel and hire a computer forensic team. To avoid paying a ransom, a computer forensic team can initiate an investigation to determine whether or not the data can be decrypted. However, more urgently, you should try to wall the encrypted computers off from the rest of the system if the ransomware has not encrypted everything.
You need to be able to respond to the incident while ensuring that you do not create a discoverable paper trail that could be used against you later. An attorney can help to craft the scope of your forensic team’s inquiry. The scope of the forensic team’s work may also influence whether the team’s work product must be turned over in discovery. Professional legal advice can help to define the scope of the work, mitigating the risk of future disclosure.
The company or individual’s immediate concern should be crafting a response to the ransomware incident. However, you should also be mindful of potential legal risks in doing so. Shareholders, vendors, insurance carriers, and customers may all become potential adverse litigants at some time in the future, so the response to the incident should proceed while keeping that risk in mind.
Notify Your Insurance Company
Fortunately, many individuals, companies, and organizations now have ransom insurance coverage. These insurance policies often identify legal counsel and forensic investigators. Policies may, however, allow organizations to hire their own, subject to approval by the carrier. Ideally, you will have identified these legal and forensic professionals ahead of time. If not, and the provisions of the insurance policy are encrypted, then you should proceed with retaining knowledgeable and experienced professionals.