Avanan hosted an informative Ask Me Anything with Joelle Dvir, associate in McDonald Hopkins' national Data Privacy and Cybersecurity Group, one of Advisen's Cyber Law Firms of the Year.
Joelle advises companies on incident and breach response to minimize exposure. Working across a number of sectors, Joelle handles everything from implementing best practice to working with third party vendors to remediate ransomware attacks.
Given the spate of ransomware in the news, Joelle was the perfect person to have on our webinar, talking about all the things you need to know if you're attacked by ransomware.
The full conversation is worth watching. In the meantime, we rounded up a few highlights from the webinar below:
Is Paying Ransomware Legal?
It's unclear, Dvir says. Certainly, if a state-sponsored actor is involved, then it almost assuredly is not legal. The U.S. Treasury's Office of Foreign Assets Control said that paying or facilitating payment to sanctioned hackers could be illegal—even if you didn't know the hackers were under sanction. Regardless, your legal team—which should be your first call after you've discovered the attack—will help chart the course.
How Much Will an Attack Cost Me?
You probably won't pay the $10 million that Garmin paid.
Sure, you'll have to pay legal fees and for any outside experts and of course, if you have to pay the ransom, that too.
But the biggest cost might be in downtime. Depending on the attack, it could take up to two weeks before your company and services are back up and running. That downtime is expensive. One of the many calculations companies have to make is whether it's more expensive to pay the ransom or to have services down.
Who's on My Response Team?
Given the rise in ransomware, your response team should already be identified. It often consists of an incident response group with the company, legal counsel, a forensics team and potentially a negotiation team.
Knowing who to go to, and being able to do quickly, is essential.
What Are Some Trends To Be Aware Of?
Ransomware has changed, says Dvir. Now, groups are doing a ton of due diligence before they let an attack loose. They are infiltrating systems, rummaging around, stealing data and using it to do social engineering. "It's a different ballgame," she says. Groups also know how much money an organization has so they know how much to ask for. This isn't spray and pray. These are targeted, well-thought-out and organized attacks.
Another change? It's not just about encrypting the data, only to decrypt it after the money is paid. It's about stealing the data. Brian Krebs has written about companies seeing their data published even after ransom is paid.
And as Dvir noted, while not incredibly common, it is possible that groups ask for more money, even after being hit and paid.