Tag: Ransomware

The Empire Strikes Back — Did the DOJ Hack the Colonial Pipeline Hackers?

Now we are in no way confusing the cyber-criminal enterprise DarkSide with the plucky light-side rebels from Star Wars, but it appears the United States Department of Justice seized 63.7 bitcoins, worth $2.3 million, paid to cyber-criminal enterprise DarkSide following the May 7 ransomware attack against Colonial Pipeline. The attack resulted in a highly publicized, brief shutdown of the company’s pipeline infrastructure, which transports approximately 45% of the oil consumed on the U.S. East Coast, and which took days to resolve and create widespread gasoline shortages in some parts of the country. The seizure was coordinated through the DOJ’s recently created Ransomware and Digital Extortion Task Force, which was created to address increasing ransomware and digital extortion attacks again U.S. businesses.

The story is big news because ransoms are rarely recovered.  Typically, the victim of a ransomware attack transfers the ransom to hackers, who then transfer the funds to hundreds of other wallets and the funds are essentially gone forever.  Even if the payments can be tracked to accounts, what is even more rare is the ability to unlock those accounts.  So the question on everyone’s mind is how did the DOJ unlock the account holding the ransom?

According to documents filed in the U.S. District Court for the Northern District of California, Colonial Pipeline provided investigators with the bitcoin address of the hackers it paid on May 8.  The hackers then moved the funds through at least six more addresses by the next day.  On May 13, DarkSide told affiliates that its servers and other infrastructure had been seized, but did not provide any details.  On May 27, the FBI seized 63.7 bitcoins traced to the Colonial ransom, when it  landed at a final address.  Impressive.

So how did the FBI get the private encryption key?  The FBI disclosed in its application for a warrant that it had the private encryption key for that bitcoin address.  The FBI has not, however, disclosed how it obtained the encryption key.  There are a few possibilities.  First, it is possible someone close to the attack tipped off the FBI.  Second, the attackers may have been careless.  The FBI noted that they had been investigating DarkSide since last year.  It is possible the FBI got access to communications that may have provided clues to the private key or access to a private server holding information about the private key.  Third, the FBI may have received assistance from the cryptocurrency exchange where the bitcoin had been moving from account to account.  Fourth, the FBI could have hacked the key on its own.  The most likely scenario is that the attackers were careless, and the FBI was able to capitalize on their carelessness to uncover the private encryption key.

The good news for the crypto community is that law enforcement was able to track down and recover much of the bitcoin.  Contrary to the perception that cryptocurrency is untraceable, it appears the public blockchain made it easier in this case to track and recover the ransom than it would have been if the ransom was paid in fiat.  We may never know how the FBI unlocked the private encryption key in this case, but if the DOJ is successful in recovering future ransom payments, it may shed some additional light on this case and others.

Copyright ©2021 Nelson Mullins Riley & Scarborough LLP
For more articles on the Colonial Pipeline hack, visit the NLR Communications, Media & Internet section.

Ransomware Incident Compromises Unemployment Claim Information of 1.6M in WA

It is being reported that the Office of the Washington State Auditor (SAO) is investigating a security incident, allegedly caused by a third-party vendor, that may have compromised the personal information of up to 1.6 million residents of the state of Washington who filed unemployment claims in 2020.

The SAO is investigating fraudulent unemployment claims filed in Washington in 2020 that reportedly cost the state up to $600 million. In completing the audit, the state utilized a third-party vendor, Accellion, to transmit computer files for the investigation.

According to the SAO, “during the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service.” The SAO posted on its website that the unauthorized person “was able to exploit a software vulnerability in Accellion’s file transfer service and gain access to files that were being transferred using Accellion’s service,” which occurred in December 2020.

Data that may have been affected includes 1.6 million individuals’ claims made between January 1, 2020 and December 10, 2020, including claims made by state employees. The compromised information includes individuals’ names, Social Security numbers and/or drivers’ license or state ID numbers, bank information and place of employment. In addition, the personal information of some individuals whose information was held by the Department of Children, Youth and Families was also compromised.

What a terrible consequence for those who legitimately lost their job and filed for unemployment benefits. For those whose personal information was used to file a fraudulent unemployment claim, this news throws a massive amount of salt in the wound of being the victim of identity theft.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.
ARTICLE BY Linn F. Freedman of Robinson & Cole LLP

For more, visit the NLR Communications, Media & Internet section.

Ransomware Payments Can Lead to Sanctions and Reporting Obligations for Financial Institutions

With cybercrime on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued advisories on one of the most insidious forms of cyberattack – ransomware.

Ransomware is a form of malicious software designed to block access to a system or data.  The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information.  Ransomware attackers usually demand payment in the form of convertible virtual currency (“CVC”), which can be more difficult to trace.  Although ransomware attacks were already on the rise (there was a 37% annual increase in reported cases and a 147% increase in associated losses from 2018 to 2019), the COVID19 pandemic has exacerbated the problem, as cyber actors target online systems that U.S. persons rely on to continue conducting business.

OFAC

The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”  OFAC stresses that these payments may violate US sanctions laws or OFAC regulations, and encourage future attacks.

OFAC maintains a consolidated list of sanctioned persons, which includes numerous malicious cyber actors and the digital currency addresses connected to them.[1]  Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.  The advisory states that “OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

In addition to violating sanctions laws, OFAC warned that ransomware payments with a sanctions nexus threaten national security interests.  These payments enable criminals to profit and advance their illicit aims, including funding activities adverse to U.S. national security and foreign policy objectives.  Ransomware payments also embolden cyber criminals and provide no guarantee that the victim will regain access to their stolen data.

Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.

OFAC encourages financial institutions to implement a risk-based compliance program to mitigate exposure to potential sanctions violations.  Accordingly, these sanctions compliance programs should account for the risk that a ransomware payment may involve a Specially Designated National, blocked person, or embargoed jurisdiction.  OFAC encouraged victims of ransomware attacks to contact law enforcement immediately, and listed the contact information for relevant government agencies.  OFAC wrote that it considers the “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”  OFAC will also consider a company’s cooperation efforts both during and after the ransomware attack when evaluating a possible outcome.

Such cooperation may also be a “significant mitigating factor” in determining whether and to what extent enforcement is necessary.

FinCEN

FinCEN’s advisory also encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement.  The FinCEN advisory arms these institutions with information about the role of financial intermediaries in payments, ransomware trends and typologies, related financial red flags, and effective reporting and information sharing related to ransomware attacks.

According to FinCEN, ransomware attacks are growing in size, scope, and sophistication.  The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks.  The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise.

FinCEN touted “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense.  The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments.  These red flags include, among others: (1) IT activity that shows the existence of ransomware software, including system log files, network traffic, and file information; (2) a customer’s CVC address that appears on open sources or is linked to past ransomware attacks; (3) transactions that occur between a high-risk organization and digital forensics and incident response companies or cyber insurance companies; and (4) customers that request payment in CVC, but show limited knowledge about the form of currency.

Finally, FinCEN reminded financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments.  A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.  “Reportable activity can involve transactions . . . related to criminal activity like extortion and unauthorized electronic intrusions,” the advisory says.  Given this, suspected ransomware payments and attempted payments should be reported to FinCEN in SARs.  The advisory provides information on how financial institutions and others should report and share the details related to ransomware attacks to increase the utility and effectiveness of the SARs.  For example, those filing ransomware-related SARs should provide all pertinent available information.  In keeping with FinCEN’s previous guidance on SAR filings relating to cyber-enabled crime, FinCEN expects SARs to include detailed cyber indicators.  Information, including “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications,” will assist FinCEN in protecting the U.S. financial system from ransomware threats.

[1] https://home.treasury.gov/news/press-releases/sm556

© Copyright 2020 Squire Patton Boggs (US) LLP
For  more articles on cybersecurity, visit the National Law Review Communications, Media & Internet section.

Interpol Issues Alert on Increased Risk of Ransomware Attacks Against COVID-19 Medical Organizations

Interpol has issued an alert to global law enforcement agencies about the increased risk of ransomware attacks on hospitals, health care providers and other organizations on the front line of response to the COVID-19 pandemic.

The Purple Notice, issued to all 194 member countries, notified them that Interpol’s Cybercrime Threat Response team has detected a “significant increase” in ransomware attempts against hospitals and medical organizations.

According to a spokesman from Interpol, “[A]s hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cyber-criminals who are looking to make a profit at the expense of sick patients. Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable.”

The primary vector for the ransomware attacks continues to be phishing attempts. Unfortunately, due to the emergency nature of COVID-19, healthcare workers are working long, stressful hours, and may not be as vigilant as usual in spotting phishing emails. The criminals are luring tired workers into clicking on links and attachments with subject lines that appear to be COVID-19- related or are from the Centers for Disease Control or other governmental bodies trying to keep healthcare workers informed about the rapidly spreading virus.

Hospitals and other healthcare entities should be aware of these warnings from INTERPOL and Microsoft [view related post] and notify their employees to be extra vigilant when opening emails, links and attachments.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more industries affected by COVID-19, see the National Law Review Coronavirus News section.

Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.”  New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is the case since, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptioware “toolkit.” These techniques include cyber-attacks such as ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See ICIT report for further definitions.) Today, the rise of disruptionware is a new and even more chaotic form of cyber warfare attack – it not only attempts to encrypt and deny users access to their data, but disruptionware works to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that these institutions usually do not have the luxury of taking time to restore backups in order to get their networks working again and running safely and securing after an attack. Above and beyond the costs associated with paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted healthcare providers to deliver critical health care services to patients. Perhaps even more disturbingly, many of the victim companies reported losing data even when they paid the ransom demanded by the hackers. Nevertheless, according to the blog “knowbe4,” it was predicted that ransomware payments alone by victim companies will have exceeded $11.5 billion in 2019 – representing an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also now using new and diverse techniques to launch multiple forms of cyber-attacks including, among other things, an increased use of new Remote Desktop Protocol (RDP) attacks, as well as leveraging various software vulnerabilities to infect organizations through backdoor channels. Unfortunately, few businesses are hardening their IT infrastructure against these new types of extremely damaging cyber-attacks. RDP attacks are becoming far more common because of the simplicity of many users’ login credentials, while companies are not doing enough to “whitelist” exclusively acceptable computer software and applications to prevent security holes caused by numerous software vulnerabilities in unsecured and sometimes untested software applications.

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and the business having a firm understanding of what their data is as well as a good understanding of its importance in the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to try and resume normal business operations as quickly as possible.

©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the Nationa Law Review.

Health Care Task Force Pre-Releases Report on Cybersecurity Days Before Ransomware Attack

Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry.  The Task Force was established by Congress under the Cybersecurity Act of 2015.  The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12.  The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date.  In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.”  HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched.  As in-house counsels understand, the ransomware attack raises a host of legal issues.

Timely, the HCIC report calls cybersecurity a “key public health concern that needs immediate and aggressive attention.”  The Task Force identifies six high-level imperatives, and for each imperative, offers several recommendations.

The imperatives are as follows:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

With respect to medical devices (imperative #2), the Task Force specifically advocates for greater transparency regarding third party software components.  The report encourages manufacturers and developers to create a “bill of materials” that describes its components, as well as known risks to those components, to enable health care delivery organizations to move quickly to determine if their medical devices are vulnerable.  Furthermore, the Task Force writes that product vendors should be transparent about their ability to provide IT support during the lifecycle of a medical device product.  The Task Force also recommends that health care organizations ensure that their systems, policies, and processes account for the implementation of available updates and IT support for medical devices, such as providing patches for discovered vulnerabilities.  The report suggests that government and industry “develop incentive recommendations to phase-out legacy and insecure health care technologies.”

The Task Force also encourages medical device manufacturers to implement “security by design,” including by making greater security risk management a priority throughout the product lifecycle, such as through adding greater testing or certification. In addition, the report encourages both developers and users to take actions that improve security access to information stored on devices, such as through multi-factor authentication.  The Task Force recommends that government agencies, such as the U.S. Food and Drug Administration (FDA) and the Office of the National Coordinator for Health Information Technology (ONC) at HHS, consider using existing authorities to “catalyze and reinforce activities and action items” associated with this recommendation.  This includes leveraging existing government guidance and industry standards, like FDA’s premarket and postmarket cybersecurity guidance documents.  Published in 2014 and 2016, these documents recommend that “manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the [secure development lifecycle].”  We have previously discussed these guidance documents here and here.

Finally, the Task Force recommends that the health care industry take a “long-range approach” to considering “viability, effectiveness, security, and maintainability of” medical devices. The Task Force states that each product should have a defined strategy and design that supports cybersecurity during each stage of the product’s lifecycle.  In particular, the Task Force encourages HHS to evaluate existing authorities to conduct cybersecurity surveillance of medical devices.

This post was written by Dena Feldman and Christopher Hanson of Covington & Burling LLP.

“WannaCry” Ransomware Attack Causes Disruption Globally – With Worst Yet to Come

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australia and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government only confirming three reports of Australian companies being affected.  Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment of affected users as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer for computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link as is commonplace in most attacks. Ransom demands start at US$300 and doubles after three days.

The U.K. National Health Service (NHS) was among the worst hit organisations, forcing hospitals to cancel appointments and delay operations as they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using a 16 year old version of Windows XP which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

Edwin Tan is co-author of this article. 

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

ransomwareOn July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It is deployed through devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key necessary needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates frequently back up their documents because ransomware denies access to the covered entity’s and business associate’s data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed-up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and inaccessible from their networks.

Covered entities and business associates should also install malicious software protections and educate its workforce members on data security practices that can reduce the risk of ransomware, including how to detect malware-type emails, the importance of avoiding suspicious websites and complying with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity will be able to continue its day-to-day business operations while continuing to respond to, and recover from, a ransomware attack. The entity’s robust security incident procedures for responding to a ransomware attack should include the following processes to:

Activate the entity’s incident response plan and follow its requirements;

  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Thus, in order to determine if the information was acquired and accessed in the incident, additional analysis will be required. Unless the covered entity or business associate can demonstrate that there is a “[l]ow probability that the PHI has been compromised,” based on the factors set forth in the HIPAA breach notification rule, a breach of PHI is presumed to have occurred. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware though is usually designed to extort money from victim entities rather than steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes, in case of a subsequent regulatory investigation or litigation, not to notify affected individuals.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.

ARTICLE BY Amy GordonAnn KillileaMichael G. MorganSusan M. Nash & Angela M. Stockbridge of
McDermott Will & Emery
© 2016 McDermott Will & Emery

Ransomware: How It Works and What You Can Do

“Ransomware” is making big news, with reports that a California hospital paid $17,000 to regain access to its network after malware locked access to files. This is a case, however, of the news catching up to the facts. Ransomware has been one of the fastest growing forms of cyberattack over the last year. According to media reports, as many as 100,000 computers per day are being infected with ransomware.

These increasing ransomware incidents serve as the latest warning that companies need to take steps to protect against costly and damaging cyberattacks.

How Ransomware works

Without getting too technical, ransomware works by infecting a computer, then using modern cryptography methods to encrypt files. Once encrypted, the files cannot be decrypted without the “key” that the hackers provide when you pay them ransom. Since we are talking about encryption schemes that would take supercomputers years to break, there is (with one increasingly limited exception) no way to regain access to the encrypted files without paying for the key.

We mentioned an increasingly limited exception. A couple of years ago, when one ransomware ring was taken down by law enforcement, some of the private keys that ring used to decrypt were recovered. Thus, if the ransomware variant that infected your machine happens to be the increasingly outdated version that matches these keys, then you have a shot at getting your files back without paying the ransom. But, the hackers are very aware of this loophole, and more modern ransomware variants do not respond to the captured keys.

How Ransomware is spread

The delivery methods keep evolving, but almost all delivery mechanisms have something in common: human help. Common delivery methods include such human-machine interactions as opening infected email attachments, and visiting websites which inject the malware into the user’s machine. While even the most innocent websites can be hijacked to deliver malware, the shadier websites are the most likely to give you an unwanted infection.

These delivery methods have several implications which help explain ransomware’s rapid proliferation. First, the hacker doesn’t have to put any thought into making you a target. He or she just has to cast the malware about (much like throwing seed into the air), and then wait for you to call once you are infected. Second, ransomware has an extremely high ROI for the hacker’s limited efforts. The hacker has to write (or buy) the ransomware once (and it’s not expensive to acquire), seed it once, and then sit back and watch the profits roll in from thousands of infections.

What you can do

While nothing provides a bulletproof solution to this growing problem, implementing and strengthening several measures can lower your risk:

•Because much of this malware infects machines by tricking the user, raising user awareness of this problem is crucial. Users who are more resistant to clicking on suspicious email links and visiting shady  websites are your best means of lessening exposure. You should realize that:
◦Inattentive users run a very real risk of bringing damaging cyber-infections into the company.
◦“Think before you click” on email attachments and imbedded links is an important defense. You are far better off having users who over-report suspicious links to IT than with users who are overly trusting.
◦Web browsing should be limited to those business sites that are necessary for your operations..
◦If your users have the ability to link to company systems from their personal computers or other devices, understand that applying these rules to their personal device use makes them, and the company, safer.
•Encourage prompt employee reporting of potential problems. Even the most diligent employee may fall prey to a malicious email. Employees who fear discipline or termination will be much less likely to swiftly report potential problems. You will eventually discover you’ve been compromised, but only after the damage has multiplied.
•Backup frequently. Losing a file to encryption is much less problematic if you have a clean backup copy. Review your backup procedures, and make sure you have a robust backup process.

Article By Lucas AmodioDaniel C. Nelson Jeffrey Schultz of Armstrong Teasdale

© Copyright 2016 Armstrong Teasdale LLP. All rights reserved

Ransomware Strikes California Hospital – Could You Be Next?

digitallife03-111715In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wiredquestioned that assertion. The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of the ransomware attacks on the increase lately.   Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.

  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is:  do we pay?   If your business is about to grind to a halt, you likely have no choice.    However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips.  Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.CodeMonkey-68762_960x3601

  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

Article By Cynthia J. Larose & Kate F. Stewart of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.