By Katie Anderson  |  Buffalo Business First  |  Jan 13, 2022, 6:00am EST

Attorneys warn that all companies should be prepared for a ransomware attack

Last month’s cyberattack on the workforce management company, Kronos, shut down the payroll system for weeks, a warning that all companies should be prepared for a ransomware attack.

“When we started hearing about cyberattacks, we were worried about people stealing information,” said Anna Mercado Clark, a partner at Phillips Lytle LLP and a professor at Fordham Law School.

Ransomware attacks shut down a system and demand money to get it up and running again.

“There’s also a sense of urgency when a ransomware is involved, particularly with health care because they need to provide medical care and sometimes urgent medical care,” Clark said. “It can pose serious hazards.”

That sense of urgency is attractive to attackers because it often means a company may do whatever it takes to get the system up and running, even paying the ransom.  

“It’s a much more lucrative way to get a return on their attack,” Clark said. “They’re targeting a few different types of organizations that were not previously thought of as prime potential victims.”

In many ways, she said, the criminals aren’t targeting industries, but rather, vulnerabilities.

Kevin Szczepanski, partner with Barclay Damon LLP, said there are four good reasons companies shouldn’t pay the ransom, including making them a target.

“You’re more likely to be the victim of a future attack if the bad actors know that you paid in a previous one,” he said.

Second, if a company pays a ransom there’s no guarantee the criminals will give the data back after payment. Third, there’s no guarantee how much of the data will be returned or if some will be kept for future attacks. Lastly, Szczepanski said, paying the ransom creates a moral hazard.

“When you subsidize bad behavior, you tend to get more of it,” he said. “I think that’s why the Biden administration and other law enforcement agencies are strongly discouraging the making of ransomware payments because they want to discourage ransomware attacks.”

Since the Kronos attack is recent, experts don’t yet have a full picture of what happened. But there are lessons to be learned.

“The question is not if but when,” Clark said. “Perhaps the more important thing is to know how to prepare for an attack and to know how to respond.”

Companies should use software and hardware to detect and isolate suspicious activity. IT providers can focus on protection.

“I think the challenge is, some companies don’t have the resources or the leadership that recognizes the value of that,” she said. “IT is thought of as making things run smoothly, but they also need to supplement those services with someone who will be focused on protection.”

Because ransomware attacks also go after backup data, Clark said companies should keep multiple backups in different, unconnected places.

Nick DiCesare, partner at Barclay Damon, said some attacks happen slowly, where the criminal gets into the system and finds the backups before launching the ransomware.

“They get into your system someway, and then they spread out without your business knowing,” he said. “They try to get into your backups, so when they launch the ransomware and shut down the system, they have the backups too.”

Administrative protections

Companies should implement physical protections to ensure unauthorized people are not accessing the system, and administrative protections such as training, policies and procedures. Some of the most basic cybersecurity measures include writing policies and enforcing them throughout the company, from entry-level employees to the CEO.

“You want to make sure your employees are trained on best practices so they can identify a social engineering scam, a malicious email or another attempt to breach an organization’s system,” Szczepanski said.

Companies should have a policy that prohibits employees from using work email accounts for personal use or subscription services.

“It can really help employees identify if something is fishy, because they’re not expecting those things coming to their work email,” DiCesare said.

One of the best ways an organization can prepare for an attack is to have an incident response team with a plan and practice, he said.

“That way, when your organization does suffer an attack, you know the individuals in your organization that are going to quarterback your response, you know the lawyer outside your organization that you’re going to contact to serve as your breach coach, and you know the forensic expert you’re going to contact to help identify how the bad guys got in and what, if any, data they accessed,” he said. “The more you can do in advance to prepare, the better able you are to reduce the risk and the more efficient your response will be.”