Client Alert: Ransomware – COVID-19 & Upgrading Your Defences

We first published this alert in March 2020 and we have updated it to reflect more recent developments

Introduction

It’s pretty shameful that in the current crisis we’re seeing ransomware on the rise.  It’s even more shameful that organisations involved in fighting the COVID-19 pandemic seem to be especially at risk.  In 2019 ransomware targeted healthcare more than any other industry, accounting for 29% of total ransomware attacks, according to Beazley’s 2020 Breach Briefing report.  Our experience in handling these attacks suggests that the number of attacks is still rising, with criminals working on the theory that an organisation desperate to unlock its data is now more likely to pay.  The recent prolonged attacks on health services in Ireland and New Zealand are just one recent illustration.

But the damage is not just limited to the healthcare sector.  The combined effects of COVID-19 + ransomware have already seen at least one victim as Travelex entered into administration in August 2020 after having reportedly paid a ransom to hackers.  A rescue package was agreed but with the loss of 1,300 jobs.  Regrettably it is likely that Travelex will be just one of many victims.

There are some GDPR-specific terms used in this note which are explained at www.bit.ly/gdprwords.

What techniques are hackers using?

A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities.  The attackers demand that the victim pays money (usually in cryptocurrency such as Bitcoin or Monero) to receive the decryption key or recover access.

The main ways that a ransomware ‘payload’ can enter an organisation’s network are via:

• an attachment to an email (usually framed as something important or “urgent”);
• web-browsing;
• what looks to be a voicemail message perhaps via social media;
• remote access and remote control applications (either on the company’s own systems or using lateral movement on shared systems); or
• removable media and personally owned devices.

The criminals usually exploit a vulnerability in the operating system or other installed software, which then starts the encryption process.  There’s a short film on the current state of play with ransomware so you can understand more about it and who is behind these attacks here https://www.corderycompliance.com/cordery-head-to-head-don-smith-ransomware/.

What’s the worst that can happen?

The impact of a ransomware attack can be severe and far-reaching. For the corporate victim, it can mean business disruption, financial loss and reputational damage. For some it may mean that they are forced to close.

For those whose data has been compromised, this could mean that critical data is rendered inaccessible or disclosed to unauthorised people – in some cases this could include sensitive data.  This is because many attacks also come with a threat to release data stolen from the network to try and increase the chances of a ransom being paid.

In terms of data protection law impact, in both the EU and the UK GDPR imposes key requirements relating to security. Controllers must take appropriate technical and organisational measures (TOMs) to keep personal data secure against loss or destruction. There’s an analysis of how GDPR continues to operate both in the EU and the UK here https://bit.ly/brexdpfaq.

Where a ransomware attack means that an organisation is unable to restore compromised data for a period of time, this could constitute a breach of GDPR on the basis that appropriate measures have not been taken to keep the data secure.

Often ransomware gangs also take data – either to sell if the ransom demand is not met or to demonstrate to the organisation that they have the data and increase the value of the ransom.  In our experience gangs sometimes look for the most sensitive data to sell including passports, health records and personal data relating to the organisation’s leadership.  Data may also be taken for cybershorting i.e. to move the share price and trade on the value of the organisation.

If a personal data breach has occurred, this will need to be reported by the controller organisation to the relevant DPA(s) (in the UK the Information Commissioner’s Office (ICO)) within 72 hours, unless the personal data breach is unlikely to result in a risk to individuals. If the personal data breach is likely to result in a high risk to individuals, the controller usually needs to also communicate the breach to individuals whose data has been compromised without undue delay.

It is possible that the incident may not amount to a reportable personal data breach if:

• a working copy of the data can be restored from back-ups, then the loss of data may not be permanent; and
• it can be established that the data being held ransom has not been accessed or misused.

We know that a number of organisations who have suffered a ransomware attack have argued that because the data has not left their systems no data breach has occurred. That’s unlikely to be correct. There’s detailed guidance on this at an EU level. Individual data protection authorities have issued guidance too – for example the ICO’s guidance says that even if it can restore data from back-up an organisation “would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding”.

Organisations that fail to meet their security obligations under GDPR face high fines as follows:

GDPR Provision	Requirement	Maximum Fines
Article 5(1)(f)	For not ensuring that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate TOMs (‘integrity and confidentiality’).	The higher of €20,000,000 and up to 4% of the total worldwide annual turnover of the preceding financial year
Article 32	For not implementing appropriate TOMs to ensure a level of security appropriate to the risk, including as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of TOMs for ensuring the security of the processing.	The higher of €10,000,000 and up to 2% of the total worldwide annual turnover of the preceding financial year

Fines and other enforcement action can also be incurred for failing to report a personal data breach in time (see for example https://www.corderycompliance.com/irish-dpc-fines-twitter-2/) and not fully cooperating with a DPA.

If the breach has a cross-border impact, this could potentially mean fines from multiple regulators in different jurisdictions. It is important to remember that it is not just GDPR which allows regulators to act. For example in December 2020 the Singapore DPA (PDPC) investigated Water + Plants Lab for failing to prevent a ransomware attack on its systems despite the fact that the company had taken some preventative measures and was able to restore its data successfully from back up. In the same month the PDPC also investigated R.I.S.E Aerospace after it suffered a ransomware attack and that followed a similar investigation in October 2020 into Everlast. Whilst these investigations did not result in substantial fines the PDPC has had new powers from 1 February 2021 which include the ability to fine up to 10% of an organisation’s Singapore-based revenue.

What are some examples of ransomware attacks?

WannaCry

In May 2017, the world was gripped by the “WannaCry” ransomware attack, which encrypted files on infected machines unless the victim paid a $300 million ransom. The NHS in the UK was hit particularly hard because it had not upgraded to the most recent versions of the Windows operating system. The press reported that the attack is estimated to have cost the NHS £92 million.

Norsk Hydro

In March 2019, aluminium producer Norsk Hydro’s systems were infected with the LockerGoga ransomware, resulting in a drop in productivity at the organisation’s 171 sites. The company’s financial reports stated that the ransomware attack resulted in a drop in profits of 82%. The company has spent an estimated £60 million on restoring data from recent back-ups, which it luckily had – not all companies do.

Maze

In a series of sophisticated attacks spanning from mid-2019 to early 2020, hacker group Maze had reportedly exfiltrated a range of organisations’ data before locking victims out of their networks. If a victim does not pay the Bitcoin ransom (up to millions of dollars’ worth in some cases), the group posted the victim’s name and sensitive data relating to them on its website. Its victims have included law firms and companies in various other industries, mainly US-based but also French firm Bouygues Construction. The FBI was called in to investigate. In March 2020 it was reported that Maze had published personal and medical details of thousands of former patients of a London-based medical research company after a failed attack. It was said that this organisation was on standby to carry out trials of a possible future vaccine for COVID-19. In June 2020 it was reported that the criminal gang behind Maze teamed up with two other threat actor groups, LockBit and RagnarLocker, essentially forming a ransomware supergroup. Their co-operation seems to extend to technology and techniques to get victims to pay ransoms.

Redcar and Cleveland Borough Council

In Spring 2020 the Council experienced a security incident targeting its website and affecting 135,000 people when its appointment bookings, planning documents, social care advice and council housing complaints systems were taken offline. The Council disclosed that its systems were being rebuilt and they were being assisted by the National Cyber Security Centre (NCSC). One Redcar and Cleveland councillor told the Guardian newspaper they had been advised it would take several months and cost between £11m and £18m to repair the damage. The ICO has said the Council self-reported. Any action to be taken by the regulator remains to be seen.

Travelex

On 31 December 2019 Travelex’s systems were reportedly brought down by a ransomware attack thought to have been carried out using similar techniques to the Maze attacks mentioned above. Interestingly, the ICO had said that, whilst it is advising Travelex on the data breach, the company had not reported the breach to the ICO. As we’ve said Travelex, a company which did have more than 1,500 stores entered administration after the attack.

Blackbaud

One of the most significant ransomware attacks in 2020 was the Blackbaud attack which has affected many universities and charities across the world. We’ve written about the effects of that attack here https://bit.ly/blackcrack.

There are more details of recent attacks in the BlackFog report ‘The State of Ransomware in 2020’ – details are below.  We are also seeing ransom inflation as the gangs get braver and ask for more and more money.  Our experience is backed up by a Marsh study which reported that in the first half of 2020 average ransomware payments increased by 60%.  Since cryptocurrency is used for most payments a rise in those currencies can also mean a rise in the level of ransom demanded.  The same Marsh study estimates that Bitcoin accounted for approximately 98% of ransomware payments although since the study was published we have seen gangs get more inventive in their payment demands notably after the FBI’s seizure of cryptocurrency valued at $2.3m from the DarkSide gang in June 2021.

One worrying trend we are seeing is the distributed nature of the gangs launching these attacks.  For example those using REvil ransomware (also known as Sodinokibi) seem to have operated a quasi-franchise model with techniques and exploits developed centrally and then used by different gangs to target different sectors in different locations.  Other gangs seem to offer a Ransomware-as-a-Service model with payment on a contingency basis.

How can you prepare to be in the best position to manage such attacks?

Each attack will be different but there are many things that organisations can do to harden its defences including:

1. Having a proper plan in place to deal with suspected ransomware attacks. You’ll need to get to the bottom of the possible issues quickly.  A pre-prepared checklist can help.
2. Making sure your systems are fit for purpose. In our earlier alert on the data protection aspects of COVID-19 we looked at some measures to take now that home working is on the increase.  You can read that alert here Client Alert: Returning to Work during Coronavirus – Health Testing and Data Protection | Cordery (corderycompliance.com).
3. Doing proper due diligence on your technology partners and suppliers – including checking to see if they have been involved in any data breaches or ransomware attacks in the past.
4. For remote access and remote control applications, using strong credentials, multi-factor authentication (MFA) where possible, and ensuring the application itself is kept up-to-date.
5. Using anti-malware and antivirus software tools and services, and blacklisting malicious websites.
6. Routinely applying software patches – and doing that quickly.
7. Backing up critical data and encrypting this.
8. Only having a core group of administrators and implementing appropriate access controls and user privileges. Don’t make it easy for an employee to escalate privileges.  You should also regularly review those privileges too and change them quickly when an employee leaves the organisation or moves role.
9. Segmenting the network so that damaged suffered in an attack is contained. In one case we were involved with the network was segmented and quick action to remove the connections between different parts of the network limited the effects of the attack.
10. Managing data import and export by scanning for malicious content.
11. Regularly removing or disabling redundant software.
12. Only using supported operating systems and other software wherever possible.
13. Developing and maintaining an incident response plan.
14. Developing and implementing anti-malware policies and standards and regularly reviewing these to take into account emerging threats and organisational changes.
15. Training employees and raising awareness about ransomware and other cyber threats, such how to identify phishing emails and suspect sites, not connecting unapproved removable media or personally owned devices to the corporate network and how to report a security incident. As we’ve said before some anti-phishing training is simply not fit for purpose.  Make sure that your training reflects current not historic risks and forms of attack.
16. Running simulated ransomware attacks / testing. This could include a rehearsal of your response to an attack using the Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/).

The NCSC has published a page on malware in its “10-steps to cyber security” series: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/malware-prevention

What damage control can you do once you’ve been attacked?

You should follow your incident response and business continuity plans. You are likely to need specialist help – that will include lawyers experienced in ransomware issues. This is not a time for enthusiastic amateurs. If the attack has already happened, the FBI recommends the following mitigation steps (amongst other measures):

1. Executing a network-wide password reset;
2. Scanning system back-ups for registry persistence;
3. Scanning system back-ups for other malware infections, particularly IcedID banking Trojan, Trickbot, and/or Emotet;
4. Auditing logs for unexpected network traffic and mitigating as necessary.

In addition whilst it is not covered in the FBI guidance our view is that if you are a listed entity watching out for unusual activity related to your stocks and shares. There is a possibility that in 2021 ransomware attackers will move to techniques like cybershorting as organisations become less willing to pay ransoms. We’ve talked about some of this in our film here https://bit.ly/techlaw2021.

You might in addition want to consider decryption tools to see if they could assist you. For example the No More Ransom! campaign group maintains links to some tools here – https://www.nomoreransom.org/en/decryption-tools.html. You should seek specialist help before using these tools.

You are likely to need specialist help

You should consider extremely carefully if a ransom demand should be met – even if the ransom is paid, there is no guarantee that the attacker will hand over the key and it will spur on the attackers to attack more organisations if they think that no one will stop them. There is at least anecdotal evidence that those who pay ransoms are more likely to be hit. Some police forces advise you to never pay a ransom. In some cases paying a ransom could lead to different criminal offences being committed by the payer. For example in October 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanctions risks for facilitating ransomware payments. We have a separate alert and film on the issues with ransomware payments – https://bit.ly/ransompay.

Organisations should also choose their insurers carefully. We have heard reports of insurers paying off ransoms, sometimes against the insured’s wishes. That could have consequences and so those insuring against this type of loss may wish to make sure that their policy allows them sufficient control and protection.

These are challenging times and organisations will have to balance multiple priorities currently. The threat is real however and organisations should do what they can to become more resilient given the rise in attacks.

There is more information on ransomware in different languages here https://www.nomoreransom.org/en/index.html

There are details of additional ransomware attacks and their consequences here https://bit.ly/3BiU247.

The Water + Plants Lab Pte. Ltd decision is here https://bit.ly/3cu2ALH.

Details of the FBI’s DarkSide seizure are here https://bit.ly/3CXU9mI.

For more information please contact Katherine Eyres, Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH		André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH		Katherine Eyres, Cordery, Lexis House, 30 Farringdon Street, London EC4A 4HH
Office: +44 (0)207 075 1784		Office: +44 (0)207 075 1785		Office: +44 (0)20 7075 1786
jonathan.armstrong		andré.bywater		katherine.eyres