How to Respond to a Ransomware Attack

Provided by Matthew Meade, Breach Counsel, Eckert Seamans’ Cybersecurity, Data Protection & Privacy

Ransomware attacks continue to plague local government entities throughout the United States at an unprecedented rate. Unfortunately, Minnesota counties have not been immune to these incidents, with more than 10 counties affected by ransomware within just the past six months.

Although members can take steps to reduce the chances of a ransomware attack (to be addressed in a subsequent article), there are also immediate measures an organization can take to limit the effects of a ransomware incident once it occurs.

Threat Actors Deploy Two-pronged Ransomware Approach

During the past several years, most threat actors executing ransomware attacks have been using a two-pronged approach to extort money from their victims:

  1. Once they gain access to a network, they exfiltrate data from the network before encrypting the data on the network. To increase the likelihood of payment, they frequently attempt to destroy backups of critical systems.
  2. They then demand payment: 1) to provide a decryption key to unlock the data, and 2) to agree to delete whatever they have taken and not release the data on the dark web.

In this scenario, even if a member entity has viable backups that the threat actors were not able to destroy, the organization’s data being released on the dark web can be highly damaging to the member, both from a reputational and a litigious perspective.

Sensitive Data at Risk

Member data repositories often hold sensitive information relating to residents and others. This can include personally identifiable information (PII), as well as protected health information (PHI) from a range of sources and departments including human resources, social services, coroner and veterans services.

Further, the potential release of highly sensitive sheriff’s office files detailing sex crimes investigations, domestic abuse, ongoing investigations and crimes against children can be injurious.

The unauthorized acquisition of data maintained by a Minnesota government entity that compromises the security and classification of that data is a breach under Minnesota law. The definition of access includes obtaining, accessing or viewing government data.

When there is a ransomware attack, a member needs to conduct an investigation to determine the extent of the incident, whether there has been unauthorized acquisition of government data and, if so, notify those residents whose data was affected.

The Incident Response Plan

MCIT’s cyber-security incident response team, which includes the cyber forensic investigators Sylint, working in conjunction with and under the direction of legal counsel Matthew Meade, Esq., has developed an incident response protocol. It helps limit the impact of an attack and determines, to the extent possible, when and how threat actors gained access to the network, as well as the specific data compromised.

Counties should have a cyber-incident response plan that identifies the incident response team and describes the procedures the county will take in the event of an attack.

It is important to note that a ransomware incident is a crime scene and should be treated accordingly. Valuable evidentiary data can be obfuscated or destroyed by IT teams rushing in to restore from backups (which may themselves contain malware).

Response efforts need to be detailed in the incident response plan and must balance the desire to return to normal operations with the need to accurately determine what occurred and what data was impacted.

One function of the cyber-security incident response team is to provide a detailed plan to recover and to conduct the needed investigation as expediently as possible. However, there are steps a public entity can take immediately to reduce impact and improve resiliency, as outlined below under “Immediate Steps to Take After a Cyber-attack.”

Learn More About Cyber-security Best Practices

MCIT offers members a number of resources to assist them in their cyber-security efforts. Check them out in the Resource Library.

Members may also contact their MCIT risk management consultant at 1.866.547.6516 to discuss cyber-security concerns.

Immediate Steps to Take After a Cyber-attack

If ransomware is detected in the network, disconnect devices from the network and isolate backups. The goal is to contain the incident and keep it from spreading to other devices or networks that may be unaffected.

  • Any devices that are shut down should be left off. If disconnecting is going to impact county services, notify that department and help them shift to emergency processes.
  • Internal segmentation can be a component in decisions to disconnect. For example, if the sheriff’s office runs on an isolated subnet or separate network, it may be able to continue operations if connections and trusts are broken with potentially affected devices/networks.

Report the incident to MCIT as soon as possible; do not wait weeks, days or even hours. The sooner the member alerts MCIT, the quicker the cyber-security incident response team can provide guidance and assistance.

  1. Members should call 1.866.547.6516 immediately even if they “think they might” have a problem.
  2. Then members should complete and submit the online incident notice through the member portal (see orange button at top or bottom of page).

Although most members want to be as transparent as possible, it is important not to overcommunicate, especially when the facts are not yet known.

  • Disclosing that the member has “experienced a cyber-incident that is being investigated” is likely to be accurate without being overly alarming.
  • Threat actors often monitor news about their victims, further emphasizing the need to keep public disclosure during the early stages of response to a minimum.
  • If media outlets attempt to interview anyone, ask them to put their questions in writing and advise that the organization will respond when appropriate. Just as it would be inappropriate to comment on a homicide investigation until it is concluded, it would similarly be inappropriate to comment on a cyber-incident investigation while it is still ongoing.
  • Department heads and elected officials should be informed and also cautioned not to make statements prematurely.

It is important that digital evidence be preserved.

  • Do not attempt to copy, restore or decrypt data until a plan to preserve critical evidence has been created in conjunction with the cyber-security incident response team.
  • If local, state or federal law enforcement want access to evidentiary material, Sylint* can provide forensic images as needed. They have extensive experience working with law enforcement, and follow strict chain of custody and evidence handling protocols for evidence used in state and federal courts.

*MCIT’s partner cyber forensic investigator.
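As an added example (not code from MCIT or Sylint), the following Python shows the integrity side of evidence preservation: hash a forensic image when it is acquired, append a chain-of-custody entry, and later verify that the item is unchanged, so that a restore or cleanup that touches the evidence is detected. The evidence file name, handler role and file contents are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large forensic image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log_path, evidence_path, handler, action):
    """Append one chain-of-custody entry: who did what to which item, and its hash at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_of_file(evidence_path),
        "handler": handler,
        "action": action,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log_path, evidence_path):
    """True only if the item's current hash matches the hash recorded at acquisition."""
    name = os.path.basename(evidence_path)
    with open(log_path) as log:
        for line in log:
            entry = json.loads(line)
            if entry["evidence"] == name:  # first entry for the item is the baseline
                return entry["sha256"] == sha256_of_file(evidence_path)
    return False  # never logged: there is no baseline to verify against

def demo():
    """Constructed scenario: acquire an image, log it, then show that a later change is detected."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "dc01-disk0.img")  # hypothetical evidence file name
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as f:  # constructed placeholder content, not a real disk image
        f.write(b"constructed placeholder for a forensic image\n" * 1000)
    record_custody(log, image, "forensic examiner", "acquired image")
    intact_at_acquisition = verify_custody(log, image)
    with open(image, "ab") as f:  # simulate a restore/cleanup that touches the evidence
        f.write(b"restored file\n")
    return intact_at_acquisition, verify_custody(log, image)
```

In a real engagement the hash is recorded on the acquisition form as well as in the log, so the two can be cross-checked when evidence is handed to law enforcement.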

Although communication with the threat actors can often yield valuable clues and intelligence, the best practice is not to communicate directly with them. Sylint* has extensive experience dealing with cyber-extortionists and is best equipped to communicate on the member’s behalf.

A ransomware incident can be chaotic. Systems are failing, data is unavailable and users start to panic.

  • If you have an incident response plan, follow it, keeping in mind evidence preservation.
  • Start making a list of devices (servers, workstations, mobile devices) in the environment and note: 1) whether they appear to be impacted, 2) what data resides on them, and 3) what functions they provide. This is the first step in assessing the scope of the incident and understanding how much damage has occurred. It is also critical in determining the member’s options for restoring data and continuing to provide services to the community.