Ransomware: History, Histrionics, and “Honor”- The Intersection of Preparation and Prevention
February 24, 2017
Emily R. Fedeles
James A. Sherer
Breach Hotline: 855-217-5204
www.dataprivacymonitor.com

James Sherer, Partner
James Sherer is a partner in the New York office of BakerHostetler, where he chairs the Information Governance practice team and serves as part of the E-Discovery Advocacy and Management and Privacy and Data Protection groups. James assists with oversight of discovery and Electronically Stored Information issues for firm clients. James is also tasked with “deep dive” technological and case law-related assignments for omnibus motions and case strategy. James’s work focuses on advising on merger & acquisition due diligence; information governance practices and policies for clients; and client corporate structure and business offerings regarding international data privacy requirements.
James holds an MBA, has CIPP/US, CIPP/E, CIPM, and FIP data privacy professional credentials, the CIP and IGP information governance designations, and the CEDS eDiscovery specialist credential. James is a member of The Sedona Conference® Working Groups One, Six, and Eleven and has served on Search, Achieving Quality, Data Privacy and Security, and Merger & Acquisition Drafting Teams. He is also a member of the New York State Bar Association EDiscovery Committee as well as the New York eDiscovery Counsel Roundtable.

Emily Fedeles, Associate
Emily Fedeles is an associate in the New York office of BakerHostetler, where she maintains a general litigation practice and serves as part of both the E-Discovery Advocacy and Management and the Privacy and Data Protection groups. Emily regularly works with clients across multiple industry sectors on a wide range of matters, including assisting with the oversight of discovery and Electronically Stored Information issues as well as developing litigation and regulatory responses to data breaches.
Prior to joining BakerHostetler, Emily practiced litigation in Geneva, Switzerland, where she developed a wealth of experience relating to cross-border litigation and discovery issues and data privacy and security considerations. She began her legal career as an associate in Florida, where she was a member of four trial teams for multi-million dollar cases in both state and federal court.
Emily attended Emory University for both undergrad and law school, where she held an internship with The Atlanta Spirit and served as a juvenile public defender under the Third Year Practice Act. She is a member of the International Association of Privacy Professionals (CIPP/E) and The Sedona Conference® Working Groups One, Six, and Eleven. Emily has written and spoken on e-discovery and privacy issues with a particular focus on the impacts of emerging technologies such as corporate “Bring Your Own Device” programs.

Agenda
• Ransomware Explained
• History of Ransomware
  – Ransomware as a Process
  – Ransomware as a Business
• Defending against and Responding to Ransomware
  – Ransomware’s Direct Impact
  – Ransomware’s Indirect Impact
  – Ransomware Response
• Practical and Legal Challenges
• Future of Ransomware

What is Ransomware?

Ransomware Unpacked
• What is ransomware?
  – Malicious software that exploits or damages a target by infecting a computer or system
  – May be spread in a variety of ways
  – Attackers are getting smarter in delivery methods
• What forms does ransomware take?
  – Can be categorized based on the form of attack that ransomware takes
  – Locker ransomware, crypto ransomware, hybrid approaches

How Ransomware Works
• Encrypts or otherwise denies access to the data
• At next log-in, the victim gets a message that his data is being held hostage until a payment is made
• Typically includes a fast-approaching deadline, sometimes includes ancillary threats to disclose the data publicly

How Victims Pay
• Ransom payments generally must be made in a digital currency (Bitcoin)
• Attackers remain anonymous and transactions are virtually untraceable
• No middle-man involved
• Some even offer “customer service”
• Strategic decision whether to pay

How Organizations are Damaged
Monetary
• Ransom payment
• Lost profits while business operations halted
• Cost of engaging outside IT/forensics consultant
• Breach response costs if personal data accessed
• Potential regulatory fines or litigation costs
Non-monetary
• Reputation damage
• Disruption of customer access to vital services
• Nightmare of potential breach if personal data accessed

Ransomware through the Decade(s)
• Late 1980s - early 2000s
  – Minor inconvenience
  – Payment largely unnecessary
• 2005 resurgence
  – Actually successful in disabling machines
  – Precursor to what we see today
• 2013 - present
  – Fast spreading
  – Growing exponentially in number and in the range of devices it may affect
• Emergence of smartphone variants

The Rise of Ransomware

Ransomware by Industry

Protecting Against and Responding to Ransomware

Ransomware Defense
• Implement robust backup and recovery policies and procedures
  – Backups to be maintained separate from the main network, preferably off-site
• Thorough data security training
• Workforce education
• Software solutions to block incoming malware
• Stay on top of the latest developments
• Technical and administrative solutions
  – Disable use of vulnerable plugins
  – Deploy intrusion prevention
  – Utilize endpoint security software
  – Keep antivirus protection up-to-date
  – Ensure security patches are installed promptly

OCR Guidance
• July 2016 – the Department of Health and Human Services, Office for Civil Rights releases guidance on how the agency interprets ransomware attacks on HIPAA covered entities and business associates
  – “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired…. unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule.”

To Pay or Not To Pay?
• Will payment result in release of devices or a renewed demand for an increased payment?
• Law enforcement will not advise a company whether or not to pay, though may provide anecdotal evidence or information about a particular “brand” of ransomware
• May violate Office of Foreign Assets Control (OFAC) restrictions
• May result in further demands

Payment and Logistics
• Payment typically must be made in Bitcoin
  – Availability
  – Vulnerability and Victim Identification
  – Taxable status
• Ransom payments are not endorsed by the USA
• OFAC Restrictions
• Executive Order 13694 Cybercrime Restrictions

Questions?
James A. Sherer, Partner, BakerHostetler – @jamessherer
Emily R. Fedeles, Associate, BakerHostetler – @emilyrfedeles