Ransomware Archives - Thomson Reuters Institute
https://blogs.thomsonreuters.com/en-us/topic/ransomware/
Thomson Reuters Institute is a blog from Thomson Reuters, the intelligence, technology and human expertise you need to find trusted answers. Feed last updated Thu, 01 Sep 2022 12:54:08 +0000.

Practice Innovations: The real risk of ransomware in 2022 and beyond
https://blogs.thomsonreuters.com/en-us/legal/practice-innovations-july22-ransomware-2022/
Thu, 28 Jul 2022 18:18:30 +0000

“All data breaches threaten reputation because they imply the firm does not have its act together and does not care about clients’ data security,” says crisis expert Thom Weidlich, Managing Director of PRCG Haggerty, a strategic communications firm specializing in high-level reputation management as well as crisis and litigation communications. “Ransomware adds to that in the sheer embarrassment of being held hostage and having your operations interrupted.”

Ransomware’s first documented attack, in 1989, was relatively rudimentary: a malware program delivered on a floppy disk that told its victims to pay $189 in ransom to a PO box in Panama. Today’s ransomware criminals are significantly more sophisticated, thanks to advances in intrusion techniques and the availability of cryptocurrencies for payment.

The US Secret Service reported a marked growth in crimes involving cryptocurrencies and digital extortion schemes, including ransomware, in 2021. Other reports show that ransomware is fast becoming a tool of choice for far-flung cyber-criminals. Verizon, which has been analyzing data security trends since 2008, finds in its 2022 Data Breach Investigations Report that ransomware incidents increased almost 13% over the previous year, a rise as big as the last five years combined, and that ransomware was present in almost 70% of malware breaches last year.

The people problem

Security experts agree that the human element is a crucial driver of this type of digital threat. Verizon’s report puts a number to it: 82% of breaches involved the human element, whether social engineering, misuse, or error, most often employees who inadvertently expose systems to attackers.

“Most ransomware attacks are made possible through the vulnerabilities caused by humans (i.e., the employees of the firm). This is why hyper-vigilance about phishing emails is crucial,” explains Jennie Wang VonCannon, a Certified Information Privacy Professional and Partner with Ellis George Cipollone O’Brien Annaguey. “Many times, it is an employee who clicks on an email which contains malware, inadvertently deploying it onto their computer which then infects the entire network. Or someone enters their login information after receiving an email request to do so, thinking it’s legitimate, and just like that, the malicious actors can enter the firm’s network and encrypt the firm’s data and hold the decryption key for ransom.”

Management should educate personnel about how to spot a scam email and the importance of not clicking on any links, or even opening the email if possible, adds VonCannon. “Depending on the organization’s culture, it may want to conduct regular tests by sending out suspicious-looking emails to keep employees primed to spot a phishing attack.”

Weidlich agrees that many data breaches occur due to employee error, either clicking on a phishing link or through malfeasance, such as stealing data. “It’s crucial to let employees know how important the issue is to the firm,” he says. “Talk to employees, train employees, and view employees as a defense against breaches.”

Depth of your data

A fundamental step in mitigating the harm of a ransomware attack is understanding what data your firm collects and maintains, and what access rights each party has to it.

Trina L. Glass, a shareholder and member of Stark & Stark’s Investment Management & Securities Group, suggests that firms inventory their data to know who has what kind of access. “Prior to implementing controls and procedures to help prevent or mitigate a firm’s risk of a ransomware attack, the firm should first know what data it collects, where the data resides, and who has access to the data,” says Glass, adding that firms also should take steps to reduce copies of sensitive firm and client data.
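As an added illustration of the inventory step Glass describes, the following Python script (example code written for this page, not tooling from Stark & Stark, Thomson Reuters, or any vendor) walks a directory tree, records who owns each file and whether other users can read it, flags files whose names match an assumed list of sensitivity keywords, and hashes file contents to find duplicate copies of the same data. The keyword list, the small sample tree the script builds in a temporary directory, and the POSIX permission model are all assumptions made for the example; a real inventory would draw on the firm’s document-management system and directory-service group membership as well.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed keyword list: file names containing any of these are treated as
# "sensitive" for the purposes of this example only.
SENSITIVE_PATTERNS = ("client", "ssn", "payroll", "privileged")


def _sha256(path: Path) -> str:
    """Content hash, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root) -> dict:
    """Return file records, duplicate groups, and sensitive files readable by others."""
    root = Path(root)
    records = []
    by_hash = defaultdict(list)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        digest = _sha256(path)
        rec = {
            "path": str(path.relative_to(root)),
            "uid": st.st_uid,                       # who owns the copy
            "mode": oct(mode),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
            "sensitive": any(p in path.name.lower() for p in SENSITIVE_PATTERNS),
            "sha256": digest,
        }
        records.append(rec)
        by_hash[digest].append(rec["path"])
    # Identical content under different paths = extra copies to reduce.
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    # Sensitive files any local user can read = access broader than intended.
    overexposed = sorted(r["path"] for r in records if r["sensitive"] and r["world_readable"])
    return {"files": records, "duplicates": duplicates, "overexposed_sensitive": overexposed}


def build_sample_tree() -> str:
    """Constructed sample directory (stub content, not real data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="inventory_")
    files = {
        "matters/client_list.csv": (b"acme,contact@example.com\n", 0o600),
        "shared/client_list_copy.csv": (b"acme,contact@example.com\n", 0o644),  # duplicate, world-readable
        "hr/payroll_2022.xlsx": (b"stub-bytes", 0o640),
        "public/brochure.pdf": (b"brochure", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    report = inventory(build_sample_tree())
    for rec in report["files"]:
        print(f"{rec['path']:32} uid={rec['uid']} mode={rec['mode']} sensitive={rec['sensitive']}")
    print("duplicate groups:", list(report["duplicates"].values()))
    print("sensitive and world-readable:", report["overexposed_sensitive"])
```

Run it against a real share root instead of the sample tree to get a first-cut answer to Glass’s three questions: what data exists (the sensitive flags), where it resides (the duplicate groups show every path holding the same content), and who can reach it (owner and the group/world read bits). The hash-based duplicate check is what turns "reduce copies of sensitive data" into a concrete list of files to delete or consolidate.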

Supply chain weaknesses, partners, and vendors pose their own data risk, and these third-party risks are increasing, according to Verizon’s analysis. Glass says that firms should take appropriate precautions. “Educate and train your employees and third-party vendors on your firm’s information security control procedures,” she explains. “Most ransomware attacks are orchestrated through phishing scams, third-party software vulnerability, and credential stuffing.”

There are several basic IT security measures that firms must take to prevent malware disruptions, including:

        • establishing security practices and policies;
        • keeping software patches and antivirus protection current, and maintaining proactive system protection such as firewalls;
        • encrypting information; and
        • installing two-factor authentication.

What to do when an incident occurs

Should a ransomware incident occur, most law firms already will have a crisis playbook in place that would likely trigger the firm’s lock-down protocols. Communication during this period is critical, Glass says, noting that at this point firms should activate their incident response plan. “Since you’ve taken the time to implement a comprehensive plan, you will know to whom, internally, to immediately escalate the incident and what details to include in your notification,” she says. “The who should also include law enforcement, your insurance carrier, IT vendor, and outside counsel.”

A forensic analysis of how the incident came about will likely begin soon after it is discovered. This work involves establishing what data and systems were compromised, and how and when that happened, VonCannon adds. “If the entire network is encrypted and the firm’s computers [are compromised], firms need to think about getting back online as soon as possible using the up-to-date data backups that they have been diligently keeping so that they can continue operating in the event of a ransomware attack. They should also immediately consult with an expert in this field, such as an attorney with cybersecurity and data privacy experience, who can coordinate the firm’s response.”

Weidlich agrees, and advises that there are three defensive measures firms must immediately take should they find themselves on the receiving end of a ransomware or data security incident. Those include: i) hiring a data-incident firm; ii) hiring a crisis-communications firm; and iii) informing legal authorities since every state has unique laws that must be followed.

The big questions: Transparency & the ransom payment

Two decisions that every law firm must make in the aftermath of a ransomware attack have the potential to divide firm management and will need careful consideration on a case-by-case basis.

The first question on which to achieve consensus is whether to disclose the attack publicly. Law firms will naturally be conservative about making public statements and want to minimize liability risk; yet Weidlich counsels that it is possible to communicate a breach in a way that respects those concerns. “Firms should publicly communicate beyond the legal requirements and standard practice,” he says. “The focus should be on rectifying the situation.” He cautions that any communication must be empathic, and firms can achieve this by acknowledging to clients the inconvenience arising from operational disruption and stating if and how the breach will affect clients and other outside stakeholders.

Second, the firm will also need to determine whether to pay the ransom or not.

Glass cautions that, generally, firms should not be quick to pay ransomware demands. “The FBI … does not support paying ransom in response to a ransomware attack,” she says. “Paying a ransom does not always guarantee that you will receive your data back or prevent future attacks.”

Weidlich observes that ransomware attacks present great difficulty concerning how firms respond to them. “Firms must realize that whatever action they take, whether they pay the ransom or not, they will be criticized,” he explains. “If you pay the ransom, you’ll be criticized for encouraging criminals; but if you don’t pay, you’ll be criticized for not caring enough about clients’ data.” To ensure that all sides receive due consideration, the firm must be clear on why it’s taking the action and be just as clear in communicating that, he adds.

Of course, the best defense against potential ransomware threats is a strong offense. Firms can accomplish this through updated policies and protocols that provide clear guidelines to employees and third parties with system access, regular training and testing to shore up systems against attacks, and an active crisis-management plan that can be validated against known and emerging digital threats.

Ransomware attacks against healthcare organizations nearly doubled in 2021, report says
https://blogs.thomsonreuters.com/en-us/investigation-fraud-and-risk/ransomware-attacks-against-healthcare/
Tue, 05 Jul 2022 18:40:22 +0000

Two-thirds (66%) of healthcare organizations were hit by ransomware attacks last year, up from 34% in 2020, according to a new report from cybersecurity firm Sophos. The near-doubling of cyber-incidents demonstrates how attackers have become “considerably more capable at executing the most significant attacks at scale.”

Because healthcare organizations are so heavily dependent on access to data, such as patient records, to maintain their operations, they are a frequent target for ransomware attacks. Even a short delay in access to records can result in negative outcomes for patients.

A full 61% of the healthcare organizations that reported ransomware attacks had their data encrypted during the event, according to the Sophos report. This was slightly better than the 65% encryption rate across all industry sectors worldwide, “indicating that healthcare was better able to stop data encryption in a ransomware attack,” Sophos said, noting that it also is an improvement from the 65% encryption rate in healthcare in 2020.

The report findings are based on an independent “vendor-agnostic” survey of 5,600 information technology professionals in medium-sized organizations, including 381 healthcare respondents across 31 countries.

The report also showed an improvement in the rate of extortion-only attacks, down to just 4% in 2021 from 7% in 2020. In extortion-only attacks, the data is not encrypted but the healthcare organization is “held to ransom with the threat of exposing data.” The improvement could be because more healthcare organizations have cyber-insurance, “which demands higher cybersecurity defense enhancements.”

The increase in successful ransomware attacks has “affected healthcare more than any other sector,” according to Sophos, which is based in the United Kingdom. Healthcare had the “highest increase in volume of cyber-attacks (69%) as well as the complexity of cyber-attacks (67%)” when compared with cross-sector averages.

Improved ransomware outcomes

Almost all (99%) of healthcare organizations subject to ransomware attacks in 2021 got “some encrypted data back” compared with only 93% in 2020. Within this group, 72% were able to restore encrypted data from backup files; 61% also reported that they “paid the ransom to restore data”; and 33% used other means to restore data. These numbers show that “many healthcare organizations use multiple restoration approaches to maximize speed and efficacy” to restore data and operations. More than half of healthcare organizations (52%) reported using multiple restoration methods, according to Sophos.

Interestingly, 14% of healthcare organizations reported using “three methods in parallel” to restore their data, which was the highest rate across all sectors and double the global average.

However, healthcare organizations that paid the ransom to restore their data got back only 65% of their data on average, compared with 69% in 2020. Only 2% of those that paid the ransom received all of their data back, down from 8% in 2020.

Cost of ransomware attacks

Although healthcare tops the list for the proportion of victims that pay, it is at the bottom for the amount paid, with the “lowest average ransom payment” of all sectors at around $197,000. Even so, the “overall amount of ransom paid by healthcare in 2021” went up by 33% compared to 2020, according to Sophos.

Only three respondents said their organization paid $1 million or more, according to the report. In contrast, 60% of the ransoms paid were less than $50,000. The lower amounts are likely due to the “constrained finances” of healthcare organizations, especially those in the public sector, according to Sophos.

Paying the ransom, however, is not the only cost of a ransomware attack. Ninety-four percent of respondents said the ransomware attack impacted their ability to operate, and 90% of private sector healthcare organizations responded that the attack “caused them to lose business or revenue.” In fact, the average cost for a healthcare organization to remediate the impact of a ransomware attack went up to $1.85 million in 2021, compared to $1.27 million in 2020. This was the second-highest average cost across all sectors.

It took 44% of healthcare organizations “up to a week” to recover from a ransomware attack in 2021, and 25% took up to a month to recover. The average time for healthcare organizations to recover was one week.

Use of cyber-insurance

Only 78% of healthcare organizations reported having cyber-insurance against ransomware, with 46% also saying that there are “exclusions or exceptions in their policies.” Additionally, 93% of healthcare organizations with cyber-insurance reported it was getting harder to secure coverage, with 34% saying it was also more expensive. Healthcare organizations also reported that the level of cybersecurity required to qualify for coverage was higher, policies were more complex, and fewer companies offered cyber-insurance.

For healthcare organizations with cyber-insurance coverage, 97% that were hit by ransomware and had ransomware coverage report that their policy paid out in the “most significant attack.” More than 80% reported the insurer paid the costs incurred to restore operations; however, only 47% reported that the insurer paid the ransom.
