A North Carolina county went public with its recent ransomware attack and decision not to pay a ransom, providing a rare look inside such crippling hacks, the vast majority of which are kept under wraps.
Workers for Mecklenburg County, N.C. learned Dec. 5 that several computer networks had been frozen by the LockCrypt ransomware strain. Cybercriminals demanded payment of 2 bitcoin—worth approximately $24,000 at the time—to provide the key to unlock the data on 48 of the county’s 500 computer systems that were encrypted. The county’s data was backed up, one of the best defenses to a ransomware attack.
Transparency during a ransomware attack “is a noble effort but must be weighed against the short-term strategic need to defend against the attack,” Joseph Moreno, a cybersecurity partner at Cadwalader, Wickersham & Taft LLP in Washington, told Bloomberg Law. Much like a hostage situation, “the first call should be to law enforcement and the focus should be on addressing the risk, securing your data, and taking back control of your systems,” he said.
Nearly all organizations and companies need to be prepared for ransomware well in advance of a hit, because the problem is growing in size and scope. Global ransomware-specific incidents have almost tripled since the third quarter of 2015—rising from 3.9 million to 12.3 million, according to McAfee Inc. data.
An attack also can remind organizations and companies that they need proper cybersecurity procedures and event-specific incident response plans in place, including processes for paying cybercriminals for a decryption key.
Ransomware attacks put victims “in a literally debilitating situation, and the impact is all the more critical if the systems support critical infrastructure such as government,” Moreno said. “If you don’t see yourself as a target you are already behind the curve,” he said.
The county had cybersecurity protocols in place, Leo Caplanides, a spokesman for Mecklenburg County, told Bloomberg Law, but wouldn’t comment on whether the county had ransomware-specific incident response plans. Once notified soon after the discovery of the attack, all county stakeholders gathered to initiate operation continuity plans, he said.
The decision to not pay the ransom was a good move and was supported by the FBI, Moreno said. Paying cybercriminals or even storing cryptocurrency in case of an attack is dangerous because it “illustrates to those in the know that you are a potential payer,” he said.
The county has no plans to stash cryptocurrency as a means to more easily pay ransom in the future, Caplanides said. The county will instead continue to invest in IT security infrastructure and cybersecurity training for employees, he said.
Although some organizations and companies decide to pay the ransom, it only helps fuel cybercriminals for their next attack, cybersecurity pros said.
“Organizations that are the victim of ransomware should not pay the ransom,” Jerry Dixon, chief information security officer for Arlington, Va.-based cybersecurity company CrowdStrike, told Bloomberg Law. “It only encourages criminal groups to continue to propagate malicious software used to victimize companies or organizations with it.”
Backing up data so that it is readily available if systems are compromised by ransomware makes the decision not to pay easier.
“If you fall victim to ransomware then the next best thing is restoring from backups. If a company or organization has a good data backup program it basically makes ransomware just a nuisance due to the time to restore the data and get back into production,” Dixon said.
The locked Mecklenburg County information is available in backed up files, Caplanides said.
The county decided to go public with the ransomware attack because it was the “right thing to do to keep the public, data partners, and employees informed,” Caplanides said. Such a move should be weighed on a case-by-case basis, even when a government is involved, attorneys and cybersecurity pros said.
The ransomware attack had a “downstream impact on day to day citizens” and an “effective communications plan to help and manage end users through the incident” is imperative, Peter Tran, general manager and senior director in the worldwide advanced cyber defense practice at RSA Security in Boston, told Bloomberg Law.
With assistance from Andrew Ballard in Raleigh, N.C.
To contact the reporter on this story: Daniel R. Stoller in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.