Ransomware Victims Urged to Report Infections


By: Jeremy W. Rogers

By now, most people have heard of that nasty form of technological extortion known as ransomware. Ransomware is malware that, once installed on a computer or server, encrypts the files it can reach and renders them inaccessible. To get the files back, the victim is told to pay a “ransom,” usually in a cryptocurrency such as Bitcoin, in exchange for the decryption key. The consequences for a user who has lost access to important, and in some cases confidential, files can be serious, and financial records or files containing trade secrets may be affected as well. A business that electronically stores protected health information faces an added concern: guidance issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) treats the encryption of protected health information by ransomware as a form of unauthorized access under HIPAA, and therefore as a presumed breach. That presumption potentially requires notice to affected patients unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the information was compromised. Click here for our recent post on this issue.

Because of the seriousness of the ever-growing ransomware problem, the FBI recently issued a Public Service Announcement urging those who have been infected with ransomware to report the infection to federal law enforcement. The FBI gives several reasons for wanting this information. Historically, many, and perhaps most, victims of such malware never report the infection, whether out of simple embarrassment, concern for privacy or business reputation, or fear of triggering regulatory data breach reporting requirements. The FBI reasons that if it is notified of a larger percentage of infections, it can justify more involved investigations, better understand the scope of the threat, and, hopefully, determine who is behind the attacks.

In a general sense, the question for those who have been infected is how to respond. This should be analyzed on a case-by-case basis for each individual or business. Executives must protect their shareholders, employees, customers, and patients, as the case may be. The FBI, for its part, does not recommend paying a ransom. It points out, rightly, that there is no guarantee that payment will result in receipt of a working decryption key, that some victims who pay are simply asked for more, and that payment encourages the perpetrators and others to continue targeting victims. The key is to protect yourself and your data as well as possible before an infection occurs. The FBI recommends continuing, up-to-date measures: frequent backups of data, with the backups kept disconnected from the computers and networks they protect so that the ransomware cannot encrypt them as well, and with restoration tested periodically; prompt installation of operating system and application patches as they become available; and keeping anti-virus and anti-malware solutions current. Businesses should also adopt and enforce strong security policies for their employees governing data handling and internet access. This may seem like common sense, but it is all too easy to become complacent or to procrastinate in updating security measures.

Coming back to the PSA, businesses must be careful in deciding whether to report a ransomware infection. For instance, will reporting affect business reputation or trigger regulatory data breach reporting requirements? Is there a risk that reporting will embolden others to attempt targeted attacks in the hope of pecuniary gain? Each business and each situation is different, so these questions can only be answered on a case-by-case basis. To help make these decisions and to ensure compliance with applicable notification and privacy laws, organizations should work with experienced legal counsel.

If your organization experiences a ransomware attack, our Cyber Liability, Data Security & Privacy team is available to assist you in each step of the way.