Cyber criminals have become a major threat: the rise in ransomware attacks requires businesses to implement robust legal-compliance measures, and this article gives some indications on how to deal with them.
As reported by my dear friend, Pierluigi Paganini, the US government is offering USD 10 million to whoever provides information on the leaders of the famous cyber gang Blackcat (also known as ALPHV).
I have been fortunate to deal (on behalf of clients) with Blackcat in a few instances following a ransomware attack. The mechanics of so-called double extortion are now the norm: threat actors demand a ransom to decrypt the victim's data and, at the same time, threaten to publish the stolen data on the dark web at a set deadline if no payment is made.
But how do you deal with them if you are in crisis following a cyberattack? There is no magic formula, but below are a few recommendations:
1. Immediately establish a communication channel with the threat actors, relying on professional intermediaries where the complexity of the case warrants it:
- Ignoring them is NOT a strategy; in almost every case your initial findings on the impact of the cyberattack will turn out to be wrong, and you need to at least buy some time to reinforce your defenses and avoid a second attack. Opening a channel does not commit you to paying; it gives you visibility into what the attackers claim to hold and time to verify it.
2. Do NOT hide the cyber attack; your customers, employees, and regulators will find out:
- The initial instinct might be to hide or minimize the incident, but if your customers, employees, and regulators find out (and they will), you risk being in even worse trouble. Depending on the impact of the cyberattack, you can send an initial communication to customers and employees and a preliminary notification to regulators. For this purpose, you will need to assess the obligations under the laws of the impacted jurisdictions, including their deadlines (for example, the GDPR's 72-hour deadline for notifying the competent supervisory authority), and, if the applicable obligations are triggered, file a notification.
3. Notify regulators in a strategic manner, building your defense from the outset:
- Once you have understood that a notification is due, you cannot just file it stating that you have no idea what happened. The reputation of the cyber criminals attacking your business is, in a way, also part of your defense: you should stress the measures you had in place and that the threat actors were skilled enough to overcome them. You need to file notifications with a long-term view, anticipating potential challenges from data protection authorities, other regulators, and the individuals whose data have been impacted. With the rise of class actions following cyberattacks, this aspect is becoming increasingly prominent.
4. Assess whether the impact of the cyber attack on your business forces you to pay the ransom, and whether paying would be lawful under the laws of the impacted jurisdictions:
- The rules applicable to paying a ransom depend, among other things, on the nationality of the threat actors, the countries impacted, and whether the cyber gang has been sanctioned (blacklisted) by the relevant government, in which case the payment itself may be unlawful. Paying the ransom is NOT a good option unless it is the SOLE option: you are dealing with cyber criminals, who give no guarantee that the data will be deleted rather than sold to other gangs, nor that the decryptor they provide will work reliably.
5. Negotiate with the threat actors, but always be prepared for the worst:
- You negotiate with cyber criminals to reduce their demand and to buy time to investigate the impact of the attack on your business and strengthen your defenses. But since you are dealing with criminals, you should be prepared for the data to be published on the dark web regardless, with a communication strategy ready that conveys trust to your customers and demonstrates that you have done your best to minimize the effects of the cyberattack.
6. Rely on professionals; cyber attacks are not for newbies:
- I might have a conflict of interest in this recommendation, since we frequently advise clients following major cyber attacks. However, there is no doubt that cyber attacks have consistent dynamics that require experts who can better understand what happened and give you the best recommendation on how to proceed. Your business risks ending up on its knees if the response to a cyber attack is inappropriate.
I discussed how to deal with a cyber attack, and much more, with my US DLA Piper partner Ron Plesco in an episode of our podcast Diritto al Digitale, “How to deal with Cyber Risk in the Era of Artificial Intelligence”.