Ransomware Protection: Prevention, Response and Recovery
Ransomware attacks are here to stay, and it is essential that organisations are well prepared to protect themselves from the growing threat of digital extortion. From regular backups and securing network systems to employee training, preventive technical and organisational measures are key to preventing attacks. But there is also a lot of legal groundwork to be done in order to be prepared. Find out how you can best protect your business and what to do in an emergency.
What is ransomware?
Ransomware is a form of malware designed to encrypt business-critical data or block access to IT systems until a ransom is paid. As a result, businesses are often severely restricted in their ability to operate. In addition, internal company data is usually exfiltrated from the affected systems before encryption, so that the attackers can threaten to publish it as well; this gives them leverage even where backups are available. Attackers usually demand payment in cryptocurrency to cover their tracks. Ransomware is often introduced through phishing emails, insecure software or network vulnerabilities.
The potential impact on businesses is dramatic: business interruption, data loss and financial loss can be the result, often combined with high recovery costs and reputational damage. There is also the risk of compensation claims from affected individuals, customers and clients, as well as possible action by data protection authorities, especially if the attack can be attributed to a lack of data protection and security measures.
What types of ransomware are there?
There are different types of ransomware that can threaten businesses. Attackers often combine the encryption of data with the threat of publishing the stolen data. Companies that do not pay the ransom not only risk losing access to their data, but also face a loss of reputation and possible legal consequences if confidential information is released.
The concept of ransomware as a service (RaaS) is becoming more widespread: ready-made ransomware products are offered on the darknet. This allows criminals without in-depth technical skills to carry out ransomware attacks by purchasing the virtually ready-made software solution from malware developers. This makes the ransomware threat even more unpredictable for organisations and increases the number of potential attackers.
How does a ransomware attack work?
A ransomware attack happens in several steps. Here is a typical sequence:
Initial infection
The attack usually begins with an infection, typically via phishing emails, manipulated attachments or malicious links. Downloading infected software or exploiting vulnerabilities in outdated systems can also provide an entry point.
Spreading across the network
Once inside the system, the ransomware will attempt to spread across the corporate network. This is often done by exploiting security vulnerabilities or weak passwords. The malware can quickly spread to multiple devices and servers to infect as many systems as possible.
Data extraction
The attackers often move around the system undetected for months, identifying data that would be worth extracting, either to profit from it directly (e.g. by selling it) or to add to the blackmail by threatening to release it. Data is often extracted gradually in small amounts, because security systems typically alert on large transfers and may not raise an alarm on many small ones.
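The gradual extraction described above is exactly what a single-transfer size alert misses. The following script is an added example (not part of the original article) that runs two detection rules over a handful of constructed egress log lines: a naive per-transfer threshold, and a per-host rolling-window total that catches the same hosts even when every individual transfer is small. The log format, host names, destination addresses and both thresholds are constructed for illustration and would be tuned to a real environment's baseline.

```python
"""Detect low-and-slow outbound transfers in constructed egress log lines.

Added example, not code from the original article. Shows why a per-transfer
size alert alone misses gradual exfiltration, and how a per-host rolling
window total over the same records catches it. The log format, hosts,
destinations and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_host> <dst_ip> <bytes_out>"
SAMPLE_LOG = """\
2024-03-01T02:10:00 fileserver01 203.0.113.7 9000000
2024-03-01T03:10:00 fileserver01 203.0.113.7 9500000
2024-03-02T02:10:00 fileserver01 203.0.113.7 9800000
2024-03-02T03:15:00 fileserver01 203.0.113.7 9700000
2024-03-03T02:10:00 fileserver01 203.0.113.7 9900000
2024-03-03T03:10:00 fileserver01 203.0.113.7 9600000
2024-03-01T09:00:00 laptop17 198.51.100.20 1200000
2024-03-02T09:30:00 laptop17 198.51.100.20 800000
2024-03-03T10:00:00 laptop17 198.51.100.20 1500000
2024-03-03T11:00:00 backup01 203.0.113.9 120000000
"""

PER_TRANSFER_LIMIT = 50_000_000   # bytes: what a naive single-transfer alert fires on
WINDOW = timedelta(days=3)        # constructed window length
WINDOW_LIMIT = 40_000_000         # bytes per host within WINDOW (constructed baseline)


def parse_lines(text):
    """Parse the constructed log format into (timestamp, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def single_transfer_alerts(records, limit=PER_TRANSFER_LIMIT):
    """Naive rule: alert only when one transfer on its own exceeds limit."""
    return sorted({host for _, host, _, nbytes in records if nbytes > limit})


def rolling_window_alerts(records, window=WINDOW, limit=WINDOW_LIMIT):
    """Per-host sliding window over time-ordered transfers.

    For each host, sum the transfers whose timestamp lies within `window`
    of the current one and alert when that sum exceeds `limit`, even though
    every individual transfer may be small. Returns {host: peak window total}.
    """
    by_host = defaultdict(list)
    for ts, host, _, nbytes in sorted(records):
        by_host[host].append((ts, nbytes))
    flagged = {}
    for host, transfers in by_host.items():
        start, total = 0, 0
        for ts, nbytes in transfers:
            total += nbytes
            # Drop transfers that have fallen out of the window.
            while transfers[start][0] < ts - window:
                total -= transfers[start][1]
                start += 1
            if total > limit:
                flagged[host] = max(flagged.get(host, 0), total)
    return flagged


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    print("per-transfer rule flags:", single_transfer_alerts(recs))
    print("rolling-window rule flags:", rolling_window_alerts(recs))
```

On the sample, the per-transfer rule flags only backup01 (one 120 MB transfer), while the rolling-window rule also flags fileserver01, whose six transfers of under 10 MB each add up to 57.5 MB within three days. In practice the window limit would be derived per host from its own historical egress rather than a single fixed number.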
Encrypting the data
The next step is for the ransomware to encrypt critical business data or entire systems. Without the decryption key, the data is unusable and normal business operations are severely disrupted.
Ransom demand
Once the data has been encrypted, a ransom note is usually sent to the affected company. The attackers usually demand payment in cryptocurrencies (such as bitcoin) in exchange for decrypting the data.
Threat of additional consequences
In many cases, the attackers also threaten to publish sensitive company data if the ransom is not paid. This is known as 'double extortion' and increases the pressure on the company, as there is not only the threat of data loss, but also reputational damage.
No-obligation initial consultation on cyber-attacks & ransomware
Why not arrange a no-obligation initial consultation with one of our specialist solicitors to discuss your situation, your advice needs and - if necessary - to act quickly!
What should you do in the event of a ransomware attack?
In the event of a ransomware attack on an organisation, quick and focused action is essential to minimise the damage. Here are the key steps to take in the event of an attack:
Isolate systems immediately
As soon as the attack is detected, the affected systems should be immediately disconnected from the network. This will prevent the ransomware from spreading to other systems or servers on the corporate network. Any infected devices should be taken offline and isolated.
Notify the IT and security team
The internal IT and security team must be informed of the incident immediately. In many cases, it will be necessary to call in external IT security experts who specialise in cyber-attacks and incident response. A quick response from experts can help contain the attack.
Document the attack
Each step of the attack should be documented in as much detail as possible. This includes the type of ransomware, the ransom demands and the systems affected. This information is important for later analysis, incident reporting and any insurance claims.
Contact authorities and regulators
In many cases, it is advisable to inform law enforcement authorities such as the police or the Federal Office for Information Security (BSI). In the case of data breaches, the relevant data protection authority should also be contacted. If necessary, individuals whose personal data has been affected by the attack should also be informed directly.
Review backup strategies
Check that there are current and uninfected backups of the affected systems and data. If clean backups exist, the data can be restored from them. This can at least limit the damage caused by the encryption.
Do not pay immediately
Paying the ransom should not be your first choice. There is no guarantee that the attackers will provide the decryption key after payment, that they will not subsequently increase the ransom, or that no further attacks will follow. It is important to carefully assess the situation and discuss it with experts before making a decision. The legal implications of paying the ransom should also be considered.
Strengthen IT security
Once the incident has been dealt with, companies should strengthen their IT security measures to prevent future attacks. This includes regular security audits, employee training, the implementation of security software and a review of backup strategies.
A well-thought-out ransomware contingency plan can help minimise damage and restore business continuity as quickly as possible.
Communication with partners, customers and employees
In addition to reporting to the authorities, good internal and external communication is also necessary. Employees need to be informed, and there should be clear language rules for all external communications. Business partners must, or at least should, also be informed where necessary. Prompt notification may be legally required, especially if the affected company acts as a service provider and processor. Good communication helps to meet legal obligations, minimise PR damage and avoid subsequent claims.
Is a ransomware attack a data breach and do I have to report it?
Yes, a ransomware attack generally constitutes a reportable data protection incident, as personal data is almost always involved and there is usually a risk to the rights and freedoms of individuals. In that case, the incident must generally be reported to the competent data protection authority within 72 hours. Processors, by contrast, must above all inform the controller (their customer).
In addition, data subjects may need to be informed if the incident poses a high risk to them, for example in the case of possible consequences such as identity theft or financial loss.
Processors in particular often find themselves in a difficult dual position, as a large-scale ransomware attack usually affects both data that the processor processes on behalf of its customers (its customers' data) and data that it processes under its own responsibility (e.g. data of its own employees). It is important to consider carefully what mandatory information needs to be provided, and to whom.
It is therefore crucial to assess the incident quickly and in a structured manner in order to fulfil all legal obligations and avoid possible sanctions and claims for damages.
Can the attacked company be fined or face claims for damages after an attack?
Yes. The affected company can face fines and claims for damages after a ransomware attack. If the attack results in a breach of the protection of personal data and the company fails to comply with its obligations under the GDPR (e.g. reporting the incident, taking appropriate technical and organisational measures), the data protection authority may impose fines. Fines may also be imposed for the data protection and IT security deficiencies that led to the success of the attack.
In addition, data subjects may claim damages if they have suffered specific losses as a result of the data breach, such as identity theft, financial loss or damage to their reputation. In order to minimise these risks, it is essential to take preventative security measures and to act quickly and correctly in the event of an attack.
Customers may also be able to claim damages for the (temporary) unavailability of data and systems, for example where a certain level of system availability has been contractually guaranteed.
Recovering data after a ransomware attack
Recovering data after a ransomware attack is a critical step in getting a business back up and running. Here are the key steps to consider:
Verify backups
The most important step in recovering data is to use backups made before the attack. It is vital that these backups are up-to-date and undamaged. Only backups that have not been infected by the ransomware can be restored.
Recovering systems step by step
To ensure that the ransomware does not regain access to the system, the restored systems should be brought back online gradually and under strict supervision. This will allow you to identify any vulnerabilities and take immediate action if the threat reappears.
Check for residual malware
Before systems are fully restored to normal operation, a thorough check for any remaining malware must be carried out. This includes the use of anti-virus software and specialised ransomware detection tools. Network logs should also be analysed to ensure that no ransomware residue remains.
Restore critical data
Businesses should prioritise which data and systems need to be restored first in order to resume operations as quickly as possible. Critical data and applications should be recovered and tested first.
Verify the integrity of restored data
Once data has been recovered, it is important to verify its integrity and completeness. Ensure that no data has been corrupted and that all necessary files are present. Missing or corrupted data should be recovered from other backups if possible.
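The checks under "Review backup strategies", "Verify backups" and "Verify the integrity of restored data" all come down to the same question: does the restored tree match what the data looked like before the attack? The following script is an added example (not part of the original article) of one way to answer it: build a manifest of SHA-256 digests from a known-good copy, then compare a restored tree against that manifest and report files that are missing, modified or unexpected. The directory layout, file contents and manifest format are constructed for illustration.

```python
"""Verify a restored file tree against a pre-attack manifest.

Added example, not code from the original article. Builds a manifest of
SHA-256 digests from a known-good copy, then checks a restored tree for
missing, modified and unexpected files. Paths, file contents and the
manifest format are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.

    Returns a dict with three sorted lists:
      missing    - in the manifest but absent from the restore
      modified   - present but with a different digest
      unexpected - present in the restore but not in the manifest
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: one file truncated, one never restored, one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        restored = Path(tmp) / "restored"
        for root in (good, restored):
            (root / "finance").mkdir(parents=True)
            (root / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
            (root / "readme.txt").write_bytes(b"company handbook\n")
        (good / "finance" / "payroll.csv").write_bytes(b"id,salary\n1,5000\n")
        manifest = build_manifest(good)   # taken before the incident
        # Simulate a defective restore: ledger truncated, payroll never
        # restored, and a stray file (constructed placeholder) left behind.
        (restored / "finance" / "ledger.csv").write_bytes(b"id,amount\n")
        (restored / "RECOVERY_NOTE.txt").write_bytes(b"constructed placeholder\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as its storage: it should be produced when the backup is taken and kept where a compromise of the production network cannot alter it, otherwise an attacker who reaches the backups can adjust the digests to match tampered files. A non-empty `modified` or `missing` list is the cue to fall back to another backup generation, as the section above advises.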
Communicating with affected stakeholders
Once systems and data have been restored, communication should take place with relevant stakeholders such as customers, business partners and employees to inform them of the status of the recovery and the next steps.
Successful recovery from a ransomware attack depends on the preparation and quality of the security measures in place. Organisations should therefore take preventative measures to avoid downtime and data loss.
The most famous examples of ransomware
WannaCry
WannaCry is one of the best-known ransomware attacks, hitting thousands of businesses and institutions around the world in May 2017. The attack exploited a vulnerability in older versions of the Windows operating system and crippled critical infrastructure, including hospitals. The attackers demanded a ransom in bitcoin to release the encrypted data.
NotPetya
2017 saw the spread of NotPetya, a particularly aggressive form of ransomware that also exploited a vulnerability in Windows. NotPetya was initially thought to be ransomware, but was later revealed to be a wiper, as data could not be recovered even if payment was made. This attack had a massive impact on global businesses, causing billions of dollars in damage.
Conti
Conti ransomware first appeared in 2020 and has since become one of the most dangerous and widespread ransomware threats. Conti specifically targets large businesses and organisations, using targeted phishing attacks and network vulnerabilities to gain access. Most notably, Conti uses a double extortion model: the attackers not only encrypt the data, but also threaten to release the stolen data if the ransom is not paid. Several large companies and even government agencies have been hit by Conti.
Preventing ransomware
Prevention is the best way to fight ransomware attacks. At best, preventive measures stop attacks altogether; at least, they mitigate the severity of their impact. Processes can also be put in place and tested to ensure a rapid response in an emergency. These measures should be implemented as soon as possible and reviewed regularly. They include the following:
- Implementing robust firewalls and intrusion detection/prevention systems (IDS/IPS);
- Updating and patch management for operating systems and applications;
- Conducting regular security training and awareness sessions to sensitise employees to ransomware attacks;
- Using anti-virus and anti-malware software on all endpoints;
- Segregating and isolating different system and network areas;
- Maintaining meaningful logging;
- Conducting regular security audits and penetration tests to identify vulnerabilities.
Underestimated measure: secure contracts with partners and service providers
Another important - and often forgotten - aspect is the legal preparation for incidents. In particular, existing contracts with service providers should be reviewed to ensure that they contain sufficient technical and organisational measures and cooperation obligations to ensure that the necessary information and support can be obtained quickly from the service provider in the event of an attack.
Existing contracts with business partners should also be reviewed for possible liability risks and it should be ensured that, for example, the IT infrastructure and backup concept are designed in such a way that contractually guaranteed services can be provided within the permitted downtime even in the event of an attack. Contract templates for future contracts should be supplemented with appropriate clauses.
In addition, cyber insurance contracts should be reviewed to determine whether they cover ransomware attacks, what costs and expenses they cover, and what exclusions may exist.
How we can help you in the event of a ransomware or other cyber attack
- Review of legal and technical preparedness for cyber-attacks in the form of a ransomware readiness assessment.
- Design and implementation of tailor-made processes to ensure the ability to act in an emergency.
- Review and optimisation of existing contracts with service providers in relation to mandatory TOM and cooperation obligations.
- Review and optimisation of existing contracts with business partners to address liability risks.
- Addition of appropriate clauses to contract templates for future contracts.
- Review of existing cyber insurance contracts for coverage in the event of a ransomware attack.
- Communication with employees, regulators, customers, service providers, business partners and the press.
- Defence against third-party claims and regulatory proceedings.
- Enforcement of claims against third parties.
- Post-mortem analysis after an attack to assess its causes and development.
- Continuous improvement of security measures.
In cooperation with our sister company ISiCO GmbH, we can advise you not only on legal matters, but also on technical aspects of IT security and the prevention of cyber attacks.
Why Schürmann Rosenthal Dreyer is your partner for cyber attacks such as ransomware
Schürmann Rosenthal Dreyer has advised on numerous cyber-attacks and data protection incidents over the past 16 years. Our firm has not only experienced lawyers, but also technology experts who work together to make your digital projects legally compliant and future-proof.
Our expertise has been recognised many times: we have won the prestigious JUVE award for Law Firm of the Year in Data Protection and IT and are ranked among the top law firms of 2024 by The Legal 500.
Trust Schürmann Rosenthal Dreyer - the partner who will successfully represent you with a unique combination of legal excellence and technical understanding.
No-obligation initial consultation on cyber-attacks & ransomware
Arrange a no-obligation initial consultation with one of our specialist solicitors to discuss your situation and advice needs and, if necessary, act quickly!