Throughout 2020, ransomware has increased rapidly in both the number of incidents and the ransom amounts paid, and current data shows no foreseeable slowdown. As these ransom demands continue to surge, what do lawyers need to know if they fall victim to an attack? Digital Detectives Sharon Nelson and John Simek talk with Ted Kobus about how threat actors in these incidents typically operate, what usually happens to ransomed data, and what law firms should do and not do in the event of an attack.
Ted Kobus is a partner and the firmwide chair of BakerHostetler’s Digital Assets and Data Management Group.
Special thanks to our sponsor PInow.
Ransomware Surges, What Law Firms Need to Know
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you can use in your law practice. Right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 121st edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today, on Digital Detectives, our topic is Ransomware Surges, What Law Firms Need to Know.
Sharon D. Nelson: Before we get started, I’d like to thank our sponsor. Thanks to our sponsor, pinow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Today, we’re lucky to have our guest, Ted Kobus, a partner and the firmwide chair of BakerHostetler’s Digital Assets and Data Management Group. He has led the defense of hundreds of regulator investigations, including those brought by attorneys general, multi-state investigations, the Department of Health and Human Services Office for Civil Rights, Departments of Insurance, the SEC and the FTC. In the healthcare space, Ted has defended more than 200 OCR investigations and has negotiated more privacy and security-related resolution agreements than any other lawyer. It’s great to have you with us today, Ted.
Ted Kobus: Thanks for having me today. It’s great to be with you both.
Sharon D. Nelson: Well Ted, according to your firm’s annual report issued in April 2020 by your Digital Assets and Data Management Group, ransomware has surged in both the number of incidents and the amount of the ransom paid, and there is no foreseeable slowdown. What percentage of the 1,000 incidents included in the current report involved ransomware, and has that percentage increased from the 2019 report?
Ted Kobus: So approximately 25% of the incidents we worked on in 2019 involved ransomware. We love to talk about how 2020 is the year that you fill in the blank. But in reality, 2020 really is the year of ransomware and it’s when it really blew up. We are still crunching the numbers, but my guess is approximately 35% to 40% of our matters involve ransomware this year. On top of that, we are likely to work on 1,700 incidents this year, which is a 70% increase over last year. That’s a lot of ransomware. Late last year, we joked on our team about ransomware Thursday because a lot of ransomware matters would come in on Thursdays. Now, we’re seeing one to five new matters every day of the week.
John W. Simek: That’s phenomenal.
Sharon D. Nelson: It is phenomenal but it is consistent with — we’re a much smaller firm obviously, but we can’t believe how it’s blown up either.
John W. Simek: Well Ted, what we’ve also noticed though is that there’s been a huge increase in the amount of the ransom that the cybercriminals are demanding. Can you tell us a little bit about the increases from 2018 to 2019? And what you’re expecting to see for this year?
Ted Kobus: Yeah, the demands are getting out of control. The overwhelming majority of ransoms are paid in Bitcoin. So, all of the statistics that I’m going to provide today are in the U.S. dollar equivalent at the time the event happened. As you are likely aware, we see great fluctuations in the Bitcoin exchange rate, and that’s sort of why we don’t talk in terms of Bitcoins and we talk in terms of U.S. dollars. So, in 2018, the average ransom paid was a little under $30,000.00 and the highest demand that year was probably around $1 million. I believe in 2018, the largest ransom that we actually paid was approximately $250,000.00. Now in 2019, that’s when we saw the highest demand skyrocket to $18 million and the highest amount paid to $5.6 million. When we look at the average paid, it probably was around $300,000.00 that year. 2020 was a game-changer, and if you found the increases in 2019 to be startling, you might want to sit down for the 2020 stats.
Keep in mind, the year is not over, we still have another month.
Sharon D. Nelson: Oh please. No.
John W. Simek: Sit down or lay down?
Sharon D. Nelson: They want to lay down.
Ted Kobus: This year, our highest demand was $68 million, the highest paid was a bit over $15 million and I don’t have the average paid yet for this year, but we are paying multimillion-dollar ransoms every week.
Sharon D. Nelson: Yeah, this really has become a scourge and as we all well know, ransomware victims are now often hit with two ransoms rather than one and while we could both explain it, I’m sure you’re going to do it better. So, would you explain why that is because people still are not aware when we go out and lecture which is what we do a lot. They don’t know about these two ransoms, so take it from the top.
Ted Kobus: Yeah, and it’s not the BOGO or the buy one, get one — that we still look forward to. It’s actually a single ransom but it has two components, and this really was the game changer. I’d say we’ve talked about so many statistics that changed the game. This really is one of the statistics that changed the game. The threat actors figured out rather quickly that many companies can restore from backups, and if you can restore from backups, then you likely do not need to purchase the decryption key to unlock your data. So, what we’re seeing is more and more groups stealing information and then threatening to post it if you refuse to pay an extortion fee. So that’s sort of the two-for-one component that we’re seeing in ransomware these days.
John W. Simek: Well, Sharon and I have some personal experiences with these things, Ted, but I have to ask this question. How much do you think you can trust that if you pay the ransom, you’re actually going to get a valid decryption key? And whether or not the criminals will in fact destroy and not divulge any confidential data that they may have exfiltrated?
Ted Kobus: I tell clients there are good criminals and there are bad criminals. And the good criminals are the ones that you can trust more than the bad criminals. So, as for the decryption key, remember, these criminals are in a business and their business is to make money. So, if they don’t follow through on their promise to provide the decryption key, they will get a bad reputation and it will hurt their ability to extort money from the next business.
John W. Simek: They only get a four-star rating then.
Ted Kobus: That’s exactly what we do; we track the default rate so that we’re able to tell the client, “Yeah, you know what? When you’re dealing with this criminal, the default rate is low and it is very unlikely that they’re not going to follow through and provide the decryption key.” So, we really do find threat actors want to keep their reputation of keeping their word. We have seen some defaults, but the majority of those instances where the threat actor defaults is where they screwed up. They accidentally did something they didn’t intend to do and they’re not able to follow through.
And they are extremely apologetic when that occurs. It doesn’t give the client any comfort, but it does really show that their intent is to follow through so that they can extort the next business who is victim to their crime. When it comes to the deletion of the information, a similar philosophy applies. They often provide evidence of deletion, and we have not seen subsequent posting of information after payment. In this one case, we had a large amount of data that was stolen, and it took the threat actor over a week to actually delete the information. They would send us a status of where the deletion was in progress and how much more they had to go.
So, we actually saw the process. Now, did they have a second copy of it? I don’t know, but they do take steps to show and try to give you comfort that they are no longer in possession of that information. One thing that I think we do need to watch is the rate of re-extortion. That is where the threat actor comes back after you pay and makes a renewed demand. Now, we didn’t see this frequently historically. We’ve seen it a few times over the past two years, including very recently, but it’s still a limited occurrence. And there are a few signs to look out for: quick drops in the ultimate demand, and low amounts demanded compared to what the threat actor may have demanded in other matters.
So, it’s good to watch this carefully so that you have an idea of whether or not this may occur.
Sharon D. Nelson: I have a bit of a follow-up there, Ted. You were talking about knowing the criminals and who they are and whether they had a record of paying up. One of the things that struck us very recently, when we were working a case, is that Homeland Security came out on a Sunday, no less. And they were talking to us and they were saying that even they can only source about 10% of where the attacks are coming from, and of course these people tend not to tell you who they are. So, is it different for you in your experience? I mean, 10% seemed very small to me.
Ted Kobus: Right, and you know this. Attribution has always been a challenge in the cyberworld, and ransomware is not any different. We will know who the attack group is because they use a name associated with the type of malware. So, in the ransom note, we usually see the name of the threat actor and we’ll know who it is. But beyond that, we really don’t know who they’re connected to or where they’re out of. Sometimes you may be able to guess regions of the world based on the language and expressions used in the negotiations. But other than that, we find it extremely difficult to ever really tie it back to a specific individual, group or government.
Sharon D. Nelson: Let’s move on to something that we’ve been really interested in this year. And that is, that cyber insurance companies do seem to be more and more of a game-changer in that they seem increasingly anxious to pay the ransom. They seem to feel like it will cost them 10 times more if they don’t pay the ransom and they’d rather get the ransom paid and get the data back, is that also your experience? And why are some of them advocating the payment of the ransom, just for money?
Ted Kobus: Well, my experience is that most of the leading cyber carriers are not heavily weighing in on whether the ransom should or should not be paid. I think what they are doing is making sure that companies are considering whether or not it may be the less expensive option. A lot of these cyber policies include business interruption insurance and may cover reputational losses, and if it takes longer to restore from backups than to pay the ransom, I think they want you to consider actually paying the ransom to get the decryption key to sort of offset those losses.
When it comes to the extortion component, we really see them deferring to companies and really having an understanding of whether the data is important from a confidentiality standpoint, and if it gets exposed, how sensitive that information is. And will paying the threat actor not to post the information actually help mitigate against any damages in a class action lawsuit, or potentially help in a situation where you’re participating in a regulatory investigation?
Sharon D. Nelson: Thank you, that’s very useful as a perspective. I do think the involvement of cyber insurance has at least increased it and how often they are involved somehow in the decision-making process.
Ted Kobus: Yes agreed.
John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.
Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.PInow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Ransomware Surges, What Law Firms Need to Know. Our guest is Ted Kobus, a partner and firm-wide chair of BakerHostetler Digital Assets and Data Management Group.
John W. Simek: Well Ted, recently the Office of Foreign Assets Control issued an advisory regarding ransom payments and the risk of sanctions violations associated with such payments. But while the U.S. Government doesn’t recommend paying a ransom, and we’ve heard that multiple times from the FBI as an example, there is no general ban on that. So, can you tell us a little bit about the advisory and what it means for a business, for an entity that’s been struck by ransomware?
Ted Kobus: Right, so that is probably the number one question, “Am I allowed to pay the ransom? Is it illegal to do that?”
And there have been a lot of questions swirling around the appropriateness of paying ransom and I think the recent OFAC Advisory reiterated a lot of what we already knew. One, we know the U.S. Government disfavors paying ransom as a public policy position. But the reality is the U.S. Government also knows that sometimes you have no other option. We’ve also known that the FBI struggles in these investigations because there is not enough reporting when these incidents occur. The OFAC advisory makes it clear that the U.S. Government wants to see more outreach by companies to the FBI when they are hit by ransomware.
So, we regularly reach out to the FBI, and I actually find it very surprising that there are still lawyers out there frightening their clients and encouraging them not to reach out. The advisory is going to change that, in my opinion, and I think the advisory makes it clear that you need to conduct the appropriate due diligence during the sanctions compliance check to confirm there is no nexus to a sanctioned individual, entity or government. I think people have been doing that all along. But they just really reiterated the fact that this is a critical component of the process. And I think importantly and finally, OFAC has not invited companies to ask for permission to make a payment in every matter. It is only in those very, very, very limited situations where there is a known nexus with a sanctioned individual, entity or government that an application for a license would be appropriate. However, OFAC has made it clear that there will be a presumption of denial on any application, simply from a public policy standpoint.
Sharon D. Nelson: I know that this policy has been around for a while, but people didn’t know about it. I mean, that’s just a fact, and so for some reason, recently when they issued this, it got all around and all of these folks from smaller law firms started calling us and saying, “Well, how much is the penalty?” and of course you tell them 20 million and they faint. At least up to 20 million. Of course, you also tell them that there are ameliorating factors, if they had no reason to know that they were dealing with a sanctioned group, et cetera. But it is very difficult to comply with the advisory if you can’t know who you’re dealing with, right?
Ted Kobus: Right, many people get nervous about the fact that we cannot attach a malware — a ransomware variant — to a specific threat actor, government, entity or individual. And that has always been a challenge in the cyberworld. That is not what the advisory tells us to do; the advisory reiterates the importance of going through your due diligence and sanctions compliance check to make sure that there is no known nexus to a sanctioned individual, group or government. And that’s really what you’re required to do, so it’s important that when you go through this process, you’re working with experienced incident response partners, including your lawyers, forensics companies and payment facilitators. And all of those partners should be involved in regular threat information sharing with the FBI. Through that type of collaboration and partnership, companies are able to get comfort that the payment is not prohibited by law.
Sharon D. Nelson: That’s the best answer I’ve ever heard to the question, very good.
Ted Kobus: Thank you.
Sharon D. Nelson: Don’t worry, Ted’s going to send you a bill. Ted, we know you have a bulleted list of important points that the advisory does not address. Can you talk to us a little bit about those?
Ted Kobus: Yeah. So even though there is a belief that the Advisory was prompted by speculative and rumored connection of a new ransomware variant to a sanctioned organization, the Advisory did not list any new ransomware variants, I think that was intentional. Just recently, a new ransomware variant was added and again, it was not the variant involved in these speculative discussions. The advisory also did not expand the connection to known and sanctioned groups to other variants of ransomware. And OFAC had an opportunity to do that. And then finally, the advisory certainly did not include an invitation to ask OFAC for approval every time you’re going to make a payment. In fact, I think that’s exactly what they told us not to do.
Sharon D. Nelson: Well, it’s interesting that what people ask us all the time is, you know, “What’s the real skinny?” What do you recommend that companies do and not do if they’re hit by ransomware? And you’d probably be a very good person to answer precisely that question.
Ted Kobus: Well, I certainly have an opinion, that’s for sure. I would say don’t panic and don’t start reading blogs on what you can or can’t do.
Work with experienced vendors. Work with vendors who have dealt with your malware variant. Your counsel should be aware of which FBI field office has been assigned to investigate your malware variant, and you should work with your counsel at some point to report the incident to the FBI. Determine the timeline for restoring from backups compared to paying for the key, and engage with the threat actor to determine what they have and what they may want, but don’t start that until you get the right vendors on board. Get your executives on board with the notion that payment may be required ultimately, and even if you don’t end up paying, you will likely have to engage in communications with the threat actor. And then, when and if you do make a payment, make sure you have the assurances from your vendors that payment is appropriate.
Sharon D. Nelson: So as a follow-up question, what we’re often asked is — you’re assuming, and you said this, that you’re going to talk at some point to a data breach lawyer. You’re going to talk to digital forensics, you’re going to talk to the FBI. They want us very specifically to say who do you call first, second and third?
Ted Kobus: Well, I’m a lawyer so I would say — your lawyer first.
Sharon D. Nelson: I guess I could have predicted that one.
Ted Kobus: That was a giveaway. I do think, well, if you have cyber insurance, you should be calling your broker or your cyber carrier immediately. I think that engaging counsel and forensics is your next step. And once you have them engaged, you can conduct a privileged investigation and you can determine the strategy that’s best suited for that specific threat actor.
Sharon D. Nelson: Okay, how about digital forensics and the FBI? Who do you bring in first?
Ted Kobus: I’d definitely bring in digital forensics first. I make sure that I have answers to several questions before I go to the FBI. Even though we go to the FBI on a regular basis and we do find them helpful in many situations, I like to be prepared with more facts and more information before making an outreach. I also like to keep control of our investigation and make sure that we’re coordinated with the client and coordinated with forensics before making that outreach to the FBI.
John W. Simek: But Ted, you already alluded to this, about how 2020 has been one heck of a year. How about working from home and its impact on the ransomware problem?
Ted Kobus: When we take a look at 2020, what we have seen is we’re on email a lot more than we ever were. And because of that, we see increased phishing attacks, which is the way a lot of these ransomware attacks start. Also, what we saw is that once we started going back to work and the lockdowns were lifted, we started discovering a lot of incidents that may have been unnoticed because we weren’t in the office and connected to the network. So, I’m not sure that the increase in ransomware can be attributed to COVID. In fact, in the beginning of COVID we actually had some threat actors saying, “Oh, we’re not going to attack hospitals because they’re being taxed by the pandemic and that’s not the right thing to do.” That was short-lived and they started going back at hospitals.
But I do think that there was a period of time where we really weren’t seeing what was going on in our network and then once we started going back to work, we were able to uncover a lot of that.
John W. Simek: That’s interesting you say that because — then I guess that there was a bogus alert that the government gave warning healthcare?
Ted Kobus: Right, well. Look, I’m not [inaudible 00:24:05]. I will tell you that we were prepared that weekend and we will still be prepared if that ever comes. I think that what the FBI did in sharing that was very good for businesses and the public. Because if something did happen that weekend and information wasn’t shared, there would have been a lot of angry people. And you saw health care organizations working together over those days to figure out how to quickly shut down an attack, engaging in threat information sharing, probably beyond what they normally do. And I thought that it was extremely helpful.
Sharon D. Nelson: Well, we certainly want to thank you, Ted, for being with us today as our guest. That has been just fascinating stuff. I know for a lot of the listeners this is brand new, or at least much of it is. And on my own behalf, I want to thank you for answering the “Who are you going to call” question.
And I want to thank you for the upcoming PowerPoint slide, which says: one, cyber insurance carrier; two, cyber data breach lawyer; three, digital forensics; and four, the FBI. So, thank you for creating that slide for me. It really has been a fun and very informative podcast, and we’re very happy that you could be with us. Thank you.
Ted Kobus: Thank you for having me, it has been a lot of fun, I appreciate the time.
John W. Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: You can find out more about Sensei’s Digital Forensics Technology and Cybersecurity Services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.