Antonia M. Apps and Adam Fee are partners and Matthew Laroche is special counsel at Milbank LLP. This post is based on their Milbank memorandum.
Ransomware is an escalating and evolving cybersecurity threat facing organizations around the world. In 2020, ransomware attacks increased seven-fold by year end, with over 17,000 devices detecting ransomware each day. As an added challenge, ransomware is more sophisticated than ever before with modern variants designed to inflict immense damage and perpetrators demanding higher payouts. In the past few months alone, ransomware has caused catastrophic disruptions to the business activities of, among others, Colonial Pipeline, food processing giant JBS USA Holdings Inc., and Ireland’s national health care system. Successful attacks cost businesses millions of dollars, including disruption to business, personnel cost, device cost, network cost, lost opportunity, reputational harm, and a potential payment of a ransom. Cybercriminals are demanding and making more and more money, with the average ransomware payout per event growing from approximately $115,000 in 2018 to more than $300,000 in 2020; and the highest ransom paid more than doubling from $5 million between 2015 and 2019 to $11 million in 2021. Governments, law enforcement, and regulatory bodies have taken notice, with companies facing pressure to effectively prepare for and respond to ransomware attacks.
Given the current threat environment, it is critical that companies seeking to manage their cybersecurity risks have some understanding of how ransomware has evolved to become one of the most damaging cybersecurity threats today. Companies are facing increased legal, regulatory, and political scrutiny in the wake of these attacks, which in turn requires companies to have appropriate management structures and controls in place, with board oversight, in order to anticipate and address the significant harms that can be caused from a ransomware attack. Below we examine the key features of modern ransomware that companies should be considering, including how ransomware actors are now targeting specific companies, threatening to post their victims’ most sensitive data online, and collaborating with other cybercriminals to increase the sophistication of attacks. After exploring modern ransomware, we then recommend guidelines for companies responding in the immediate aftermath of an attack so that companies are best positioned to contain the incident, resume normal business operations, and appropriately assess legal and regulatory risks.
READ MORE »