Free government decryption keys save ransomware victims millions

Government authorities in the US have saved “millions of dollars” for private companies hit by ransomware attacks by sharing decryption keys for free.

John Mullen - partner at law firm Mullen Coughlin, which specialises in handling security breaches - told last week’s Consumer Electronics Show (CES) that the government had helped out on cases his firm handled.

“There has been a few cases where the federal government has come in,” Mullen said during a panel discussion.

“We talk to them all the time on these cases - sometimes they can help, sometimes they can’t, there’s no promises.

“But there have been cases where they’ve come in and saved millions of dollars, not to mention speed and business interruption, because they’ve had the decryption keys available and shared them for free with us and our clients.”

Mullen did not mention the nature of the infections where the US government had offered assistance, however such assistance is not unheard of.

In Europe, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee jointly run ‘No More Ransom’, which freely offers decryption tools and ‘how to’ guides to victims of dozens of types of ransomware.

Mullen said that ransomware attacks generally had a greater impact than in the past, and the time provided by the attackers to pay the ransom was getting shorter.

“The speed at which you need to respond, especially in a ransomware case, is fantastic,” he said.

“We see a lot of ransomware cases and they have a lot of impact beyond what you might think. Five years ago, we were worried about personal information being compromised and [whether or not] someone has to [send out] a notice.

“Now you’ve got ransomware coming in and freezing manufacturing lines and stopping the ability of companies putting out their product. We’ve had those cases. They always come in on a Friday night, on Christmas eve or Thanksgiving.

“Being told it’s frozen and you need to spend $5 million in the next two hours if you want to start the process of recovering, by the time you needed to be up and running again, that’s difficult.”

On the same page

Mullen said the speed at which action was required meant a lot of stuff had to be “figured out ahead of time”.

In his world, that meant having cyber insurers ready to confirm an attack (and its recovery expenses such as forensics) would be covered by a policy and therefore the resources could be called in immediately.

It also meant having everyone on the same page with attorney-client privilege, he said, to ensure any early panic did not come back to bite the attack victim.

Caroline Krass, general counsel and senior vice president for insurer AIG (and a former legal chief of the CIA), highlighted the fining of Yahoo! as a good reason to establish privilege as soon as an attack was uncovered.

Though she did not name Yahoo! directly, she discussed a settlement between the US Securities and Exchange Commission (SEC) “and a company where it was revealed in 2014 the IT folks learned of a breach and they were creating documents describing the breach as affecting the ‘crown jewels’ of the company” - mirroring the timing and language of the SEC’s Yahoo! case.

“It appears to me from just reading the press release from the SEC that those conversations were not privileged otherwise I’m not sure how they ended up with the SEC,” Krass said.

“That’s exactly what, as a lawyer, you don’t want. You don’t want something to be not privileged describing the material at hand as the ‘crown jewels’ [when] there were not processes put in place there to figure out your disclosure obligations.

“What’s your public disclosure? How quickly are you disclosing? What are you saying before a breach happens that might be misleading or perceived to be misleading later?

“That’s become a real focus.”

On a similar note, Mullen warned against executives and others being too quick to want to inform users of a suspected attack or breach.

“We’ve had cases where we get on the phone and within half an hour the person is saying they’re ready to send out 400,000 notices, and we’re saying ‘let’s pull those reins back a bit’,” he said.

“In that case, they had already signed up $500,000 for some [recovery] services, and after we rolled in forensics, they did have to do notices but they did it for 11 people, not 400,000 people.

“[So when you’re called in] you take control of the situation and you have to fight that urge that people have [to immediately say] we did it, we’re going to be transparent.

“Well, dial it back a little bit. Let’s see what [your] legal duties really are.”

The rush to disclosure before damage could be properly assessed was highlighted in last year’s PageUp People incident.

The head of the Australian Cyber Security Centre Alastair MacGibbon later characterised the attack as “someone breaking into the house, but not necessarily leaving with what they broke in to steal”.

He argued the reaction of customers to suspend use of the software for months was driven by a lack of information available when the incident was first disclosed.

The insured

The discussion at CES was rooted in specific cyber insurance policies, but for companies without them (and who are perhaps relying on the coverage of more traditional policies), a must-watch case in the US is emerging.

Food manufacturer Mondelez, the owner of brands like Cadbury and Oreo, is presently suing Zurich American Insurance Company over the aftermath of 2017’s destructive NotPetya malware outbreak.

The existence of the case received attention in the back half of last week following an opinion published by Bloomberg.

However, US law firm Skadden first published substantial details of the Mondelez case in November last year.

Citing the text of Mondelez’s court complaint, it was noted that NotPetya “initially infected two of Mondelez’s servers before spreading to other servers, stealing the credentials of numerous users and ultimately rendering approximately 1700 of Mondelez’s servers and 24,000 of its laptops ‘permanently dysfunctional’.”

Skadden reported that Mondelez was claiming losses in excess of US$100 million under a property insurance policy it held with Zurich. The policy allegedly had clauses around “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.”

Skadden raised the case as a test for how cybercrime and other cyber-related losses were treated under “traditional coverage lines, such as property insurance”.

“This case also serves as an important reminder to insurers and insureds alike that it is vital to have a clear understanding of the scope of such coverage in their policies, including which exclusions may be implicated, taking into account that cyber-related losses, such as those suffered by many companies as a result of NotPetya, can stem from government-backed actions,” Skadden said.

Bloomberg also opined that the case highlighted the dangers of rushing to attribute the source of cyber attacks to particular nation states, since that could then provide the impression of a cyber war being underway and the basis to invoke certain clauses in insurance and other contracts.

While incident response and recovery was still challenging even for companies that held specific cyber insurance, Mullen noted that a small number of companies that contacted his firm did not have this level of cover.

“You think it’s hard with coverage,” he said. “Try it without.”