Hot Topics
Security Bloggers Network 
SBN

Ransomware Incident Response: Data & Process Driven

Avatar photo by Bill Siegel on August 28, 2018

A recent disclosure by Health Management Concepts to the State Attorney General of New Hampshire provided a glimpse into the challenges of cyber extortion logistics and communications. The disclosure described a case wherein the forensic firm that was engaged to resolve the ransomware incident accidentally disclosed personally identifiable medical information.

Proof of decryption

During a ransomware remediation it is common for an attacker to demonstrate that decryption is possible. If proof is not offered, then it is standard to request proof of decryption. This is typically done by sending a small encrypted file to the attacker. The attacker then responds with a decrypted version. However, this small exchange can change the nature of the attack; now the attacker is in possession of company data.

As described in the letter, the forensic firm that was engaged to handle the ransomware incident sent an encrypted ‘proof’ file that contained patient data.  When the attacker decrypted it, they possessed the patients personal information. This oversight was obviously a mistake, but it materially exacerbated the severity of the breach.

The mistake demonstrates how many pitfalls exist during the ransomware recovery process. In addition to maintaining the victims industry specific data requirements, unforeseen penalties of accidental data disclosure or immutable cryptocurrency transactions can be severe. This case highlights how important it is for IT departments, IT service providers and other companies to partner with firms that have experienced and proven ransomware recovery plans.

Data driven ransomware recovery

That proven expertise is exactly what drove Coveware to take a data driven approach to ransomware recovery. In a constantly evolving landscape our data helps answer basic questions such as “How quickly will the hacker respond?” to more material questions like whether or not ransom payment will result in data decryption. We provide clients with insights driven by relevant data to ensure efficient and successful ransomware recovery.

Walk softly and carry big data!

PS: HealthITSecurity wrote a nice article on this quoting our write up.

Ransomware disclosure.jpg

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/datadriven-ransomware-incident-response

Bill Siegel
Avatar photo

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 72 posts and counting.See all posts by bill-siegel