Ransomware Recovery – Don't Make Matters Worse
A recent incident involving a chronic care management company spotlights how paying a ransom to recover decryption keys from ransomware attackers can put sensitive data at additional risk.
Jupiter, Florida-based Health Management Concepts – which is also known as HMC Healthworks – learned on July 16 that data on a server used to share files with its clients had been infected by ransomware, according to a notification letter it sent to the New Hampshire state attorney general.
“When HMC learned about the incident, it took immediate steps to decrypt the files, provision a new server, begin an investigation and, through counsel, engage a leading forensic firm,” the notification letter indicates. “HMC promptly obtained decryption keys from the attackers and decrypted the data without any impact on the services HMC provides.”
On July 19, however, “HMC discovered that the attackers were inadvertently provided a file that contained personal information of [some] members, including Social Security numbers of four New Hampshire residents.”
An organization that chooses to pay attackers to unlock data “should apply the decryption key itself with whatever instruction the criminals can provide – instead of sending a file to the ransomware perpetrators to decrypt as evidence the key works,” suggests Keith Fricke, partner and principal consultant at tw-Security.
“If possible, it is a good practice to have a third-party vendor pay for the decryption key on behalf of the [organization],” he adds. “First, it keeps the organization anonymous to the ransomware criminals. Second, it takes additional time to set up a digital currency account to pay the ransom if such an account is not already established. Some forensic vendors provide this service.”
To prepare for any type of cyberattack, Fricke says, “having an incident playbook is important. Playbooks help guide response teams and make decisions under duress. Such a playbook could reduce the likelihood of costly mistakes if followed. The lack of a playbook could potentially increase the opportunity for mistakes.
“The time to verify that backup jobs are executing without error is not during a ransomware incident. Periodically confirming backup jobs are completing successfully aids in relying on those backups if ransomware issues arise.”
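The periodic backup check Fricke describes can be automated. The script below is an added example, not code from the article or from tw-Security: it parses constructed backup-job log lines in a hypothetical key=value format, keeps the latest run of each job, and flags jobs that are missing, stale, failed, or whose post-backup restore verification checksum is absent or did not match. The log format, job names, timestamps and age thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value backup-job log format
# (not from any real backup product or from the incident described above).
SAMPLE_LOG = """\
2018-07-14T02:00:11 job=fileserver-nightly status=SUCCESS verify_sha256=ok
2018-07-15T02:00:09 job=fileserver-nightly status=SUCCESS verify_sha256=ok
2018-07-15T03:10:44 job=db-nightly status=FAILED error="destination unreachable"
2018-07-16T02:00:12 job=fileserver-nightly status=SUCCESS verify_sha256=MISMATCH
2018-07-13T01:30:00 job=mailstore-weekly status=SUCCESS verify_sha256=ok
"""
# Expected jobs and the maximum acceptable age of each job's latest run (assumed).
DEFAULT_EXPECTED = {"fileserver-nightly": timedelta(hours=36), "db-nightly": timedelta(hours=36),
                    "mailstore-weekly": timedelta(days=8), "archive-monthly": timedelta(days=35)}

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+)"
                     r"(?: verify_sha256=(?P<verify>\S+))?")

def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are skipped
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def audit_backups(records, expected, now):
    """Map each expected job to a problem: missing, stale, failed, or unverified restore."""
    latest = {}
    for r in records:  # keep only the most recent run of each job
        if r["job"] not in latest or r["ts"] > latest[r["job"]]["ts"]:
            latest[r["job"]] = r
    problems = {}
    for job, max_age in expected.items():
        r = latest.get(job)
        if r is None:
            problems[job] = "no run recorded"
        elif now - r["ts"] > max_age:
            problems[job] = "last run too old (%s)" % r["ts"].date()
        elif r["status"] != "SUCCESS":
            problems[job] = "last run failed"
        elif r["verify"] != "ok":  # None (absent) or MISMATCH both count as a problem
            problems[job] = "restore verification missing or mismatched"
    return problems

def run_audit(now=datetime(2018, 7, 16, 8, 0, 0)):
    return audit_backups(parse_log(SAMPLE_LOG), DEFAULT_EXPECTED, now)
```

Each entry returned by `run_audit()` is a job that should be alerted on before, not during, an incident; a job that is absent from the result passed every check.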