Ransomware Incident Response: Data & Process Driven

A recent disclosure by Health Management Concepts to the State Attorney General of New Hampshire provided a glimpse into the challenges of cyber extortion logistics and communications. The disclosure described a case wherein the forensic firm that was engaged to resolve the ransomware incident accidentally disclosed personally identifiable medical information.

Proof of decryption

During a ransomware remediation it is common for an attacker to demonstrate that decryption is possible. If proof is not offered, then it is standard to request proof of decryption. This is typically done by sending a small encrypted file to the attacker, who responds with a decrypted version. However, this small exchange can change the nature of the attack: if the chosen file contains sensitive content, the attacker is now in possession of company data.

As described in the letter, the forensic firm that was engaged to handle the ransomware incident sent an encrypted ‘proof’ file that contained patient data. When the attacker decrypted it, they possessed the patients' personal information. This oversight was obviously a mistake, but it materially exacerbated the severity of the breach.
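A screening step a responder can run before any proof file leaves the network, written here as an added example (it is not Coveware's tooling and is not described in the disclosure). Because the files are already encrypted, the only signals available are metadata: the directory path, the original extension and the size. The screen therefore rejects anything under a directory name that suggests regulated or confidential data, accepts only an allowlist of content types unlikely to carry personal data (images and fonts), caps the size, and records a reason for every rejection so the decision is auditable. The `.locked` suffix, the directory patterns, the size limit and the file listing are all constructed assumptions for this example.

```python
"""Screen candidate proof-of-decryption files by metadata before sending them.

Added example, not Coveware's code. All directory patterns, the size limit,
the ".locked" suffix and the sample listing are constructed assumptions.
"""
import fnmatch
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Upper bound for a proof file (assumed value, not a standard).
MAX_PROOF_BYTES = 2 * 1024 * 1024

# Directory names that suggest regulated or confidential data. Matched per
# path component so "hr" does not fire on "chrome" (constructed list).
SENSITIVE_COMPONENTS = (
    "patient*", "clinical", "medical*", "phi", "pii", "hr", "payroll", "finance",
    "legal", "users", "home", "backup*", "db", "database*", "exports",
)

# Allowlist, not denylist: documents, spreadsheets, CSVs and databases are
# never acceptable as proof files, whatever directory they sit in.
LOW_RISK_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp", ".ttf", ".woff"}


@dataclass(frozen=True)
class CandidateFile:
    path: str  # path of the encrypted file, ransomware suffix included
    size: int  # size of the encrypted file in bytes


def _components(path: str) -> List[str]:
    """Split a Windows or POSIX path into lower-cased components."""
    return [c.lower() for c in re.split(r"[\\/]+", path) if c]


def original_name(path: str, ransom_suffix: str) -> str:
    """Strip the ransomware suffix; return '' if the file does not carry it."""
    if not path.lower().endswith(ransom_suffix.lower()):
        return ""
    return path[: -len(ransom_suffix)]


def screen_candidate(candidate: CandidateFile, ransom_suffix: str) -> Tuple[bool, str]:
    """Decide whether a file is safe to send as proof. Returns (ok, reason)."""
    name = original_name(candidate.path, ransom_suffix)
    if not name:
        return False, "not an encrypted file (missing ransomware suffix)"
    if candidate.size > MAX_PROOF_BYTES:
        return False, f"too large ({candidate.size} bytes)"
    # Directory names are the only content signal for an encrypted file.
    for comp in _components(name)[:-1]:
        for pattern in SENSITIVE_COMPONENTS:
            if fnmatch.fnmatch(comp, pattern):
                return False, f"sensitive path component '{comp}'"
    ext = os.path.splitext(_components(name)[-1])[1]
    if ext not in LOW_RISK_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not on the low-risk allowlist"
    return True, "ok"


def pick_proof_files(candidates: List[CandidateFile], ransom_suffix: str, limit: int = 3):
    """Return (accepted paths, smallest first) and (rejected path, reason) pairs."""
    accepted, rejected = [], []
    for c in candidates:
        ok, reason = screen_candidate(c, ransom_suffix)
        (accepted if ok else rejected).append((c, reason))
    accepted.sort(key=lambda pair: pair[0].size)
    return [c.path for c, _ in accepted[:limit]], [(c.path, r) for c, r in rejected]


# Constructed file listing; ".locked" is an assumed ransomware suffix.
SAMPLE_LISTING = [
    CandidateFile(r"D:\Clinical\Patients\smith_john_chart.pdf.locked", 48_210),
    CandidateFile(r"C:\Program Files\Vendor\assets\logo.png.locked", 12_004),
    CandidateFile(r"C:\Program Files\Vendor\assets\splash.jpg.locked", 3_400_000),
    CandidateFile(r"C:\Users\jdoe\Pictures\vacation.jpg.locked", 2_100),
    CandidateFile(r"E:\Exports\billing_2019.csv.locked", 900),
    CandidateFile(r"C:\Windows\Fonts\arial.ttf.locked", 1_036_584),
    CandidateFile(r"C:\inetpub\wwwroot\favicon.ico", 4_286),  # not encrypted at all
]

if __name__ == "__main__":
    chosen, rejected = pick_proof_files(SAMPLE_LISTING, ".locked")
    print("safe to send:", chosen)
    for path, reason in rejected:
        print("rejected:", path, "->", reason)
```

Note the two edge cases the listing exercises: `vacation.jpg` has a low-risk extension but lives under a user profile, so the path rule rejects it, and `billing_2019.csv` is tiny but is a spreadsheet under an export directory, so both rules reject it. Only the vendor logo and a system font survive, which is the kind of file a responder should be choosing in the first place.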

The mistake demonstrates how many pitfalls exist during the ransomware recovery process. Beyond complying with the victim's industry-specific data-handling requirements, the unforeseen consequences of an accidental data disclosure or of an irreversible cryptocurrency payment can be severe. This case highlights how important it is for IT departments, IT service providers and other companies to partner with firms that have experienced and proven ransomware recovery plans.

Data driven ransomware recovery

That proven expertise is exactly what drove Coveware to take a data driven approach to ransomware recovery. In a constantly evolving landscape, our data helps answer questions ranging from basic ones such as “How quickly will the hacker respond?” to more material ones such as whether or not a ransom payment will result in data decryption. We provide clients with insights driven by relevant data to ensure efficient and successful ransomware recovery.

Walk softly and carry big data!

PS: HealthITSecurity wrote a nice article on this quoting our write up.

[Image: Ransomware disclosure]