Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Dallas Baptist University Reimagine Technology Conference course in Dallas, Texas on November 18, 2020.
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifecycle of a Ransomware Attack and Recovery
1. Spencer Fane LLP | spencerfane.com 1
Reimagine Your Company Operating Again After a Ransomware Attack
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
Common business objections
1. We have an “IT Guy”
2. We have an “IT Company”
3. We are “compliant”
4. We have cyber insurance
5. We are not a large company (or, “tech” company)
6. Our data is not that valuable
Company Size Distribution
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
Takeaway: Cybersecurity is no longer just an IT issue – it is an overall business risk issue – indeed, the ONE RISK...
Ransomware Lifecycle
• Initial Discovery
• Basic Intel + Activate IR Plan & Team
• Triage Security + Backups
• Security Experts
• Data Recovery + Restoration
• Forensic Examination
• Incident or Breach?
• After Action Review
• Most Common Causes
Ransomware Timeline
Hour 1
• Initial Discovery
• Basic Intel
• Activate IR Plan & IR Team
• Triage Security + Backups
• Do Not Wipe Drives
• Do Not Communicate with TA
< 12 Hours
• Notify Insurance Carrier
• Engage Security Experts
• Engage Data Recovery Experts
• Report to Law Enforcement
• Notify Key Business Partners
• Begin Data Recovery + Restoration
• Confirm Not Obvious “Breach”
12 – 72+ Hours
• Implement Interim Security
• Negotiate with Threat Actor
• OFAC Clearance
• Carrier Approval for Payment
• Begin Forensics
• Plan for PR and Potential Notification
+8 Hours
• Confirm Proof of Life
• Payment Transaction
• Obtain Decryptor
• Test Decryptor
+12 – 72+ Hours
• Begin Data Decryption Process
• Follow-up with TA if Problems
• Obtain Interim Signals from Forensics
< 2 – 4+ Weeks
• Restoration of Operations
• After Action Review
• Implement Additional Security
• Complete Forensics & Obtain Report
• Determine Incident or Breach
• Notifications & Reporting if Breach
1 – 48 + Months
• Individual Notification Escalations
• Business Partner Escalations
• Regulatory Investigations
• Litigation
Most Common Causes
Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
Most Common Causes & Solutions
RDP Access
• This is random – scanning web for Internet facing RDP access
• Virtual Private Network (VPN) with Multifactor Authentication (MFA)
Phishing
• Email phishing tool
• Workforce training and simulated phishing
Unpatched / Outdated Software
• Install patches timely
• No unsupported software
Passwords
• Multifactor Authentication (MFA)
• Longer passphrases
Backups, Backups, Backups!
• 3-2-1 Backup Process
• Something comparable – you may end up with only your offline backup
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)