ABA Panel: AI Empowers Cybercriminals in Ransomware Attacks

Science & Technology Law Section

The panel, moderated by Lisa R. Lifshitz and featuring Jason S.T. Kotler, Melissa Maalouf, and Bezawit Sumner, used a question-and-answer format to walk through cybercriminals' latest tactics, options for responding to ransomware attacks, and proactive steps companies can take to protect themselves.

Cybercriminal organizations have shifted to a more franchised or corporate structure rather than their former mafia structure, to appear more “reliable” to their clients. They are using AI to steal data more efficiently in numerous ways, even if they lack technical skills. AI assists cybercriminals with social engineering, phishing schemes, automated malware, ransom and negotiation scripts, and outreach. It enables them to extract data within an hour, while it can take over 200 days for affected individuals to notice. Threat actors seek the most sensitive, high-value information they can access, such as CEO messages, intellectual property, or customers’ financial and health data, to use as leverage over their victims.

Having an incident response plan in place before an attack is important; due to AI, it is reasonable to assume that data theft is inevitable. The first hours are the most critical, but a company should not rush when informing its customers or negotiating with threat actors; this is the time for a reasonable investigation. A company should follow its incident response plan, notify counsel, retain a forensic firm to perform containment, and then, lastly, have its breach counsel contact the ransomware negotiation firm so they can become the primary communicator with the threat actors. All these teams can be retained prior to a cyber-attack to be prepared. Companies should also be aware of the cybercriminals they negotiate with. It is important to never trust these criminals, but if the group has a relatively straightforward history and is not on the OFAC sanctions list, a company may be able to proceed with negotiations and pay them. If the cybercriminals are on the OFAC sanctions list, companies will be held strictly liable. If the cybercriminals have a complicated history of behavior, companies are advised not to pay.

Adopt a resiliency approach by accepting that an attack is inevitable and preparing accordingly. To prevent ransomware attacks, companies should have an incident response plan, a documented process understood by all named individuals, and provide a psychological safety net for the named individuals so they can handle the situation without panicking. The company should routinely check its technological systems by hiring an ethical hacker and ensure that users utilize multi-factor authentication to log in. Additionally, the company should follow proper data retention policies (e.g., removing access from former employees); it is also advisable to conduct tabletop exercises and involve the technological, legal, and communications staff to develop realistic scenarios for practicing data defense. It is recommended to practice these steps as often as possible.

Endnotes

Author

View Bio →

Author

Emily Joinville

Committees

This content was produced by:

• Law Student Engagement Committee

Related Content