FAQ: UNDERSTANDING RANSOMWARE ATTACKS (AND HOW TO RESPOND)

As dealers are a frequent target of cyberattacks, particularly ransomware attacks, the following are some frequently asked questions to help dealers understand these attacks and how best to respond.

1. What types of organizations do ransomware groups target?

It is a popular misconception that ransomware groups attack only large or high-profile targets, or businesses in specific industries. Unfortunately, any organization that has a computer connected to the internet is at risk regardless of its size, industry, or location. Given the vast amounts of personal information that dealerships have access to, they are a popular target for these attacks.

2. What is a ransomware attack?

During a ransomware attack, “threat actors” gain access to a device, conduct reconnaissance to identify sensitive information, and deploy malicious code to encrypt data or systems to render them unusable. They demand a ransom in exchange for the decryption key (to allow you to access your data) and/or to prevent them from leaking your stolen data on the internet.

3. How do threat actors gain access to an organization’s systems?

While there are many ways threat actors can gain access, frequently it is through a phishing email or by exploiting the organization’s Remote Desktop Protocol (RDP).

4. What should dealers do in the event of a ransomware attack?

The initial steps for responding to a ransomware attack can be remembered by the acronym CPR. The first critical step is Containing the incident — in other words, stopping the attack from spreading. The second and third steps run on parallel tracks. These involve Preserving evidence of the attack while Restoring the impacted systems and data so the organization can continue business operations. This evidence will be critical for determining what happened and whether the incident triggers a legal reporting obligation for the organization.

5. Is an organization immune to a ransomware attack if it has backup data?

Not necessarily. The backup needs to be segregated so that threat actors can’t wipe or encrypt the backup data. Even if the organization has viable backup data, it can take days or weeks to restore from backup, so the likelihood of business disruption is still high. Additionally, while a backup may help the organization get back up and running, the threat actor may still seek a ransom in order to prevent them from leaking any stolen data.

6. Do dealers need to conduct a forensic investigation of the incident?

Conducting a forensic investigation is generally necessary for determining what happened as well as whether personally identifiable information was impacted. If the organization has cyber coverage, insurance carriers typically require conducting a forensic investigation using an expert third-party forensic investigation firm under the direction of external counsel to protect the investigation under attorney-client privilege.

7. Is it illegal to pay a ransom?

No, as long as the ransom group is not on the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) list. The OFAC list consists of sanctioned individuals, entities,

19 NEW JERSEY auto retailer