Ransomware victims: you are potentially responsible, so check your contracts and most of all, do not pay!

Ransomware victims: you are potentially responsible, so check your contracts and most of all, do not pay!

During this october 2020 cybermonth, we propose you to shed a light on ransomware attacks against companies.

  Growing in frequency and sophistication (we now talk about "Big Game Hunting" adapted to the financial means of the victims), these attacks are the subject of particular attention from the ANSSI, which recently published a guide to assist victims in dealing with them: "Ransomware attacks, all concerned - How to anticipate them and how to react in the event of an incident? ».   On October 14, 2020, when the 20th Assises de la Cybersécurité was opened, Guillaume Poupard, director of the ANSSI (Agence nationale de la sécurité des systèmes d'information - National Cybersecurity Agency of France), made a statement that could not be clearer, speaking of the cyber risk: "I do not want to turn victims into the guilty, but decision-makers who underestimate become more and more blameworthy. Today, nobody can say "I didn't know" anymore. At the same time, he showed his enthusiasm as he pointed out the progress that has been made: "Practice. Don't be superstitious. Just because you think the worst doesn't mean the worst will happen! »[1] .  

What is ransomware?

  A ransomware is a malicious program designed to obtain ransom payments from the victim. During a ransomware attack, the attacker sets the victim's computer or information system in a reversible state of inoperability. Most of the time, a ransomware encrypts data using cryptographic mechanisms, making it impossible to view or use the data. The attacker then sends an unencrypted message to the victim in which he offers to provide him with the means to decrypt his data, against payment of a ransom [2]. The motivation is therefore the lure of gain.  

Massive development of ransomware attacks

While being a known phenomenon, ransomware attacks are currently experiencing a significant increase: ANSSI has dealt with 104 ransomware attacks between January and September 2020 alone (without this figure representing the actual number of attacks suffered) [3]. Whereas in the past, ransomware attacks were mainly directed against individuals whose information systems were poorly protected, this proliferation is today affecting all sorts of players and increasingly large organizations, even though they are better equipped in terms of computer security: Fleury Michon in April 2019 [4], the M6 group in October 2019, the Rouen University Hospital in November 2019, the Elior catering group in June 2020 [5], the Mr Bricolage supermarket chain in September 2020 [6] and the CMA CGM maritime freight group, also in September 2020 [7], are a few examples. Moreover, the health crisis has reinforced the phenomenon and cyber-attacks have particularly targeted health institutions and the sensitive data they handle (for example, in September 2020, the Düsseldorf University Clinic, forced to transfer certain patients to another hospital, or the American hospital chain UHS, part of whose IT system has become unusable).   Negative consequences can be quite substantial or even disastrous: a freeze on activities, data leaks, including potentially sensitive personal data, chain of liability due to contractual breaches, financial damage, internal and external reputational damage, etc...  

What does the law say about the possible liability of corporate victims?

French law offers a wide range of tools to both (i) prevent the risk of cyber-attacks ( notably with respect to the status of organizations recognized as being of vital importance, or that of essential service operators implementing the so-called "NIS" Directive of July 2016 or the ANSSI and CNIL guides to help companies with their data security programme[8] ...) and (ii) arrest the perpetrators, in particular through coordinated cybersurveillance action at European or French level or actions available in criminal proceedings.   But what about the liability of corporate victims towards their ecosystem?   In the specific context of civil procedure, case law has sometimes accepted the qualification of force majeure for a ransomware affecting the activities of court officers, allowing for the lifting of the sanction imposed on an appeal lapsing out of time[9].   Yet, more generally, in the case of commercial contracts impacted by a ransomware attack, case-law does not accept this classification for the benefit of corporate victims who, unable to carry out their activities in a regular manner, could fail to meet their obligations. Indeed, a ransomware attack meets neither the requirement of unforeseeability nor, a priori, that of irresistibility provided for in Article 1218 of the Civil Code.   In a ruling rendered on February 7th 2020 [10] , the Paris Court of Appeal held that "a computer virus is neither unpredictable nor irresistible and therefore does not constitute a case of force majeure or even a fortuitous event exonerating from liability (...) that in the presence of fully exploitable backups, the infection of the respondent's computer system by the virus would not have had the harmful consequences observed".  

What legal measures should be taken to prevent and respond to such attacks?

Even if force majeure is not qualified, the implementation of appropriate measures is typically critical to minimize any direct or indirect damage and thus any possible liability that may arise from an attack by ransomware and thus preserve as far as possible the good contractual relationship.  

 All of this has implications both internally and externally, e.g. by means of:

  Raising employees' awareness on a regular basis (cyber-attacks often originate from human failure due to imprudence). Depending on the company's degree of complexity, it will be recommended that employees be hired under an IT charter setting out the necessary principles of prudence.   Managing contracts with customers, suppliers and other partners efficiently. They must be planned, negotiated and even updated to protect the company and minimize its liability risks, particularly through force majeure clauses. Indeed, the parties involved in a contract between professionals are free to deviate from the definition of article 1218 of the Civil Code. Within the limits of the applicable public policy provisions, they will therefore be able to shape situations in which their liability can be excluded if the context of the negotiation so provides, bearing in mind that force majeure is not recognized in all legal systems, including in the EU, and that it may sometimes be a matter of pure will on the part of the co-contracting parties.    

When an attack occurs, a number of legal measures will have to be undertaken:

  • Open a police incident report, allowing actions and events related to be traced, and in particular: the time and date of the event, the name of the person who initiated the action or who provided information about the event, the description of the event;
  • File a complaint as soon as possible in order to activate an investigation that may lead to the identification of the perpetrators, the decryption key, and possibly in the end to the repair of the damage. In this respect, the new "THESEE" platform on Internet fraud[11] is intended to receive complaints from victims after the publication in June 2020 of two decrees defining its operating procedures[12] ;
  • Contact as soon as possible your insurer to analyze the company's coverage;
  • Notify the CNIL within 72 hours of the leak of personal data and check whether individuals whose data has been affected should be informed and if so, implement this information;
  • Analyze the impact of the attack on current contracts with customers, suppliers and other partners, starting with major contracts; according to this analysis, contact the co-contractors concerned to study the concrete scope of the impact of the attack and the curative measures to be taken in the interest of each company;
  • In a medium or longer term, "learn the lessons" from the crisis by adapting, if necessary, its contracts or model contracts or even the company's insurance policies.

What other organisational or technical measures are recommended?

Recent case law has shown that among all the preventive measures required of companies, data back-up is crucial, but it is not the only action to be taken.   Thus, the guide published by the ANSSI in August 2020, proposes both preventive and corrective measures to demonstrate a proactive attitude on the part of the victim, and thus potentially avoid, or at least diminish, his liability due to the consequences of ransomware. These measures reflect previous publications by the ANSSI or the CNIL in its guide on data security.  

The following are some measures taken from this new guide in the area of prevention:

  • Organize a regular data backup, disconnected from the information system in order to prevent any encryption of them, like other files. Prepare a recovery and continuity plan for computer activities, and carry out regular tests on the restoration of backups;
  • Keep software and systems up to date, use and maintain an anti-virus software;
  • Seal off the information system separating the different network zones in order to limit the risk of propagation of ransomware and to secure the workstations;
  • Limit user rights and application authorizations, set up a robust password policy in accordance with CNIL recommendations, i.e. a minimum of 8 characters with at least 3 of the 4 types of characters;
  • Control internal internet access through the implementation of a secure Internet gateway to block illegitimate flows;
  • Set up a logging policy covering the various sources of the information system to record events generated by the hosted services, in order to detect compromises and react quickly;
  • Raise staff awareness through training in good digital security practices.
  • Evaluate the opportunity to subscribe a cyber insurance policy, which would provide financial coverage for damages;
  • Set up a strategy to prevent cyber-attacks and a crisis management system to ensure business continuity and a subsequent return to a normal state;
  • Set up or develop a communication strategy in response to a cyber crisis and implement it from the very beginning in order to limit the impact of the crisis on the image and reputation of the victim entity. This communication and acknowledgement of the attack will help reassure the ransomware victim's co-contractors, notably on the measures implemented to stop the attack and minimize its effects and allow the fastest possible return to normal activity.

With regard to the measures to be taken when the attack has occurred:

  • Do not pay the ransom! : payment does not guarantee that the decryption key will be obtained, and encourages cybercriminals to continue their activity. Moreover, the key itself may contain a virus. In some cases, depending on the applicable law, payment of the ransom may even constitute an offence;
  • Disconnect backup media as quickly as possible after ensuring that they are not infected, and isolate infected equipment from the information system by disconnecting it from the network;
  • Do not switch off machines whose files have been encrypted: switching off the power can reduce the chances of recovering the encrypted files from the equipment's memory. It is preferable to use an extended sleep mode in order to stop the malware activity while preserving the memory for later analysis, and to leave unbooted equipment switched off;
  • Keep data encrypted, as a decryption solution can be discovered and made public later: new responses to cyber-attacks are discovered daily, which is why it is necessary to keep systems and antivirus software up to date;
  • Set up a dedicated crisis unit at the highest level of the organization, independent of the operational working groups that will have steering and execution responsibilities. The purpose of this unit will be to respond to strategic issues, possible legal actions, monitor any regulatory notifications that may be made, and deal with queries from various customers and partners;
  • Using service providers specializing in responding to security incidents;
  • Deploy the communication strategy defined in the context of preventive measures, both externally and internally (in particular to prepare employees for possible media solicitations).
As can be noticed, a whole set of measures exists to slow down the occurrence of ransomware or to try to control the consequences once the attack has been carried out. And for those companies that have not yet included cyber-attack prevention plans in their procedures, it is recommended to do so quickly!     [interne id="63239"][interne id="112436"]     1] https://www.nextinpact.com/article/44187/cybersecurite-pour-guillaume-poupard-anssi-plus-personne-ne-peut-dire-je-ne-savais-pas. 2] Ransomware attacks, all concerned - How to anticipate them and react in the event of an incident? ANSSI, August 2020. 3] https://www.cnil.fr/fr/rancongiciels-lanssi-et-le-ministere-de-la-justice-publient-un-guide 4] ANSSI guide on ransomware demands of August 2020, cited above. 5] https://www.lemagit.fr/actualites/252489422/Sodinokibi-ce-ransomware-que-le-groupe-Elior-peine-a-digerer 6] https://www.usine-digitale.fr/article/mr-bricolage-est-touche-par-un-ransomware.N1011389 7] https://www.linformaticien.com/actualites/id/55206/cma-cgm-victime-d-un-ransomware.aspx 8] ANSSI's computer hygiene guide: https://www.ssi.gouv.fr/guide/guide-dhygiene-informatique/ ANSSI and AMRAE guide to digital risk management: www.ssi.gouv.fr/uploads/2019/11/anssi_amraeguide-maitrise_risque_numerique-atout_confiance.pdf. EBIOS Risk Manager Guide and its supplement: www.ssi.gouv.fr/guide/la-methode-ebios-risk-manager-le-guide CNIL guide on data security : https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle.pdf. 9] For example: Nîmes Court of Appeal, 28 July 2020, no. 19/04433; Paris Court of Appeal, 12 February 2020, no. 19/17629. 10] Paris Court of Appeal, 7 February 2020, no. 18/03616. [11] https://www.pre-plainte-en-ligne.gouv.fr/ https://www.zdnet.fr/actualites/thesee-le-projet-de-plainte-en-ligne-a-le-vent-en-poupe-39905997.htm 12] https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042056637/ - https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042056623/.  
To go further