
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack

Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Columbia University for the Executive Masters of Technology Management Program on November 21, 2020.

  1. Spencer Fane LLP | spencerfane.com
     Incident Response Planning: Lifecycle of Responding to a Ransomware Attack
     Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane LLP
     Technology and the Law, November 21, 2020, Columbia University Executive Master of Technology Management
  2. Bricker Beverages – the dreaded call
     You are CIO of Bricker Beverages. It’s Friday night at 8:00 PM. You get a panicked call from one of your team leads, who has been receiving alerts that a large number of files are being corrupted. What do you do?
  3. Ransomware Timeline – Hour 1
     • Initial Discovery
     • Basic Intel
     • Activate IR Plan & IR Team
     • Triage Security + Backups
     • Do Not Wipe Drives
     • Start Preserving Evidence
     • Do Not Communicate with TA (Threat Actor)
  4. The dreaded diagnosis
     Your team’s investigation discloses alien file extensions that belong to a form of zero-day ransomware, so publicly available decryption keys won’t decrypt the data. Folks in your distribution network are calling – they can’t access the portals for placing orders. What do you do?
  5. Ransomware Timeline – < 12 Hours (continues the Hour 1 steps in slide 3)
     • Notify Insurance Carrier
     • Engage Security Experts
     • Engage Data Recovery Experts
     • Report to Law Enforcement
     • Notify Employees
     • Notify Key Business Partners
     • Begin Data Recovery + Restoration
     • Confirm Not Obvious “Breach”
  6. The demand for payment
     Your CFO receives an email explaining the ransom demand (which is in the amount of 2/3 of your insurance coverage and the size of one quarter’s revenues). The CFO is promised that upon receipt of payment, the decryption keys can be accessed via links provided in the email. Law enforcement is not familiar with the reputation of the Threat Actor. What do you do?
  7. Ransomware Timeline – 12 – 72+ Hours (continues the steps in slides 3 and 5)
     • Implement Interim Security
     • Negotiate with Threat Actor
     • OFAC Clearance
     • Carrier Approval for Payment
     • Begin Forensics
     • Plan for PR and Potential Notification
  8. The payment
     The insurer has approved payment of the negotiated ransom. The Threat Actor has demanded Bitcoin, and your negotiator advises that the Threat Actor does not appear on the sanctions list. The negotiator arranges payment. What do you need to anticipate? What do you need to do?
  9. Ransomware Timeline – +8 Hours (continues the steps in slides 3, 5 and 7)
     • Confirm Proof of Life
     • Payment Transaction
     • Obtain Decryptor
     • Test Decryptor
  10. The aftermath
     Bricker Beverages’ Facebook account is active. The Threat Actor has posted an announcement that Bricker Beverages was ransomed and that its data is in the possession of the Threat Actor. Sophia and Diana Bricker are getting calls from the media. Consumers are contacting Bricker via Facebook Messenger, Instagram, and Bricker’s website, asking if their information has been leaked. Some demand that their data be deleted. Negative tweets are appearing on Twitter. What do you need to do?
  11. Ransomware Timeline – +12 – 72+ Hours (continues the steps in slides 3 through 9)
     • Begin Data Decryption Process
     • Follow up with TA if Problems
     • Obtain Interim Signals from Forensics
  12. The breach
     The forensics team confirms that data has been exfiltrated. It has not been published by the Threat Actor. What do you need to do?
  13. Ransomware Timeline – < 2 – 4+ Weeks (continues the steps in slides 3 through 11)
     • Restoration of Operations
     • After Action Review
     • Implement Additional Security
     • Complete Forensics & Obtain Report
     • Determine Incident or Breach
     • Notifications & Reporting if Breach
  14. Can you relax?
     Bricker’s network files have been decrypted and restored. Its systems are operational again. What do you need to anticipate? What do you need to do?
  15. Ransomware Timeline – 1 – 48+ Months (continues the steps in slides 3 through 13)
     • Individual Notification Escalations
     • Business Partner Escalations
     • Regulatory Investigations
     • Litigation
  16. Ransomware Lifecycle
     Initial Discovery → Basic Intel + Activate IR Plan & Team → Triage Security + Backups → Security Experts → Data Recovery + Restoration → Forensic Examination → Incident or Breach? → After Action Review → Most Common Causes
  17. Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  18. DOWNLOAD: https://www.spencerfane.com/wp-content/uploads/2019/01/Cyber-Incident-Response-Checklist.pdf
  19. Most Common Causes & Solutions
     • RDP Access
       – This is random – scanning the web for Internet-facing RDP access
       – Virtual Private Network (VPN) with Multifactor Authentication (MFA)
     • Phishing
       – Email phishing tool
       – Workforce training and simulated phishing
     • Unpatched / Outdated Software
       – Install patches timely
       – No unsupported software
     • Passwords
       – Multifactor Authentication (MFA)
       – Longer passphrases
     • Backups, Backups, Backups!
       – 3-2-1 Backup Process
       – Something comparable – you may end up with only your offline backup
  20. Most Common Causes
     Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  21. Average Ransomware Payments
     Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  22. Company Size Distribution
     Source: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  23. Incident Response Considerations from a Breach Coach
     As we sit here today:
     1. Have you collectively brainstormed to think about your greatest cyber risks?
     2. Do you have an Incident Response Plan (IRP)?
     3. Do you know when to activate the IRP?
     4. Does each member of the Security Incident Response Team (SIRT) understand his or her role and responsibility under the IRP?
     5. Do you have redundancies for those roles and responsibilities?
     6. Do you know who is the “head coach” and, what if that person is unavailable?
     7. Do you know what external parties are needed under the IRP?
     8. Do you have easy access to all internal and external parties’ contact information, with redundancies, including personal cell numbers?
     9. Do you have relationships already established with those third parties?
     10. Do you have those third parties pre-approved under your cyber insurance policy?
     11. Do you have your insurance policy, policy number, and claims contact information handy?
     12. How will you access all of this information if your network is down?
     13. Have you practiced a mock scenario to test your preparedness? What about if your “head coach” is unavailable?
     14. Have you performed After Action Reviews (AAR) and revised your IRP for lessons learned?
  24. Shawn Tuma
     Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP
     972.324.0317 | stuma@spencerfane.com
     • 20+ Years of Cyber Law Experience
     • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
     • Council Member, Southern Methodist University Cybersecurity Advisory
     • Board of Advisors, North Texas Cyber Forensics Lab
     • Policy Council, National Technology Security Coalition
     • Board of Advisors, Cyber Future Foundation
     • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
     • SuperLawyers Top 100 Lawyers in Dallas (2016)
     • SuperLawyers 2015-20
     • Best Lawyers in Dallas 2014-20, D Magazine
     • Chair-Elect, Computer & Technology Section, State Bar of Texas
     • Privacy and Data Security Committee of the State Bar of Texas
     • College of the State Bar of Texas
     • Board of Directors, Collin County Bench Bar Conference
     • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
     • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
     • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
     • International Association of Privacy Professionals (IAPP)
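The alert in slide 2 ("a large number of files are being corrupted") and the "alien file extensions" in slide 4 are the Initial Discovery signal at the top of the timeline. As an added example that is not part of the deck or of Spencer Fane's materials, here is a small Python check that flags a host rewriting many files to an extension not on a known list within a short window; the event log format, host names, extension list, threshold and window are all assumed for illustration.

```python
"""Early-warning check for mass renames to an unknown file extension.

Added example (not from the original deck). The event format, the
KNOWN_EXTENSIONS list, the threshold/window and the sample events are
all constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".csv", ".txt", ".bak"}
WINDOW = timedelta(seconds=60)   # sliding window per host
THRESHOLD = 5                    # unknown-extension renames per host within WINDOW

# Constructed sample file-server events: "<timestamp> <host> <action> <old> <new>"
SAMPLE_LOG = """\
2020-11-20T20:00:01 WS07 RENAME users/ana/notes.txt users/ana/notes.tmp
2020-11-20T20:00:05 FS01 RENAME orders/q3.xlsx orders/q3.xlsx.k7zq1
2020-11-20T20:00:06 FS01 RENAME orders/q4.xlsx orders/q4.xlsx.k7zq1
2020-11-20T20:00:06 FS01 WRITE orders/README.txt orders/README.txt
2020-11-20T20:00:08 FS01 RENAME invoices/inv-1001.pdf invoices/inv-1001.pdf.k7zq1
2020-11-20T20:00:09 FS01 RENAME invoices/inv-1002.pdf invoices/inv-1002.pdf.k7zq1
2020-11-20T20:00:11 FS01 RENAME portal/orders.csv portal/orders.csv.k7zq1
2020-11-20T20:01:30 WS07 RENAME users/ana/budget.xlsx users/ana/budget.bak
"""

def parse_event(line):
    """Split one event line into (timestamp, host, action, old_path, new_path)."""
    ts, host, action, old, new = line.split()
    return datetime.fromisoformat(ts), host, action, old, new

def suspicious_renames(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: (count, extension)} for each host whose renames to an
    extension outside KNOWN_EXTENSIONS reach `threshold` inside `window`.
    The count recorded is the one at the moment the threshold was crossed."""
    recent = defaultdict(deque)   # host -> timestamps of unknown-extension renames
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, action, _old, new = parse_event(line)
        if action != "RENAME":
            continue
        ext = os.path.splitext(new)[1].lower()
        if not ext or ext in KNOWN_EXTENSIONS:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (len(q), ext)
    return alerts

if __name__ == "__main__":
    print(suspicious_renames(SAMPLE_LOG.splitlines()))
```

On the constructed sample only FS01 trips the check; WS07's single `.tmp` rename stays below the threshold and its `.bak` rename is on the known list.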
