Kamran Salour is ready for one of the first questions his law firm’s clients often ask after they are hit by a ransomware attack launched from a foreign country: “How do we arrest these guys?”
“It’s a visceral reaction—let’s get these guys,” said Salour, a partner at Lewis Brisbois Bisgaard & Smith LLP in Costa Mesa.
Typically, the answer is no. The attackers' identities are unknown, and "if we were able to identify them, they're beyond jurisdiction from the U.S."
Salour rejoined the firm, which ranks No. TK on this week's list of largest law firms in OC, last year after a stint at Troutman Pepper. He is a partner in the Orange County office and co-chair of its Data Privacy & Cybersecurity Practice.
Salour regularly works with businesses to design proactive cybersecurity measures, create pre-incident response plans, and comply with applicable laws and regulations.
When clients experience cyber incidents, Salour helps them navigate the incident response process. That includes implementing response notification procedures, responding to regulatory investigations, managing state and federal litigation, as well as evaluating and modifying policies to protect against a future event.
Salour’s team also publishes a monthly newsletter called CyberCapsule.
Ransomware
The response process includes directing forensic investigations, developing post-incident response notification plans, and responding to regulatory investigations. Salour helps his clients defend against claims in state and federal litigation resulting from data security incidents.
That often involves ransomware: "bad actors" breaking into a network, frequently stealing information, and encrypting the victim's data so it is held hostage until the victim pays.
"On the legal side, I help identify as well as comply with legal obligations that may result from a cybersecurity event," he told the Business Journal on Feb. 27. Those can include regulatory, statutory and contractual obligations.
He also helps to manage the response to a cybersecurity attack, making sure that all parties, sometimes including the FBI, are working together and helping to minimize the impact on the victim organization.
Salour says the inability to have authorities arrest the foreign attackers “certainly adds to a level of frustration.”
Russia, Iran
The list of top foreign cyber outlaws stays fairly constant: Russia, North Korea, Iran and China.
Domestic attacks are a different story since the victims often have already notified the FBI.
“There are multiple pieces,” he said including insurance companies, forensic experts and sometimes the FBI.
“I help make sure that all those parties are working together and align to make that process go forward,” Salour said.
Last Resort
He said the client sometimes must be told to pay the ransom as a last resort, though paying is itself risky, since there is no guarantee the encrypted data will be recovered.
The work includes getting the insurance company to approve a payment to the "threat actors," as well as seeking assurance that a working decryptor (the key needed to unlock the data) will actually be provided.
“Typically, that is the last resort,” he said of paying the ransom. “Those are difficult conversations.”
That means the victim goes forward with a payment to a criminal in the hope that the criminal in fact has a functional key, delivers that key, and that the key is going to restore the organization's operations.
There have been major shifts in how the bad guys operate.
“A lot of these threat actor groups now are operated as ransomware as a service, where they’re almost licensees or franchisees of the threat actors’ playbook. So, they don’t necessarily have the same loyalty to the process as the original threat actor oddly enough.”
Notifying FBI
Depending on the case, Salour may need to notify the FBI or a state attorney general.
He credits the FBI with bringing down many of the attackers' operations, though the groups often reappear soon afterward under new names.
“The only time that we have to notify the FBI is if we’re making a payment to the threat actor. There’s a best practice to notify the FBI,” Salour said.
Salour estimates that 60% of his cyber practice involves ransomware, while 35% involves hacked e-mail accounts and 5% is various other incidents, including theft of laptops holding sensitive data.
“Most of the time we’re dealing with some pretty sophisticated threat actors,” he said, adding that a multi-layer approach to cybersecurity is the best way to minimize the impact if a bad guy does get into the system.