By: Patricia B. McMurray, JD, Samuel L. Felker, JD, CIPP/US and Gina G. Greenwood, JD, CIPP/US, Baker, Donelson, Bearman, Caldwell & Berkowitz, PC
Over the past year, no information security concern has demanded more media and corporate attention than ransomware. The evolution of this threat from an ineffective nuisance to a sophisticated business model generating hundreds of millions of dollars for hackers has been impressive to say the least, and the number and frequency of attacks are on the rise. Petya, Bad Rabbit, WannaCry, CryptoLocker and other ransomware attacks have infiltrated many companies' IT systems.
What is Ransomware?
Ransomware is a category of malware, or malicious software, that disables the functionality of a computer in some way. After infecting a computer, the ransomware program displays a screen message that demands payment, usually in bitcoin (or another cryptocurrency) in order to avoid traceability. Sometimes the scammers add pressure by including a countdown clock and threatening to destroy data unless payment is made by the deadline. Ransomware has evolved over time, using various techniques to disable a computer, but the most recent iteration either locks the computer display, disallowing any access to programs, or actually encrypts and/or removes files. The malware, in effect, holds the computer captive and demands a monetary ransom as extortion. The hackers promise to provide the "key" to unlock the computer and restore functionality once payment is made. Ransomware generally infects IT systems in a manner similar to other types of malware. Commonly, the user clicks on an infected popup advertisement or on an infected link within an email and is directed to an infected website. To provide perspective about the scope of this problem, PhishMe recently reported that a staggering 93 percent of phishing emails were infected with ransomware in Q1 of 2016. With a simple click on a link or by opening an attachment, malware can enter the network, quickly infecting files and encrypting data.
If that isn't scary enough, ransomware hacking techniques are becoming more sophisticated and dangerous. According to Bill Dean, digital forensics expert and Senior Manager for LBMC Information Security, ransomware attacks often involve encrypting the entire system with an "unbreakable" code – including local user-created files, local system backups (volume shadow copies), network shares to which the infected user account has modify rights (often causing major devastation) and any locally attached USB drives. In addition, an undocumented "feature" of most current ransomware variants is that cloud-based storage is also at risk. Cloud storage solutions often synchronize the local user files to the cloud provider. Dean warns that if the ransomware encrypts the local files that are to be synchronized, and there are not multiple versions in the cloud, the cloud-synchronized files will also be encrypted.
What is the Future of Ransomware?
By performing a detailed analysis of ransomware samples, Dean and his colleagues have determined that these attacks are currently geographically focused on certain countries. Additionally, because price tolerance (and likelihood of payment) differs between countries, the ransom demanded will actually vary based on the location of the infected machine, with most ransomware attacks commanding relatively small amounts in ransom to encourage quick, no-fuss payment. Attackers also target the file types most likely to yield payment. According to Dean, ransomware is becoming highly sophisticated, with the ability to avoid detection and lie in wait, attack later, and extract and remove data – causing true data theft scenarios.
How to Defend Against Ransomware Attacks
There are currently no "silver bullets" to prevent ransomware infections. Because attackers constantly change their attack signatures to evade detection, conventional controls – such as anti-virus software – are not enough. However, there are preventative measures that organizations can take to build resilience against ransomware attacks. The FTC recommends:
- Train and Educate Staff. Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
- Use Good Cyber Hygiene. Practice good security by implementing basic cyber hygiene principles:
  - Assess the computers and devices connected to networks to identify proactively the scope of potential exposure to malware.
  - Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software and web browser protection.
  - Implement procedures to keep security current.
  - Update and patch third-party software to eliminate known vulnerabilities.
- Create Backups. Back up your data early and often. Well-prepared organizations with reliable backup systems may be able to restore systems from those backups with minimal data loss or business interruption.
  - Identify business-critical data in advance and establish regular and routine backups.
  - Keep backups disconnected from your primary network so that you can rely on the backup in the event of an attack.
- Plan Ahead. Prepare for an attack. Develop and test incident response and business continuity plans. We recommend that your response plan list attorneys, IT and forensic vendors and experienced law enforcement agents, with their 24/7 cell phone numbers, and incorporate vendors approved by your cyber insurance policy.
Additionally, in the unfortunate event of a ransomware attack, we recommend that businesses formally assess the damage after an attack by conducting a forensic examination; however, companies should not allow the IT systems or logs to be wiped clean or otherwise modified. Your business will need to preserve the firewall, network and server logs as evidence of what happened. This is critical to being able to prove whether or not there was a breach that requires reporting to consumers, the media and state/federal government. Preparing in advance for a ransomware attack is critical to surviving and navigating a ransomware attack. An attack is not always fatal but mismanagement of an attack can be.
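One way to preserve logs so that any later modification is detectable, shown as an added example that is not part of the original article: copy the logs into a case folder and record a SHA-256 hash for each file. The folder layout, the `manifest.json` name, the function names and the sample log lines are assumptions constructed for this example.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):  # hash in chunks so large logs need not fit in memory
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(source_dir, evidence_dir):
    """Copy every file under source_dir and record its SHA-256 in a manifest."""
    evidence_dir.mkdir(parents=True, exist_ok=False)  # never overwrite earlier evidence
    entries = []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = evidence_dir / "logs" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original modification times
        entries.append({"file": rel.as_posix(), "sha256": sha256_file(dst)})
    manifest = evidence_dir / "manifest.json"
    collected = datetime.now(timezone.utc).isoformat()
    manifest.write_text(json.dumps({"collected_utc": collected, "files": entries}, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return the files that are missing or no longer match the manifest."""
    recorded = json.loads((evidence_dir / "manifest.json").read_text())["files"]
    problems = []
    for entry in recorded:
        path = evidence_dir / "logs" / entry["file"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems

def demo():  # constructed sample logs: collect them, then alter one copy afterwards
    with tempfile.TemporaryDirectory() as tmp:
        src, case = Path(tmp, "logs_in"), Path(tmp, "case-0001")
        src.mkdir()
        (src / "firewall.log").write_text("constructed: DENY tcp 10.0.0.5 -> 10.0.0.9:445\n")
        (src / "server.log").write_text("constructed: backup service stopped\n")
        preserve_logs(src, case)
        before = verify_evidence(case)
        (case / "logs" / "server.log").write_text("edited after collection\n")
        return before, verify_evidence(case)
```

Store a copy of the manifest away from the affected network, for example with counsel or the forensic vendor, so the hashes themselves cannot be altered along with the logs.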
For the detailed steps your organization can take to prepare for a ransomware attack, see Ransomware: What to Do When Your Files Are Held Hostage, developed by analysts at LBMC Information Security.
If you suspect you have been hacked or victimized by cybercriminals, you should immediately contact qualified counsel to assist in your investigation, resolution and in any required reporting to state or federal agencies such as the Consumer Protection Section of the Louisiana Attorney General, if the breach of the security of the computer systems includes personal data (see LA R.S. 51:3071 et seq.).
These materials are to be used for informational purposes and should not be construed as specific legal advice. These materials are not designed to cover every aspect of a legal situation for every factual circumstance that may arise regarding the subject matter included.
This publication is for reference purposes only and association members or other readers are responsible for contacting their own attorneys or other professional advisors for legal or contract advice. The comments provided herein solely represent the opinions of the authors and are not a guarantee of interpretation of the law or contracts by any court or by the Louisiana Real Estate Commission.