Ransomware Attacks are Here to Stay – How You Can Prepare
By now, you have likely heard of the massive, international ransomware cyberattack that was first reported on May 12, 2017. According to Europol, the European Union’s police agency, the attack has already affected more than 200,000 computers in more than 150 countries. The attackers have been targeting an array of victims around the world, including hospitals, universities, logistics and transportation companies, telecommunications companies, automakers and government entities, among others. The attackers have even made their way to Hollywood, allegedly pirating an upcoming Disney® movie and demanding that Disney pay a significant ransom or risk having segments of the movie released to the public until the ransom is paid.
The “WannaCry” malware involved in this attack specifically targeted computers running the Microsoft Windows® operating system by exploiting a vulnerability in that operating system. The vulnerability was first identified by the U.S. National Security Agency and subsequently stolen and leaked to the public. Microsoft released a patch for this vulnerability for supported systems in March, but some users failed to install the patch, and users running versions of Windows that no longer receive mainstream support did not receive the security update. Microsoft has since issued an emergency patch for unsupported, outdated versions of Windows.
This year is projected to be a record-breaking year for cyber-attacks. Malicious software (malware) commonly known as “ransomware” is quickly overtaking all other forms of malicious cyber-threats, as file-encrypting ransomware attackers have apparently moved their focus from consumers to mainstream commercial enterprises. With this shift in focus, the size, scope and potential damage that can be caused by ransomware attacks have significantly increased.
Eastman & Smith has been following the ransomware threat for some time. This article offers some pointers to our business clients and others who may be unfamiliar with the growing threat of ransomware and its potential detrimental impact on your business and legal compliance efforts.
What is Ransomware?
As ransomware has transitioned from consumers to commercial victims (who can typically pay higher ransoms), ransomware attackers are now promoting “ransomware as a service” (RaaS) platforms, which enlist other would-be attackers and equip them to spread ransomware in exchange for a share of the ransom fees paid by the victims. Thus, ransomware masterminds and their less-sophisticated cronies are wreaking havoc on legitimate businesses at an unprecedented rate, causing losses which threaten to outpace the ability of governmental enforcement agencies and the insurance and legal industries to provide reasonable or cost-effective solutions – especially where the insured business fails to maintain reasonable safeguards to prevent malware attacks. (We are aware of several cyber risk policy models which require such reasonable safeguards as a condition to coverage availability.)
How Does Ransomware Actually Work?
Once ransomware is delivered and executed, it scans local and connected storage areas in the victim’s network for files to encrypt. Once encrypted, files often cannot be accessed again without a decryption key or other software made available by the attacker when the ransom is paid. The malicious software essentially holds the victim’s data hostage until the victim pays the ransom or risks the files being unusable, destroyed or, sometimes worse, disclosed to the public. A monetary payment (a “ransom”) is typically demanded, payable in bitcoin, with a sample test key being delivered before such payment to illustrate that the attacker has the ability to unlock all of the affected files across the entire system after the ransom is paid. The testing of the key and delivery of the bitcoin ransom are frequently accomplished by third-party consulting firms having expertise in validating the test key and access to the bitcoin/blockchain-oriented payment mechanisms (with which many businesses are unfamiliar). Such consultants are frequently the second set of expensive technicians engaged by the victim, only after a team of technical support experts has failed to decrypt the files or otherwise recover or restore access to infected data. Such third-party resources are expensive and typically require payment in advance for their services. Better cyber insurance coverages typically will engage such third-party experts and pay for the services on behalf of the covered insured.
In addition to the threat of destruction or inability to use data, attackers are increasingly presenting a threat of “doxing” (to publicly release the private information gained in the attack). Doxing can be particularly troubling to businesses operating in regulated industries such as healthcare or financial services, or for professionals who are obligated to maintain confidentiality (such as physicians, attorneys or CPAs).
According to a September 2016 Statista survey, the following sectors are most likely to be affected by ransomware attacks:
- Services Industries
- Public Administration
- Insurance and Real Estate
- Wholesale Trade
How to Prepare for a Ransomware Attack.
Businesses and individuals should be very concerned about the growing threat of ransomware attacks, particularly if they operate in regulated industries such as healthcare, where penalties may be imposed if confidential information is disclosed in an unauthorized manner. In addition, businesses which depend on their ability to quickly deliver data or data-dependent services cannot typically risk interruption of their data access (or that of their customers), and such time considerations usually weigh heavily on the victim’s decision to pay the ransom after initial decryption and recovery efforts fail (which is often the case, especially where the victim has failed to maintain adequate technical safeguards – discussed separately below). While no cybersecurity plan is foolproof, business leaders should exercise reasonable efforts to prevent ransomware attacks from rendering their data unusable, and to deal with such attempts if they arise. These efforts include:
- Maintain a disaster recovery plan and a cybersecurity incident response plan. A ransomware attack could turn into a data breach and trigger data breach notification requirements under applicable state and/or federal law.
- Make sure all software, operating systems and firmware are patched and up-to-date. Always install system or security updates as they become available. Implement a patch management strategy.
- Routinely back up files to a remote hard drive or server that is not connected to the Internet, or to a cloud service, and continuously verify the reliability of the backups. Beware: some ransomware can infect cloud-based backups when systems back up to the cloud continuously in real time. If you have Microsoft’s Volume Shadow Copy Service (VSS) enabled, you may be able to recover automatic or manual backup copies or snapshots of files, but some ransomware variants encrypt these shadow copies and some delete them.
- Install firewalls, unified threat management products, email and spam filters, Microsoft’s Enhanced Mitigation Experience Toolkit, antivirus software and/or ad blockers. Ransomware sometimes operates in a manner that is undetected by email filtering and antivirus software. Anti-virus and other anti-malware solutions should be scanning your computers and computer systems regularly and updating automatically.
- Train all employees and staff. Emphasize anti-phishing training. The U.S. Computer Emergency Readiness Team (US-CERT) advises users to always be careful and vigilant when clicking on links in emails, even if the sender appears to be known, and to use caution when opening attachments, especially those in unsolicited emails, being particularly wary of compressed or zip file attachments. Only download software from trustworthy sites. Training should be ongoing in order to reinforce anti-phishing habits as new threats and techniques are identified.
- Disable macros in Microsoft Office applications and do not enable macros from files transmitted by email. Use Microsoft Office Viewer to open, view and print files transmitted by email.
- Limit or restrict administrative access for work stations and users to an “as-needed” basis.
- Implement software restriction policies to prevent the execution of programs from common ransomware locations, such as temporary folders, including those used by compression/decompression programs. Use application whitelisting.
- Separate networks and data to mitigate damage in the event of a ransomware attack. Keep sensitive data on a different server or network segment from email.
- Install a security information and event management (SIEM) product or other network or server monitoring service to warn of any infections and allow analysis of security data.
- Install decryptor tools (available for some ransomware variants) or malware removal tools (used to salvage files) to be used in the event of a ransomware attack.
- Consider seeking cyber insurance coverage and discuss with legal counsel the extent of the coverage (i.e., whether a policy will cover the ransom if paid by the insured, whether it will cover the cost of consultants needed to negotiate payments to attackers, whether it will cover the cost of consultants to evaluate whether data can be decrypted or restored, whether it covers legal costs) and the duties of the insured in order to be entitled to coverage.
- Companies that rely on or provide data in the ordinary course of business, specifically those subject to confidentiality and privacy regulations, should carefully review their standard terms of service to confirm whether their “force majeure” (excused performance for acts beyond their reasonable control) provisions explicitly excuse third party acts and omissions of this type or provide parties with a cancellation or termination right in such event.
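Several of the technical items above (patching, shadow copies, Office macros, software restriction policies and administrative access) can be checked on a Windows host from the registry and WMI. The following read-only audit is an added example, not part of the original article; it assumes Windows 10/Server 2016 or later with PowerShell 5.1 in an elevated session, checks only the Word macro policy under the Office 16.0 path, and uses a 30-day patch window and a two-member Administrators threshold, all of which are assumptions you should adjust to your own policy.

```powershell
function Get-RansomwareReadiness {
    param([int]$MaxPatchAgeDays = 30, [string]$OfficeVersion = '16.0')

    $results = @()
    # Helper: one finding per control, with a pass/fail flag and the evidence seen.
    $check = { param($Control, $Pass, $Detail)
        [pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail } }

    # 1. Patching: the newest installed hotfix must fall inside the allowed window (assumed 30 days).
    $latest = (Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    $results += & $check 'Patching' ($latest -and $latest -gt (Get-Date).AddDays(-$MaxPatchAgeDays)) "Last hotfix installed: $latest"

    # 2. Recovery points: are any Volume Shadow Copies present on this host?
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $results += & $check 'ShadowCopies' ($shadows.Count -gt 0) "$($shadows.Count) shadow copies found"

    # 3. Office macros (Word only, assumed Office 16.0): VBAWarnings 3 = signed only, 4 = all disabled.
    $vbaKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    $vba = Get-ItemProperty $vbaKey -Name VBAWarnings -ErrorAction SilentlyContinue
    $results += & $check 'OfficeMacros' ($vba.VBAWarnings -in 3, 4) "VBAWarnings = $($vba.VBAWarnings)"

    # 4. Software Restriction Policies: default level Disallowed (0), or path rules under the Disallowed level.
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty $srp -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $rules = @(Get-ChildItem "$srp\0\Paths" -ErrorAction SilentlyContinue |
               ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
    $results += & $check 'SRP' ($level -eq 0 -or $rules.Count -gt 0) "DefaultLevel=$level; disallowed paths: $($rules -join ', ')"

    # 5. Administrative access: flag more than two members of the local Administrators group (assumed threshold).
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $results += & $check 'LocalAdmins' ($admins.Count -le 2) ($admins.Name -join ', ')

    $results
}

Get-RansomwareReadiness | Format-Table -AutoSize
```

A failed `ShadowCopies` or `Patching` row on a host that is expected to have them is also worth alerting on from your monitoring, since the article notes that some variants delete shadow copies.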
What to do if Your Best Efforts Fail to Prevent a Ransomware Attack.
Despite prevention efforts, ransomware attacks may still occur. In the event your business is the victim of a ransomware attack, your technical team should immediately identify and isolate the infected computer and disconnect it from the Internet and any network. Additionally, you should determine the extent of the infection, taking offline all affected devices, locking down any shared network drives and checking file servers for signs of attack. If you maintain cyber insurance and the incident is a covered event, call your insurance agent or carrier representatives as soon as possible. Your coverage may provide a cyber-threat response team or other resources to help you attempt to decrypt the affected files, negotiate for payment of the ransom, validate the decryption key, and even deal with potential disclosure of confidential information through public relations methods.
Prudent management executives will question whether it is legal or otherwise permissible to pay the ransom in order to decrypt files, avoid disclosure of confidential or other sensitive data, or to permit the business to honor its contractual commitments. Company policies and procedures may address this aspect. Executives should consult leadership to confirm whether there is an established policy addressing the possibility of paying the ransom, versus the risks associated with failing to pay the ransom. When in doubt, legal counsel can be consulted to formulate a legal response plan and guide management through this process.
The Federal Bureau of Investigation encourages ransomware victims to report ransomware incidents to their local FBI office and/or file a complaint with the Internet Crime Complaint Center. The FBI does not support paying the ransom, as it may not be effective and provides an incentive to the attacker and copycat attackers to target other victims. However, FBI Alert No. I-091516-PSA (found here: https://www.ic3.gov/media/2016/160915.aspx) recognizes that “executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers.”
Leadership may also consider consulting public relations professionals to manage the impact of a successful ransomware attack on potential interruption of business, inadvertent disclosure of information, potential payment of the ransom and related impact on the company’s public and marketplace image.
Eastman & Smith is well-versed in assisting our clients in preparing for and addressing the growing threat of ransomware attacks. If you have any questions related to ransomware attacks, please contact Alyson J. Letsky or your Eastman & Smith attorney.
Disclaimer: The article in this publication has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.