The rise of ransomware – preparing for and preventing attacks

January 2017 | SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

In the past year, ransomware attacks have taken over as the fastest-growing cause of data security incidents. Graduating quickly from an obscure anomaly to national news, this increasingly prevalent form of cyber extortion now affects thousands of individuals and businesses every day. Underscoring the pervasiveness of this disruptive and damaging digital menace, the Federal Trade Commission kicked off its 2016 Fall Technology Series with a workshop on consumer protection issues related to ransomware. Moving into 2017, ransomware is set to continue evolving, posing ever-more complex security challenges for companies around the world.

An introduction

As its name implies, ransomware is a type of malicious software that infects a computer or system not only to exploit or damage the target, but also to encrypt or otherwise deny access to the data contained therein. The victim is presented with a ransom message at login, stating that their data is being held hostage and demanding payment to regain access.

Ransom payments typically must be made using a digital currency such as Bitcoin, and almost always require the victim to use a payment portal on the Darknet. This allows the attackers to remain anonymous and makes the transactions virtually untraceable. Many ransom demands include a schedule of late fees or penalties to prompt victims to act quickly. Some also threaten public disclosure of the encrypted sensitive information if the ransom is not paid. As a tactic intended to spur payment, raising the spectre of public leaks also serves as a hedge against targets that have robust backups and thus might otherwise ignore ransom demands.

Ransomware may be spread in a variety of ways, including through email phishing (including both ‘spray-and-pray’ and targeted spear-phishing campaigns), ‘malvertising’, brute force attacks, exploitation of un-patched known vulnerabilities, and even SMS messages. Although most forms of ransomware are delivered via email, newer variants may lurk on hacked websites and can infect machines through social engineering or so-called ‘drive-by downloads’, which execute when a user visits a malicious website or loads a compromised webpage, regardless of whether the user clicks on links or enters information.

The purveyors of ransomware may target individuals or businesses, but the potentially devastating effects of a ransomware attack on a business can create unique leverage. Businesses stand to suffer substantial losses when struck by ransomware, and the ransom payment often is the least of them. Ransomware can bring business operations to a screeching halt, expose customer and employee personal data to thieves, damage the company’s reputation, and even disrupt customer access to vital services, such as healthcare or utilities.

In addition to business lost while the system is infected and data is unavailable, the company often must engage an outside forensics IT consultant to assist with remediation and restoration. Even in the best case scenario, when a ransom payment results in release of the data and no further demands from the criminal, a company’s systems must be examined to ensure that the attack vector has been eradicated. Certain types of ransomware, for example, not only lock up data on the machines they infect, but install additional malware such as Dridex to steal login credentials stored on the computer. In the aftermath of an attack, the company must determine whether personal data was affected, thereby triggering a security breach notification obligation under state or federal law. And if the attack can be attributed to lax security measures, a regulatory investigation or other legal action may result.

A brief history

By most accounts, ransomware first emerged in the late 1980s and was spread by floppy disk. The tactic attracted a certain amount of attention from IT professionals during the 1990s and early 2000s, but ransomware was not observed ‘in the wild’, spreading uncontained and actively infecting the general public, until 2005. Ransomware was first deployed on a mass scale in 2012, when a common scam featured what appeared to be a letter from law enforcement stating that the user’s data had been locked due to copyright infringement or another computer crime, and demanding payment for its release.

Over the past two years, ransomware has become the subject of mainstream media attention and has shown up on the radar of many who had not previously heard of it. Throughout 2015 and 2016 we have seen a growing number of reports concerning high-profile attacks on healthcare organisations, both in the US and abroad, as well as on companies in the retail and banking sectors and government agencies.

In the early days of ransomware, attacks were relatively simple and comparatively harmless, perhaps disabling the use of a keyboard or mouse and demanding payment to restore functionality. Payment was often unnecessary as widely-available malware removal tools could fix the infected computer, and the annoyance of malfunctioning peripherals posed little risk to data on the computer.

Not so today. Novel varieties of ransomware are now emerging almost daily, with new criminal actors entering the market. Ransomware targets and methods have become more pernicious as well, affecting Linux and Mac systems and mobile devices, in addition to Windows-based machines. Newer ransomware also includes features designed to evade preventative security measures and hinder post-attack remediation. Ransomware has overtaken advanced persistent threat (APT) hacking in terms of prevalence, and is now seen as the most vexing cyber threat to organisations around the world.

Ransomware-as-a-Service (RaaS), a relatively recent twist on the highly popular and profitable Software-as-a-Service model, has expanded the scope of the problem by opening the market to individuals who lack the coding or scripting expertise necessary to develop their own ransomware. An inexperienced cyber criminal can now download and configure their own version of a ransomware program developed by someone else, with the developer taking a cut of the profits from ransom payments made by victims.

To pay or not to pay?

When confronted with a ransomware attack, most individuals and companies at least consider paying the ransom. The amounts at issue often are quite low, with the average demand being around two Bitcoin, or approximately $1500 at the time of writing. For a company threatened with business interruptions or significant data loss, ransom payments may be seen as the most expedient solution and a small price to pay to restore normalcy.

But the question of whether or not to pay a ransomware demand is complicated by a variety of factors. In the early days of the ransomware epidemic, anecdotal evidence indicated that, more often than not, data would be returned if the ransom was paid. However, there has never been any guarantee of a favourable result, and stories of successful ransom payments have grown scarce. Given that a ransom payment does not ensure a positive outcome, and may result in subsequent demands or even future targeting, the consensus seems to be trending against payment.

Even when the results were more predictably favourable, it was considered inadvisable to pay for a number of reasons. Although law enforcement generally does not give any explicit advice in this regard, officials have indicated that they are aware of numerous cases in which a ransom payment was made, but the data was not returned. More seriously, paying a ransom may violate Office of Foreign Assets Control economic sanctions prohibiting payments to certain designated organisations, including terrorist groups. The anonymity of these transactions prevents victims from knowing who they are paying to release their data, so companies that go this route run the risk of violating laws and regulations that restrict certain monetary transfers.

Defending against ransomware

It may not be possible to prevent a ransomware attack by a dedicated actor, but there are a number of steps companies can take to harden their defences against such attacks, and to mitigate the potential fallout if an attack occurs.

First and foremost, companies should implement robust backup and recovery policies and procedures that require backups to be maintained separate from the main network, preferably off-site. Companies often feel forced to pay ransom if they are otherwise unable to recover the data because their backups are insufficient. Further, a disaster recovery plan that does not guarantee quick restoration of normal operations may also increase pressure to pay a ransom, as lost business opportunity costs mount. Counsel should not assume that clients have these issues covered, as many large and reputable companies have suffered significant damage due to incomplete or inadequate backups of their sensitive corporate data and poor recovery protocols.

Another key to preventing a ransomware infection is thorough data security training and education of the workforce regarding threats and likely lines of attack. Since fraudulent emails are one of the main vectors by which ransomware is transmitted, sending simulated phishing emails to employees can be a simple and effective tool to assess vigilance and raise awareness.

Finally, a number of technical and administrative solutions may be implemented to help reduce risk. For example, companies can disable the use of vulnerable plugins in web browsers, deploy intrusion prevention and endpoint security software, use up to date antivirus signatures, and ensure security patches are installed promptly to guard against known vulnerabilities. To combat the scourge of increasingly convincing email forgeries, companies should consider using identity verification technologies at both the personal and enterprise levels to boost protection.

Melinda McLellan is a partner at Baker & Hostetler LLP. She can be contacted on +1 (212) 589 4679 or by email: mmclellan@bakerlaw.com.

Melinda McLellan

Baker & Hostetler LLP