Responding to Ransomware

By Robert Braun
September 26, 2018

Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of crypto-currencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminal a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by the teasing names of CryptoLocker and WannaCry, but there’s nothing playful about finding that you are a target. Ransoms are priced at a level that encourage compliance with the criminal demand. Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data.  Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment.  At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data.  The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should consider a ransomware attack as you would any other cybersecurity breach. That is, it is going to happen, the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it’s important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, and where it is possible to extract uninfected data. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether its financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long it will take to implement, and other key issues.

2. Continually Train Employees to Recognize Attacks

Cyber criminals cause havoc in systems when they can access internal administrator accounts. There are a number of simple but effective steps that can be implemented as a defense: First, terminate all default system administrator accounts; there is no reason that the username or password provided by a manufacturer to all of its customers should be retained.

Second, limit the number of system administrator user accounts. Hackers seek out administrative credentials, and reducing the number of credentialed users reduces the vulnerability of a firm.

Third, and most importantly, train employees to be wary of the many social techniques, most notably “phishing,” that criminals use to gain access to a system. Help alert personnel to suspicious emails, downloads and websites that may allow hackers access to your system, both on the company’s systems and on their personal computers, smartphones and tablets; individuals are often targeted through social media, and understanding the potential dangers of a social media profile can protect a company. Create a culture where external suspicious activity is freely reported (as opposed to one in which employees fear punishment for inadvertently creating a vulnerability).

3. Plan for an Attack, and Respond Accordingly

Cybersecurity response plans need to be up to date and tested. Organizations should run “fire drills” to ensure that all parties, from the C-suite to IT to line employees, know what to do and who to contact in the event of a suspected breach. While ransomware attacks have the drama of a deadline and a specific payment, accompanied by anxiety-provoking pop-ups, they are just like any other breach, and prevention is addressed in the same way. Ensure that your “table top” exercises and breach drills are adequate to respond to evolving threats. Specifically include ransomware attacks in your employee training, so that all members of your organization know how to mobilize and respond. Additionally, ensure that your malware systems can notice ransomware at the file and process level. Make sure that macros and executable files such as .exe or .js are properly policed.

The sums demanded by ransomware criminals may pale by comparison to the loss estimated by other cybersecurity breaches, but they deserve attention. Attacks are increasing, and their consequences can be dire. Ask the City of Atlanta or the UK healthcare system. Ransomware has crippling immediate and long-term implications for any IT system. Sometimes the culprits are mere criminals, but sometimes they are foreign governments. Either way, those in charge of securing a data system would be well advised to cross off “if” and look to “when” in planning a ransomware defense. Don’t leave your data open to a hostage demand.

 

Image Source: Deposit Photos

The Author

Robert Braun

Robert Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs.

For more information or to contact Bob, please visit his Firm Profile Page.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently 8 Comments comments. Join the discussion.

  1. Anon September 26, 2018 9:44 am

    partly because of the ease and anonymity of crypto-currencies

    I am disappointed that this is not explored. How are crypto-currencies (or their technical underpinnings of blockchain) even remotely tied to ransomware?

  2. JCD September 26, 2018 5:46 pm

    Cryptocurrencies facilitate anonymized financial transactions, thus giving ransomware perpetrators an easy way to actually receive ransom payment. Cryptocurrencies also facilitate money laundering, making it easier to be able to launder and eventually actually bank/spend illicit funds.

  3. Benny September 27, 2018 5:28 am

    “Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data”

    Actually, criminals rely on credibility to keep up the cash flow. If word get around that criminals do not respond after payment, no one is going to pay up. In fact, creating bogus negative reports about the perpetrators credibility can significantly reduce their impact.

  4. Anon September 27, 2018 7:16 am

    JCD,

    So if I understand your reply, it is not the tech itself that is enabling, but rather the “untracibility” of the cash-equivalence that is the vehicle being used.

    Is that a correct interpretation?

  5. Christian Chase September 27, 2018 3:33 pm

    As an I.T. professional I can add a few helpful hints:
    At a minimum, you should be making images of your computers at least every week, but daily snapshots are better. Should a hacker get in and attempt to ransom your data – simply unplug your machine and reimage it. Afterwards, change your passwords. Passwords these days should be at least 10 characters long and include uppercase, lowercase, numbers, and special symbols, but truth be told – it is now password length of password complexity. The longer the stream of random digits – the harder it is for them to hack you. If you are depending on default passwords (in any part of your system) to keep you safe – you’re dead meat. They will get in your system and ruin your day. Another trick is to principal of “Least Privilege.” Users should have to lowest level permissions that still allows them to do their job. Finally, It should be someone’s responsibility in your organization to ensure that a hardy, industry standard antivirus software is deployed and regularly updated. If you have sensitive data in your organization’s network; do use bottom-shelf antivirus freeware. You’re holding up a sign saying, “Hack Me!” Penny Wise and Pound Foolish…

  6. Pro Say September 27, 2018 5:05 pm

    Thanks Christian.

    How does one make an image of their computer? I assume you’ve not talking about backing all you file up?

  7. JCD September 28, 2018 8:43 am

    Anon – I think traceability as the primary factor is a fair characterization, although I am far from an expert in this area.

  8. Anon September 28, 2018 10:32 am

    Thanks JCD,

    Is it “traceability” per se, or is it visibility?

    I distinguish the two because blockchain promises to capture “pure” traceability in the sense that the distributed ledger is immutable and the “trial of breadcrumbs” is “locked in” is part and parcel of the new tech (whether or not that locked in traceability is visible is a different question).

    Additionally, I am interested in the unfolding effects (I too am far from an expert in this area), in an number of related avenues to blockchain.

    Some of those related areas include “visibility” of what becomes “baked in” to the chain – in distinction to any attempts to modify the chain (which clearly are thwarted in the “immutability” and “distributed” nature), skimming information from the chain without trying to disrupt the chain MAY have serious impacts for both data security as well as data privacy.

    For data security, the impact to security would be the NON-chain effects that any information-in-the-chain may be forthcoming. For example, a data breach for a retailer such as Target is not limited in its effects for shoppers AT Target, but has collateral effects across systems (e.g., outside of a “Target blockchain”), exterior to the actual items breached.

    For data privacy, I have to wonder what happens when privacy information may be entered into an immutable chain, for which (due to its distributed nature) NO ONE entity then controls and can enact any type of “right to be forgotten” aspect of any Euro-like GDPR requirement.

    I think that some of the “ballyhoo” that I see is more to “visibility” which carries with it immediate “Pro’s” AND “Con’s.” And this is precisely why I was hoping for more exploration into that aspect.

Post a Comment

Respectfully add to the discussion.

Name *
Email *
Website