Responding to Ransomware

Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of cryptocurrencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminals a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by teasing names such as CryptoLocker and WannaCry, but there is nothing playful about finding that you are a target. Ransoms are priced at a level that encourages compliance with the criminal demand. Yet nothing ensures that a payment will actually free up your data and restore the utility of your system; in many cases, it is clear that the criminals never intended to decrypt the data. Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment. At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data. The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should treat a ransomware attack as they would any other cybersecurity breach: it is going to happen, and the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of its data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it is important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, from which uninfected data can be extracted. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether it is financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long a restore will take, and other key issues.

2. Continually Train Employees to Recognize Attacks

Cyber criminals cause havoc in systems when they can access internal administrator accounts. There are a number of simple but effective steps that can be implemented as a defense. First, terminate all default system administrator accounts; there is no reason that a username or password provided by a manufacturer to all of its customers should be retained.

Second, limit the number of system administrator user accounts. Hackers seek out administrative credentials, and reducing the number of credentialed users reduces the vulnerability of a firm.

Third, and most importantly, train employees to be wary of the many social engineering techniques, most notably “phishing,” that criminals use to gain access to a system. Help alert personnel to suspicious emails, downloads and websites that may give hackers access to your systems, both on the company’s equipment and on their personal computers, smartphones and tablets; individuals are often targeted through social media, and understanding the potential dangers of a social media profile can protect a company. Create a culture in which suspicious external activity is freely reported (as opposed to one in which employees fear punishment for inadvertently creating a vulnerability).

3. Plan for an Attack, and Respond Accordingly

Cybersecurity response plans need to be up to date and tested. Organizations should run “fire drills” to ensure that all parties, from the C-suite to IT to line employees, know what to do and whom to contact in the event of a suspected breach. While ransomware attacks have the drama of a deadline and a specific payment, accompanied by anxiety-provoking pop-ups, they are just like any other breach, and prevention is addressed in the same way. Ensure that your “table top” exercises and breach drills are adequate to respond to evolving threats. Specifically include ransomware attacks in your employee training, so that all members of your organization know how to mobilize and respond. Additionally, ensure that your anti-malware systems can detect ransomware at the file and process level. Make sure that macros and executable files such as .exe or .js are properly policed.
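As an added illustration of what detecting ransomware "at the file and process level" can look like in practice (example code written for this page, not from the original article or any product), the Python heuristic below flags a process that rewrites many files with encrypted-looking content inside a short time window. The telemetry, the process ids and the thresholds are constructed assumptions, not real data.

```python
import math
from collections import Counter, defaultdict, deque
from random import Random

HIGH_ENTROPY = 7.5     # bits/byte; text sits around 4-5, ciphertext and compressed data near 8
WINDOW_SECONDS = 10.0  # sliding window per process (assumed tuning value)
BURST_THRESHOLD = 5    # high-entropy rewrites within the window before alerting (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; an empty buffer scores 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_bursts(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """events: time-ordered (timestamp, pid, path, written_bytes) tuples.
    Returns {pid: timestamp_of_first_alert} for every process that writes
    `threshold` or more encrypted-looking files within `window` seconds.
    A single high-entropy write (a saved photo or zip) never trips it."""
    recent = defaultdict(deque)  # pid -> timestamps of its recent high-entropy writes
    alerts = {}
    for ts, pid, path, data in events:
        if shannon_entropy(data) < HIGH_ENTROPY:
            continue  # ordinary document content; nothing to track
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop writes that fell out of the window
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts


# Constructed sample telemetry: pid 100 edits documents and saves one photo,
# pid 200 rewrites six user files with random-looking bytes in under four seconds.
_rng = Random(7)
_text = b"Quarterly revenue figures and commentary for the board.\n" * 60
_cipher = [bytes(_rng.getrandbits(8) for _ in range(2048)) for _ in range(6)]
SAMPLE_EVENTS = [
    (0.0, 100, "/home/alice/report.docx", _text),
    (1.0, 100, "/home/alice/notes.txt", _text + b"Added one note.\n"),
    (1.5, 100, "/home/alice/photo.jpg", _cipher[0]),  # compressed image stand-in
] + [
    (2.0 + 0.5 * i, 200, f"/home/alice/docs/file{i}.xlsx.locked", _cipher[i])
    for i in range(6)
]

if __name__ == "__main__":
    print(detect_encryption_bursts(SAMPLE_EVENTS))  # {200: 4.0}
```

Real endpoint agents combine this kind of burst signal with process lineage and honeypot files; the point here is only that the detection is behavioural, not signature based.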

The sums demanded by ransomware criminals may pale in comparison with the losses estimated for other cybersecurity breaches, but they deserve attention. Attacks are increasing, and their consequences can be dire. Ask the City of Atlanta or the UK healthcare system. Ransomware has crippling immediate and long-term implications for any IT system. Sometimes the culprits are mere criminals, but sometimes they are foreign governments. Either way, those in charge of securing a data system would be well advised to cross off “if” and look to “when” in planning a ransomware defense. Don’t leave your data open to a hostage demand.


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.