Extent of Problem
Ransom demands typically range between $100 and $300 and are sometimes demanded in virtual currency, such as Bitcoin. The Federal Bureau of Investigation (FBI) and some industry analysts estimate that malicious actors can profit by almost $33,600 per day, or $394,400 per month, using ransomware.
The increasing profitability of ransomware has contributed to its proliferation. In 2016 alone, the FBI’s Internet Crime Complaint Center received 2,673 ransomware complaints with losses of over $2.4 million.
The latest proliferation of ransomware has affected mostly Microsoft Windows–based devices. This is because WannaCry and Petya both use an exploit, known as “Eternal Blue,” developed by the U.S. National Security Agency (NSA) and subsequently stolen and released to the public. Eternal Blue targets a vulnerability in the Microsoft Windows operating system and allows ransomware, like WannaCry and Petya, to infect devices.
Against ransomware, prevention is the best defense. To that end, companies should implement strong technical, procedural, and administrative controls that leverage people, processes, and technologies. The U.S. government, for example, recommends the following protocols.
Companies should institute training and awareness programs. Such programs should cover the common lures used to deliver ransomware. For example, phishing emails are often the source of ransomware incidents. Training employees to identify and report phishing emails can be beneficial in closing off an avenue of entry for the ransomware.
Companies should scan and block malicious emails. Companies should implement technical email filters that prevent malicious email from reaching users. Incoming and outgoing emails should be reviewed to detect potentially malicious traffic and prevent the transmission of ransomware.
Companies should stay up to date with patching. If there is one good lesson to be learned from the WannaCry and Petya outbreaks, it is this: continuously patch. Patches are software updates issued by vendors. In the WannaCry and Petya outbreaks, Microsoft issued a patch that would have closed the Eternal Blue vulnerability in the Windows operating system and thereby prevented the proliferation of the ransomware. However, many companies had a poor patching program that left them vulnerable—a sickening reality for those companies given the realization that a simple software update could have prevented the infection.
Companies should block traffic as needed. Ransomware can sometimes originate from known malicious sources. Blocking all traffic to and from these malicious sources can be pivotal in preventing ransomware attacks. Additionally, certain strains of ransomware operate in a very specific manner that requires the use of very specific protocols. By blocking such traffic, infection and the potential effectiveness of the ransomware may be curtailed.
Companies should have a solid backup system. An often-overlooked aspect of IT operations, routine data backups play a critical role in recovery from ransomware incidents. When companies implement a robust backup and recovery scheme, the impact of a ransomware event may be mitigated. For example, instead of paying the ransom or having to recreate data, data can be recovered from the backup. Many companies may think that they have a backup process established but fail to verify the integrity and viability of those backups and, more importantly, fail to test the restoration process to ensure that recovery from backups is feasible.
Prevention is easier said than done, and many companies are still likely to experience a ransomware incident. In those cases, companies should have an incident-response plan in place that can mitigate the effects of ransomware. For example, companies should consider the following strategies.
Companies should engage legal counsel. One of the first actions that any company should take is to engage legal counsel who is familiar with responding to ransomware incidents. Engaging legal counsel early will allow companies to fully understand any legal and regulatory issues that may arise and possibly ensure attorney-client privilege around subsequent activities.
Companies should isolate systems. Ransomware infections can start with just one computer and spread to other computers in an organization. Isolating an infected system (for example, by taking it off the network) can prevent the transmission of ransomware to other computers. In some situations, simply powering down a device may be effective as well. However, some security experts note that powering down a device may lead to the loss of crucial forensic data that may be valuable in an incident analysis.
Companies should change passwords. Some ransomware variants are known to capture credentials (e.g., user ID and password). Companies hit with ransomware should change all passwords after isolating the infected system or after having recovered from an incident.
Companies should implement their response plan. Activating the incident-response plan is the normal course of action in a ransomware incident. Companies should have an incident-response plan in place that is operational and has been tested. A smooth and operationally viable incident-response plan can minimize the confusion arising from, and the potential adverse impacts of, a ransomware incident.
Companies should engage law enforcement. Law enforcement can be an excellent resource when responding to ransomware incidents. The FBI, for example, has specialized expertise and can provide legal authority and tools that are otherwise unavailable to companies. Law enforcement can be invaluable in successfully mitigating a ransomware incident and should be considered. However, companies should consider speaking with legal counsel first to understand the potential implications of engaging law enforcement.
Companies should engage forensic experts. As an alternative to (or even in connection with) engaging law enforcement, companies can engage cybersecurity firms to perform computer forensics. Cybersecurity firms may be able to assist companies in finding the root cause or the source of the incident and, in some cases, perhaps even a solution to recover from the incident without paying a ransom (e.g., by using a decryption key).
To Pay or Not to Pay: That Is the Question
The biggest question from companies in the throes of a ransomware incident is whether to pay the ransom.
Most law enforcement personnel do not encourage the payment of the ransom, and rightfully so. First, paying a ransom does not guarantee the recovery of data. Furthermore, some companies pay the ransom only to find that the malicious actors request additional money. Finally, paying the ransom only incentivizes such activity, emboldening attackers to repeatedly target the company knowing that the company is likely to pay.
That said, the principled philosophy of “never negotiate with terrorists” sometimes has to yield to pragmatic concessions. Some companies may find themselves in the direst of circumstances—their backups have failed, their expected data loss is insurmountable, or the impact to their business is too large. In such situations, a company’s last resort may indeed be to pay the ransom.
Whether to pay the ransom may be a question of business necessity and must be evaluated on a case-by-case basis, taking into consideration the risks inherent in such an action.
The threat of ransomware continues to evolve and proliferate. Companies should be ready with preventive measures that can save them from being victimized. In addition to preventive measures, companies should also be ready to tackle a ransomware incident. Done correctly, preparation can be just as effective as prevention. Ransomware attacks do not have to end in payment of a ransom.
Sid Bose is an associate with Ice Miller LLP in Indianapolis, Indiana.