Ransomware: Modern Day Extortion

Expert advice to help your clients prevent and respond to this threat.

Ransomware is increasingly becoming a major cybersecurity threat. Names like “WannaCry” and “SamSam” pepper the news, and many organizations struggle with responding to this one-two punch of malicious software and extortion.

But exactly what is “ransomware”? How does it affect organizations? And what steps should you, as corporate counsel or an attorney advising businesses, or even as the operator of a business yourself, consider so that you and your clients can avoid becoming victims?

Ransomware Defined

Ransomware is a cyberattack that combines malicious software (malware) with extortion. Cyber criminals typically infect laptops, personal computers, or mobile devices with ransomware using the same delivery means as computer viruses and other forms of malware.

How Ransomware Spreads

Cyber criminals may infiltrate their victims’ systems by:

  • Tricking individuals into opening an email attachment or clicking an embedded link. Spearphishing attacks tailor these messages to specific individuals or their roles so that the messages appear legitimate.
  • Enticing individuals into visiting a particular website and downloading content that contains the malware, such as free games, pornography, or other apps.
  • Infecting otherwise legitimate, but vulnerable, websites or software packages that then deliver the malware.
  • So-called drive-by attacks where criminals exploit web browser or other software vulnerabilities so that users with unpatched software only need to visit a malicious or infected website.

An Especially Serious Form of Ransomware: Crypto

Crypto is an especially serious version of ransomware because it can destroy data. Especially at-risk organizations include hospitals, law firms, local governments, and even law enforcement agencies.

Crypto ransomware operates by encrypting data files stored on computers and mobile devices, making the data unreadable or indecipherable without a decryption key. Cyber criminals install the malware and in essence lock the files while simultaneously demanding the target pay a ransom to obtain the decryption key to regain access.

Crypto ransomware can spread rapidly throughout an organization by:

  • Discovering and encrypting files on devices connected to the originally infected computer, including:
    • USB drives or other portable media
    • Shared network drives or shared file folders
    • Cloud storage
  • Searching for other computers, including servers and databases, networked with or accessible from the originally infected computer

Helping Prevent Cyberattacks

Good cybersecurity hygiene can help protect against ransomware attacks. Understanding good data security practices is important for both you and your clients. Four key ways to protect against cyberattacks like ransomware include:

  • Application whitelisting, which permits only known, safe applications or software to execute on your systems or hardware;
  • Prohibiting external network connections to unknown or potentially hostile locations that may host command and control servers;
  • Limiting administrative rights on end-user devices and access to crucial files and other data to only those with a demonstrated need to know; and
  • Segmenting networks to limit the malware’s spread, if a single device becomes infected.

For more examples of information security controls, see the Practice Note: “Common Gaps in Information Security Compliance Checklist” available on Practical Law.

Detecting and Responding to Attacks

No matter how robust the preventative measures you have in place, attacks can still occur, especially since people are often the weakest link. When an attack occurs, a rapid detection and response system will help minimize the impact and speed recovery from a ransomware attack. Five steps organizations can take to help do that include:

  • Developing and regularly testing a comprehensive data backup and restore process, including backups for business-critical data that are not network-accessible to general end-user devices.
  • Developing and regularly testing a cyber incident response plan.
  • Training workforce members to:
    • Identify potential attacks;
    • Isolate infected devices, such as by disconnecting network connections;
    • Immediately report incidents; and
    • Avoid performing their own investigations or otherwise sharing incident-related information without authorization.
  • Implementing continuous monitoring and centralized logging controls to:
    • Quickly identify and remediate risks;
    • Alert information technology staff to potential events; and
    • Maintain an event history to help identify when and where attacks occur.
  • Being prepared to assess whether an attack triggers data breach notification or other regulations.
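The monitoring and centralized logging step above, and the earlier description of crypto ransomware spreading from one infected computer across shared network drives, can be illustrated with a small detection routine run over file-server audit events. The following is an added example written for this note; it is not code from the original article or from any product it mentions. The log line format (ISO timestamp, workstation, user, action, UNC path), the workstation and share names, the ".locked" extension and the thresholds are all assumptions constructed for the illustration, not real indicators. It flags two patterns that a single workstation would not normally produce in under a minute: a burst of renames into an extension the organisation's users do not normally use, and one workstation touching several distinct shares.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Constructed sample of a file-server audit log; the line format (ISO
# timestamp, workstation, user, action, UNC path) and every name in it are
# assumptions for this illustration, not real data or real indicators.
SAMPLE_LOG = r"""
2024-03-01T09:00:01 ws-07 alice WRITE \\fs01\finance\q1.xlsx
2024-03-01T09:02:15 ws-12 bob READ \\fs01\hr\handbook.pdf
2024-03-01T09:05:00 ws-07 alice RENAME \\fs01\finance\q1.xlsx.locked
2024-03-01T09:05:01 ws-07 alice RENAME \\fs01\finance\budget.docx.locked
2024-03-01T09:05:02 ws-07 alice RENAME \\fs01\finance\forecast.xlsx.locked
2024-03-01T09:05:04 ws-07 alice RENAME \\fs02\legal\contract.docx.locked
2024-03-01T09:05:05 ws-07 alice RENAME \\fs02\legal\nda.pdf.locked
2024-03-01T09:05:07 ws-07 alice RENAME \\fs03\shared\notes.txt.locked
2024-03-01T09:10:00 ws-12 bob RENAME \\fs01\hr\draft-final.docx
"""

WINDOW = timedelta(seconds=60)   # sliding window per workstation (assumed)
RENAME_THRESHOLD = 5             # renames into one unfamiliar extension per window
SHARE_THRESHOLD = 3              # distinct shares touched per window
# Extensions users legitimately rename files to (assumed for the example).
FAMILIAR_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str

    @property
    def share(self) -> str:
        # \\server\share\dir\file -> \\server\share
        parts = self.path.split("\\")
        return "\\\\" + "\\".join(parts[2:4]) if len(parts) >= 4 else self.path

    @property
    def extension(self) -> str:
        return ntpath.splitext(self.path)[1].lower()


def parse_log(text: str) -> list[Event]:
    """Parse the assumed five-field audit format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), host, user, action, path))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> dict[tuple[str, str], str]:
    """Return at most one alert per (host, kind); the value is a readable detail."""
    alerts: dict[tuple[str, str], str] = {}
    windows: dict[str, deque[Event]] = defaultdict(deque)
    for ev in events:
        win = windows[ev.host]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW:      # drop events older than the window
            win.popleft()
        # Heuristic 1: burst of renames into an extension users do not normally use.
        by_ext: dict[str, int] = defaultdict(int)
        for e in win:
            if e.action == "RENAME" and e.extension not in FAMILIAR_EXTENSIONS:
                by_ext[e.extension] += 1
        for ext, n in by_ext.items():
            if n >= RENAME_THRESHOLD and (ev.host, "mass-rename") not in alerts:
                alerts[(ev.host, "mass-rename")] = f"{n} renames to '{ext}' by {ev.ts}"
        # Heuristic 2: one workstation reaching several shares in a short window.
        shares = {e.share for e in win}
        if len(shares) >= SHARE_THRESHOLD and (ev.host, "share-spread") not in alerts:
            alerts[(ev.host, "share-spread")] = f"{len(shares)} shares touched by {ev.ts}"
    return alerts


if __name__ == "__main__":
    for (host, kind), detail in detect(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {host} {kind}: {detail}")
```

On the constructed sample, ws-07 raises both alerts within seven seconds of the first rename, while ws-12's ordinary edits raise none. In practice the thresholds and the familiar-extension list need tuning against the organisation's own baseline, and each alert should map to the response steps above: isolate the workstation, notify the incident response team, and preserve the event history so the timeline of the attack can later be reconstructed.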