Ransomware:   An Increased Cybersecurity Threat For Businesses

In its recently released Ransomware: An Increased Cybersecurity Threat For Businesses, the Online Trust Alliance reported that cybercriminals are increasingly targeting businesses with ransomware, having realized the value of the data they can hold hostage. Ransomware is malicious software that encrypts files and demands a ransom payment, usually in Bitcoin (a form of digital currency that is created and held electronically), in exchange for restoring access to the files and data.

Ransomware can infect a computer the same way a virus does. Users may accidentally download the malware by:

  • Clicking a link in an email that appears to be from a legitimate business;
  • Downloading attachments on those emails;
  • Installing software via automatic prompts; or
  • Clicking advertisements on popular websites.

Ransomware can encrypt not only the affected computer’s hard drive but also every external and shared drive to which the infected computer has access. Without payment, the attackers withhold the decryption key and the systems remain encrypted, resulting in loss of sensitive or proprietary information, disruption of business, financial loss, and reputational harm.

According to Security Magazine, ransomware infections have been steadily rising over the last two years and are expected to increase in 2016. Having initially targeted individuals or small businesses, ransomware attacks have become more sophisticated, with cybercriminals targeting a broader range of victims holding sensitive data, including schools, hospitals, and even government agencies. Hollywood Presbyterian Medical Center in Los Angeles was recently held hostage by ransomware attackers. After 10 days without access to patient records, during which it had to send patients to nearby hospitals, the Medical Center paid the 40-Bitcoin ransom demand, worth $17,000, to restore its electronic medical records system.

Sophisticated ransomware uses an anonymity network to make tracing the source nearly impossible, so turning to the police or the FBI rarely provides a remedy. Many law enforcement agencies advise victims to pay the ransom in order to regain access to files and data. Paying the ransom, however, does not guarantee that you will regain access to locked files and data.

Two of the most prevalent ransomware families are Cryptowall and FakeBsod. However, the new Locky virus, which appeared in mid-February, is already being reported as a major cybersecurity incident. Locky is sent via email with an infected document that appears to be an invoice requiring payment. When the document is opened, it asks for permission to run a macro. If allowed, the malicious macro installs the ransomware, which encrypts the victim’s files. Hundreds of thousands of devices have been affected by the Locky ransomware.

Protecting Against Ransomware:

The rise of ransomware attacks highlights the need for businesses to take greater security precautions to protect their operating systems and valuable data. Protecting against ransomware can be difficult, since attackers actively alter their programs to defeat anti-virus detection. Thus, your best defense is to regularly back up all files and data to an offsite location. Recommended security protections include:

  • Back up regularly and keep a recent backup copy offline. Perform at least once-daily backups and regularly test the ability to restore those backed-up files from offline sources that are not connected to any devices.
  • Do not enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. Many ransomware families, including the new Locky virus, rely on persuading you to turn macros back on.
  • Be cautious about unsolicited attachments. If in doubt, do not open any attachments.
  • Limit administrator access and use. Do not stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents, or other “regular work” activities while you have administrator rights.
  • Install the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. Moreover, the viewer software does not support macros, so you cannot enable them by mistake.
  • Patch early, patch often. Malware that does not arrive via document macros often relies on security bugs in popular applications, including Office, your browser, Flash, and more. The sooner you patch, the fewer open holes remain for cybercriminals to exploit.
  • Scan all emails and web downloads with antivirus software.
  • Block user access to malicious or vulnerable websites.
  • Monitor and block outbound connections to Tor and other anonymity networks.
  • Educate users/employees. Implement phishing training for all employees, underscoring the danger of opening attachments or links in unsolicited emails, even if they appear to come from within your organization, and of installing automatic software prompts.
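The Locky description above (a macro inside an emailed “invoice”) and the “do not enable macros in email attachments” recommendation both come down to one question a mail gateway or help desk can answer mechanically: does this attachment carry macro code at all? The following is an added example, not code from the original post or from any vendor it mentions. It inspects Office Open XML attachments (the zip-based .docx/.docm/.xlsx/.xlsm family), where macro code is stored as a `vbaProject.bin` member of the zip, and flags legacy binary Office files (OLE2 containers) for manual review because ruling out macros in those requires a full OLE parser. The file names, the `classify_attachment` policy labels, and the sample attachments are constructed for the example.

```python
import io
import zipfile

# Zip members whose presence means an Office Open XML file embeds VBA macro code.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt (pre-2007 formats).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """Return True if an Office Open XML attachment contains a VBA project.

    Only zip-based (OOXML) files are inspected; anything else returns False.
    """
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy for an inbound attachment.

    Returns one of:
      "quarantine" - OOXML document that embeds macros (the Locky delivery pattern)
      "review"     - legacy binary Office file; macros cannot be ruled out here
      "allow"      - no macro code found by this check
    Note that "allow" means only that this check found nothing; it is not a
    guarantee that the file is safe, so antivirus scanning still applies.
    """
    if has_vba_project(data):
        return "quarantine"
    if data.startswith(OLE2_MAGIC):
        return "review"
    return "allow"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; the content is irrelevant here.
            zf.writestr("word/vbaProject.bin", b"constructed VBA blob")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound attachments: a macro-laden "invoice", a plain report, a legacy .doc.
    samples = {
        "invoice_2016-02.docm": build_sample_document(with_macro=True),
        "quarterly_report.docx": build_sample_document(with_macro=False),
        "old_contract.doc": OLE2_MAGIC + b"\x00" * 64,
        "notes.txt": b"plain text, nothing to see",
    }
    for name, blob in samples.items():
        print(f"{name:24s} -> {classify_attachment(name, blob)}")
```

The check is deliberately content-based rather than extension-based: a macro-bearing file renamed to .docx still contains `word/vbaProject.bin`, so it is still quarantined. Pairing this with the Office viewer and macro-disabled defaults recommended above gives a layered defense, since the gateway catches the common case and the endpoint policy covers what slips through.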

Michelle Tyde is a Partner in Culhane Meadows’ Atlanta office. Michelle specializes in technology and outsourcing transactions, as well as data security and privacy issues. She is a Certified Information Privacy Professional (US) through the International Association of Privacy Professionals and an adjunct professor at Emory Law School.

This Blog/Web Site is made available by Culhane Meadows, PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.