
Ransomware: More Than a Technical Issue – Do You Need to Disclose?

01/03/2017  |  By: Bill Dean, CCE, GCIH, GCFA, GPEN, Senior Manager



Over the past couple of years, no information security concern has demanded more attention from organizations than ransomware. The evolution of this threat from an ineffective nuisance to a sophisticated business model generating hundreds of millions of dollars has been impressive, to say the least. While there is room for disagreement, my opinion is that ransomware has been one of the best things to happen to information security in recent memory: what other security threat has received such visibility across all industries, forcing organizations to closely analyze their information security, incident response, and business continuity capabilities? The first half of this article covers the past, present, and predicted future of ransomware attacks. The second half provides insights and perspective on recent pronouncements that may affect your organization's responsibilities when a ransomware infection occurs: HHS released guidance on ransomware, and several US states updated their data breach notification statutes. Both actions merit consideration, as they may change your organization's legal obligations after a ransomware infection.

The initial attempts at ransomware were little more than a nuisance for most organizations. Upon infecting a system, the malware simply "locked" the computer screen with a message claiming that law enforcement would act if payment was not made within a defined time period. Computers infected with this early type of ransomware were not really disabled, and law enforcement was not arriving anytime soon. Most anti-virus platforms could eradicate the infection and clean up whatever changes it had made. In addition, the payment options were too complex for most people, if they chose to attempt to comply at all. As a result of these limitations, ransomware's "scareware" tactic was largely a failure. While the first version of this threat produced a very low return on investment, it was obvious that the enterprising idea had potential. For the attack to bear fruit, however, the attackers needed to create a real urgency that forced those infected to act. Since its initial iteration, ransomware has certainly overcome those shortfalls!

The current ransomware families (yes, there are many different variants) have exceeded even the most motivated fraudster's expectations. Ransomware has quickly established itself as the predominant malware threatening most organizations; PhishMe found that 93 percent of phishing emails carried ransomware in Q1 of 2016. The attacks that security teams are currently combatting encrypt everything they can reach using strong cryptography that cannot be broken without the attacker's key: locally created user files, network shares on which the infected user account has modify rights (often the most devastating part), and any locally attached USB drives. They also delete the local Volume Shadow Copies, so Windows' built-in "previous versions" recovery is gone by the time the ransom note appears. In addition, an undocumented "feature" of most current variants is that cloud-based storage is also at risk. Here is how: cloud storage clients synchronize the local user's files to the cloud provider. If the ransomware encrypts the local files that are being synchronized, and the provider does not keep multiple versions of each file, the encrypted copies overwrite the good ones in the cloud as well.
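As an added example (not code from the original post or from LBMC's checklist), the Python script below turns the behaviour just described into two detections a security team can run: it flags the command lines ransomware uses to destroy Volume Shadow Copies in process-creation events, and it compares two snapshots of a share or sync folder to find files rewritten as near-random ciphertext under a new extension, while leaving already-compressed files such as photos alone. The log events, user names, paths and file contents are all constructed for the example; in practice the inputs would be parsed Sysmon Event ID 1 or Windows 4688 records and real directory contents.

```python
"""Two lightweight ransomware detections run over constructed sample data.

1. Process-creation events: flag the commands ransomware families run to
   destroy local recovery points (Volume Shadow Copies, Windows recovery).
2. Directory snapshots: flag files rewritten with near-random content and a
   new extension, the footprint of bulk encryption on a share or sync folder.

The events, user names, paths and file contents below are constructed for
this example; none come from a real incident.
"""
import math
import random
import re
from collections import Counter

# Command lines commonly used to delete shadow copies or disable recovery.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def shadow_copy_tampering(events):
    """Return (user, cmdline) for events whose command line matches a tampering pattern.

    `events` is an iterable of dicts with 'user' and 'cmdline' keys, the shape
    a parsed Sysmon Event ID 1 or Windows 4688 record would take.
    """
    return [(ev["user"], ev["cmdline"]) for ev in events
            if any(p.search(ev["cmdline"]) for p in SHADOW_TAMPER_PATTERNS)]


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, usually 4-6 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_rewrites(before, after, entropy_threshold=7.5):
    """Compare two snapshots ({path: bytes}) and return paths that look like encrypted replacements.

    A path is flagged when its content is near-random, it replaced a file from
    `before` (same path, or the original path plus an appended extension such
    as report.docx -> report.docx.locked), the content actually changed, and
    the original was not already high-entropy (compressed media, archives).
    """
    flagged = []
    for path, data in after.items():
        if shannon_entropy(data) < entropy_threshold:
            continue  # document-like content: not ciphertext
        candidates = [p for p in before if path == p or path.startswith(p)]
        if not candidates:
            continue  # new high-entropy file with no predecessor; a dropped binary is a separate detection
        original = max(candidates, key=len)  # longest matching original path wins
        if before[original] == data:
            continue  # unchanged
        if shannon_entropy(before[original]) >= entropy_threshold:
            continue  # was already compressed/binary; entropy alone proves nothing here
        flagged.append(path)
    return sorted(flagged)


# --- constructed sample data -------------------------------------------------
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"user": "CORP\\jdoe", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"user": "CORP\\backupsvc", "cmdline": "vssadmin.exe list shadows"},
    {"user": "CORP\\jdoe", "cmdline": "WINWORD.EXE \\\\fileserver\\finance\\Q1_report.docx"},
]

_rng = random.Random(0)  # seeded so the example is reproducible


def _ciphertext(n):
    """Stand-in for encrypted output: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


BEFORE = {
    "finance/Q1_report.docx": b"Quarterly report: revenue up 4 percent.\n" * 128,
    "finance/ledger.csv": b"date,account,amount\n2017-01-03,4100,250.00\n" * 100,
    "photos/team.jpg": _ciphertext(4096),  # compressed image: high entropy before any attack
}
AFTER = {
    "finance/Q1_report.docx.locked": _ciphertext(4096),
    "finance/ledger.csv.locked": _ciphertext(4096),
    "photos/team.jpg": BEFORE["photos/team.jpg"],  # untouched
    "finance/README_DECRYPT.txt": b"Your files have been encrypted. Pay to recover them.\n",
}


if __name__ == "__main__":
    for user, cmd in shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[recovery tampering] {user}: {cmd}")
    for path in encrypted_rewrites(BEFORE, AFTER):
        print(f"[encrypted rewrite]  {path}")
```

Run as-is, the script reports the two `vssadmin`/`bcdedit` commands issued by the infected user and the two `.locked` files, but not the ransom note (low entropy), the unchanged photo, or the backup service's harmless `vssadmin list shadows`. The entropy check is deliberately paired with the "replaced a known low-entropy file" condition: on its own, high entropy would flag every JPEG and ZIP on the share.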

By performing detailed analysis of ransomware samples, we have determined that current campaigns are geographically focused: certain countries are targeted while others are excluded, based on the location of the infected computer. Additionally, because different countries have different price tolerances (and likelihoods of paying), the ransom demanded varies with the location of the infected machine. Further, the attackers' "market analysis" has identified which file types infected users are most likely to pay to recover. Ransomware has become a big business indeed.

Given the success of the current ransomware families, we can be assured that future enhancements will continue to be made to increase profitability. As information security professionals, our job is to combat the current threats as well as possible and to anticipate the attackers' next steps. While I hope to be wrong, below are some "features" that are likely to appear in future ransomware variants:

  • Support of Additional Operating Systems – The Microsoft Windows operating systems are currently the primary target for ransomware attacks. With the market share that Apple OS X is gaining, this platform will likely be a future target.
  • Better Mobile Support - While there have been some attempts at mobile support for ransomware, it has been weak at best. With users now storing more personal pictures and videos on mobile devices, this could be a profitable feature addition from a consumer perspective. There will likely be an “app for that” in the near future.
  • More Targeted Attacks – The majority of ransomware attacks today are “opportunistic”, in that the infected user is part of a large phishing email distribution list or is inadvertently redirected to an infected ransomware distribution site while performing legitimate Internet surfing. In the future, the attacks may be more targeted with the goal of obtaining higher ransom opportunities. The attackers may even recruit disgruntled employees to assist in determining the critical files that are not being backed up that would warrant much larger ransom payments. For their assistance, the insider would receive a portion of the ransom.
  • Easier Payment Methods – Most ransomware variants today demand payment in bitcoin, a cryptocurrency whose transactions are pseudonymous and difficult to attribute to a person (though, being recorded on a public ledger, they are not untraceable). Paying in bitcoin is difficult for most people, as very few of us hold bitcoin today or know how to transact with it. To increase the likelihood of being paid, the attackers know they need to make this transaction easier. For victims who are return customers, maybe even a loyalty program with discounts on future ransoms!

While I may be able to describe the current state and opine on future of ransomware, I am not qualified to address the potential legal obligations of an organization that has experienced a successful ransomware attack. For the legal approach, I defer to Sam Felker from Baker Donelson.

Legal Guidance in Responding to a Ransomware Attack

When a ransomware attack occurs, here are some immediate legal issues to consider:

Is Breach Notification Required?  An immediate issue is whether the victimized business must notify affected parties and government agencies, like in many typical security breach incidents where customer information is stolen or compromised.  For health care clients, Baker Donelson previously issued an alert on the HHS's Office for Civil Rights Ransomware Guidance, linked here for your convenience.  In short, OCR opined that a ransomware attack is a notifiable breach unless a HIPAA covered entity can prove otherwise, greatly raising the bar for forensic analysis of, response to and documentation of such security events.   For all business enterprises, it is important to consult state laws regarding breach notification to see if the specific facts trigger a duty to notify, but that is a state-by-state analysis, as the laws of various states differ significantly.  The duty to notify may also depend on factors such as the size of the incident, the systems that were affected and whether the customer information was stolen or merely encrypted.  If you suffer an attack, it is best to get your legal counsel involved immediately, as many state breach notification laws have short deadlines for notice and other actions.

Should you contact law enforcement?  Another issue that frequently arises is whether to contact law enforcement authorities and get them involved.  That is a personal client decision, as many businesses are reluctant to have the federal government involved in their business.  For the record, the Federal Trade Commission urges businesses to immediately notify law enforcement (FBI or Secret Service) in the event of a ransomware attack.  The FBI also makes the same recommendation because it has substantial experience with these attacks and may be able to assist.  See the FBI link here. The FBI guidance also discourages the payment of ransom because the agency believes it encourages criminal conduct and there is no guarantee the ransom payment will unlock the encrypted files.

Does insurance typically cover losses related to ransomware? Clients frequently ask whether their general insurance policy will cover losses related to ransomware attacks.  The answer: it depends.  Many standard general liability policies will not cover the type of losses that frequently occur with ransomware, like business interruption and damage to brand, and some policies have specific exclusions for ransomware losses.  Other losses, like damage to computers and software systems, may be covered.  This is an area where clients need to consult their attorneys and insurance professionals in advance of a loss to make sure they are protected.  Sometimes obtaining protection from ransomware losses requires adding a specific coverage rider, but it is better to find out sooner rather than later whether there is coverage.

There are currently no "silver bullets" that prevent ransomware infections. Because attack signatures change constantly, conventional signature-based controls such as anti-virus software are not enough on their own. However, organizations can take preventative measures to build resilience against ransomware attacks, and the behaviour described above points directly at the most important ones: limit the network shares on which user accounts hold modify rights, and keep versioned backups that an infected account cannot overwrite, so that recovery does not depend on local shadow copies or on a cloud sync folder that mirrors the damage.

Ransomware Preparation Checklist

For the detailed steps your organization can take, download our “Ransomware Defense Checklist” developed by LBMC Information Security’s Managed Security Services analysts.