Ransomware Is On the Rise

XPAN has published numerous blog posts over the years devoted to cybersecurity generally, and ransomware specifically: “Nowhere to Run, Nowhere to Hide”, “Is Nothing Sacred? Recent Hackings on Our Governmental Entities”, and “When Will We Learn????”, to name just a few. We also speak on the topic of ransomware. And, despite the fact that organizations are constantly being plagued by the specter of ransomware, it seems like a problem with no solution. This week, we decided to break down some of the basics of ransomware, to help businesses be better prepared for when an attack strikes.

How does ransomware work? 

Ransomware is a type of malicious software. The software prevents the organization from accessing its computer systems or computer files until the hacker’s ransom is paid. Usually this involves the software encrypting the files, which renders them inaccessible. Once paid, the hacker (at least in theory) will give the organization the encryption key to unlock its systems/files. But, companies should be cautious, because not all hackers can restore your system, and it is still very important to understand how they got into your infrastructure in the first place.

How does this malicious software get into a computer system?

Often, although not always, through simple human error. This is why cybersecurity is as much a people problem as it is a technology problem.

A hacker sends a spam email that contains a link. The recipient of the email clicks on the link and BAM, the malware is deployed. Another way is through exploit kits. Exploit kits do not require a recipient to click an email; instead, the hackers upload malicious code into a compromised website.

What happens once the software is in?

Regardless of the how, panic usually ensues, as the malware infects the entire computer system, rendering it useless until the ransom is paid. As a special added bonus, even if the ransom is paid, sometimes the encryption key is flawed and the data is unusable anyway. Regardless, many times the fact that ransomware is deployed in a system can create a per se obligation to report a breach (such as under HIPAA if the data is not encrypted).

The Chubb Cyber Index recently reported:

“Malware claims, which include ransomware, have risen to 18% of all cyber claims in 2019 from an average of 12% over the past five years.”  

In addition, the Index stated that ransomware accounts for 40% of all manufacturing cyber claims in 2019. And, while the number of victims has decreased in the past two (2) years, the losses each victim suffers have increased. For example, there were 1,493 victims with losses estimated at $3,621,857 in 2018, whereas there were 2,673 victims in 2016, but the losses were less. This means that the hackers are getting better at extorting more money out of fewer victims.

What are the main sectors at risk for ransomware attacks?

Really, all industries are prime targets for a ransomware attack; if you have data, you are a target. But, not all companies are equally enticing for attackers. In 2019, there have been 140 ransomware attacks targeting public state and local governments and healthcare providers (especially smaller healthcare providers), making them this year’s prime target. One attack even shut down a network of Alabama hospitals. Immediately after the attack, the hospital system was closed to all new patients, except for the most critical cases. The attack forced the hospital to switch operations to manual mode, using paper copies instead of digital records.

In addition to the Alabama hospitals, 400 dental practices across the US were also crippled at the end of the summer as a result of a ransomware attack. Similar to Alabama, the practices could not access their digital records that included patient charts, schedules, x-rays, or payment ledgers. The affected offices said it was “devastating” to their practices because they are not able to see patients while their systems are down. 

What can businesses really do to combat this problem?  

First and foremost, training. Training is inexpensive and shows employees what to do and what not to do. Using computer-based training can seem like a good idea, but most employees are barely paying attention. Involving them in interactive training and simulations can be invaluable. And while using technology is essential, organizations can sometimes have trouble devoting resources toward cybersecurity, making education and training (by far) the biggest bang for your cybersecurity buck. Policies and training alone will not make you 100% safe (let’s face it: nothing in today’s world really will), but it shows a reasonable dedication to cybersecurity and data privacy. It also involves your employees, in a real and substantial way, in feeling they are critical to the security of the company. 

Second, make sure your organization has good and reliable backups. A backup may allow your organization to pull and restore its files without paying the ransom. One trick to having a good backup is ensuring its separate viability. A good hacker will infect a backup and delete that before deploying ransomware into the rest of the system to try and force the company to pay the ransom. It is also key that you regularly test the backup to make sure that the data is being accurately and appropriately captured and can be pulled into a live system.

Third, create policies around your backups, email use, PII (personally identifiable information) storage, etc. Not only does this establish a reasonable approach, having written policies that employees can follow provides guardrails and accountability. 

If nothing else, these techniques will make your organization more prepared to face a threat; and, as you know, Luck Favors the Prepared.  

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.