Certain ransomware variants encrypt the data on the server, while others are capable of destroying data or exfiltrating it from the affected system. Most recently, in May 2017, the WannaCry ransomware made headlines when it infected computer systems globally.
Beyond the Ransom
Historically, ransomware has been used by cybercriminals to extort money from unsuspecting businesses and individuals. It was very simple: The data of affected businesses or individuals was held hostage until the owner of the data paid a ransom in exchange for a decryption key to unlock the data.
Fast forward to today and the ransomware game has changed significantly. The objective is no longer just about the money. The mission is now to cause widespread disruption. In fact, the cybercriminals behind the NotPetya global ransomware attack that occurred on June 27, 2017, walked away with only $10,000. However, the attack caused severe damage to many businesses, with some losing between $200 million and $300 million as a result of the interruption.
Preventing Attacks
Because the goal of ransomware is to encrypt your files and effectively disable access to them, the first and best line of defense is to make sure you back up your data regularly. It is recommended that the backups occur at least daily. Also, the backup should be encrypted.
In addition, exercise extreme caution when opening unsolicited attachments. Ransomware is often embedded in documents included as attachments to email. Train (and then retrain) your staff to recognize a suspicious email to mitigate the chance that an unsolicited attachment will be opened.
It is also recommended that you limit the number of users who have access to your system to only those individuals who absolutely need access to perform their job functions. Doing so inherently reduces your exposure.
Finally, don’t put all your eggs in one basket. In other words, segregate your programs through the use of secure firewalls and separate servers. This can help prevent an infection from spreading across all your data and shutting down your business.
These are just a few of the measures you should take to prevent an attack. There are certainly other measures you can and should take to enhance overall compliance and prevent unauthorized access. These include implementing a written information security plan, performing external penetration testing, implementing privacy and security policies and procedures, implementing and periodically testing an incident response plan, and conducting regular and periodic training for your employees.
Now What?
If you fall victim to ransomware, you should immediately notify your cyber liability carrier and legal counsel. These resources will be able to assist you in navigating the attack. With many ransomware attacks, it is necessary to engage a forensic IT firm to conduct an analysis of the affected system to determine the extent of the impact and whether the particular ransomware variant is capable of accessing or exfiltrating data, which is a critical factor in a ransomware risk analysis. Your cyber liability insurance carrier and your legal counsel can put you in touch with such a firm. To retain attorney–client privilege over the results of the forensic investigation, the forensic IT firm should be retained by your legal counsel on your behalf.