[BreachExchange] Is Your Business Prepared for the Ransomware Epidemic?

[Audrey McNeil]

http://www.natlawreview.com/article/your-business-
prepared-ransomware-epidemic

Earlier this month, the Federal Trade Commission (FTC) kicked off its fall
technology series with a workshop on the growing threat of ransomware.
Ransomware is an increasingly common and insidious form of malware that
locks away data, holding it hostage in an attempt to extort money from
system owners.

According to some experts, ransomware is the most profitable form of
malware in history. While not a new phenomenon, the threat presented by
ransomware has reached epidemic status in 2016:

54 percent of 540 businesses surveyed were attacked by ransomware in the
past 12 months, with health care and financial services the most common
targets.[1] Banks have begun to prepare for ransomware infection by
stocking tens of thousands of dollars in Bitcoin so that they can pay a
ransom if necessary.[2]

The FBI reported that an average of more than 4,000 ransomware attacks were
recorded each day in 2016, up from approximately 1,000 ransomware attacks
each day in 2015.[3]

One survey showed that 72 percent of companies could not access their data
for at least two days after a ransomware infection and 32 percent were
locked out for five or more days, resulting in significant losses due to
downtime.[4]

Almost 1.2 million new variants of ransomware were detected in Q1 2016
alone.[5]

Many organizations, including hospitals[6] and police departments,[7] have
paid significant sums to hackers to unlock encrypted data,[8] with an
estimated $375 million in ransoms paid out so far this year.[9]

Paying a ransom does not guarantee data recovery.[10] One cybersecurity
firm found that 7 percent of businesses who paid a ransom did not have
their data restored.[11]

Given the increasing prevalence and sophistication of a ransomware attacks,
organizations should take steps now to reduce the risk of infection and
minimize the impact of an attack. Basic steps include: 1) incorporating the
risks of ransomware and other malware into the organization's security risk
analysis and risk management program; 2) implementing technical, access,
and other procedures to guard against, detect, and limit the effects of
malware, including ransomware; 3) training personnel on how to recognize,
avoid, and report cybersecurity threats; and 4) maintaining and regularly
testing the effectiveness of the organization's data incident response and
business continuity programs, including the scope and frequency of data
backup and recovery processes.

 Health Care as a Case Study

Nowhere are the dangers presented by ransomware more evident than in the
health care industry, which has become an increasingly common target for
ransomware attacks. Ransomware disruptions to health care systems can have
particularly severe and even life-threatening consequences, increasing the
chance that affected organizations will pay a ransom.

Indeed, hospitals faced several highly publicized attacks in 2016:

Hollywood Presbyterian Medical Center in Los Angeles paid hackers $17,000
in Bitcoins after Locky, a ransomware variant, took its computers offline
for more than a week in February.[19]

Methodist Hospital in Henderson, Kentucky was also struck by Locky in
March, although it was able to bring its systems back online within a few
days by restoring from backups.[20]

When ransomware took down MedStar's systems in March, it delayed lab
results, interfered with treatments, and prevented access to electronic
medical records in ten hospitals and more than 250 outpatient centers in
Maryland and the Washington, DC area.[21]

Kansas Heart Hospital was attacked in March and elected to pay a ransom.
The hackers, however, only unlocked some of the encrypted data and demanded
a second payment to unlock the rest, which the hospital declined.[22]

Health care organizations also face heightened regulatory consequences from
ransomware infection. The Department of Health and Human Services (HHS)
considers the mere presence of ransomware (or any malware) on covered
organizations' systems to be a "security incident," which triggers incident
response and reporting mechanisms.[23]

Further, if electronically stored protected health information (PHI) is
encrypted by ransomware, a breach of PHI is presumed to have occurred.[24]
This potentially triggers breach notification requirements to the Secretary
of HHS, the affected individuals, and—in some cases—the news media.[25]

What is Ransomware?

Ransomware is a devastating form of malware that encrypts or otherwise
"locks up" computer systems and data, preventing use or access. After data
is encrypted, ransomware typically informs the user of the infection and
threatens to delete the commandeered data if a monetary ransom is not paid
within a short time. Particularly dangerous strains of ransomware transfer
copies of encrypted data back to the deploying hacker, while others pretend
to be ransomware but destroy data outright rather than encrypting it.[12]

Ransomware typically enters a system due to an end-user clicking a link in
an email, visiting an infected website, or opening an infected email
attachment.[13] However, emerging strains of ransomware can also spread
without user interactionthrough server or software vulnerabilities or be
distributed automatically by malvertising.[14] Once inside a system,
ransomware will often attempt to spread to other connected systems, making
early detection and response critical to preventing a widespread infection.

The Consequences of a Ransomware Infection

Ransomware presents three primary areas of risk to organizations:

System Downtime. Ransomware infections can render entire systems and
networks unusable. Most infected organizations suffer two or more days of
system downtime that can cause disruption and significant operational
losses.[15]

Data Loss. An infection can result in temporary or permanent loss of
data.[16] While the risks associated with such losses vary depending on the
details of the organization and the affected data, the consequences can
range from mild to severe harm to the organization and its affected
customers or clients.

Legal and Regulatory Exposure. Because ransomware can access, destroy,
alter, and even transfer data to third parties, an infection can trigger
security incident or data breach reporting requirements. Affected
organizations may also face lawsuits and enforcement actions under privacy,
data breach notification, and data protection laws.[17]

The harms associated with a ransomware infection can be significant.
Victims of ransomware reported that the attacks cost them $209 million in
just the first quarter of 2016.[18] As these numbers only reflect the
fraction of ransomware attacks actually reported to the FBI, losses for
that period are likely much larger.

How to Prepare for Ransomware Threats

Prevention and preparation are critical when it comes to ransomware
protection. Organizations can reduce the risk of ransomware infection and
mitigate its effects by taking several basic steps now, such as:

Risk Analysis. Conducting regular risk analyses to identify vulnerabilities
and threats to critical information is an integral part of any information
security program. The risks associated with malware and ransomware should
be incorporated into the organization's risk analyses.

Incident Response and Business Continuity Planning. A swift, organized
response to a ransomware infection is critical in limiting or mitigating
associated harms. Having an "actionable" data incident response and
business continuity plan in place, as well as a crisis communications plan,
can significantly improve an organization's response to a ransomware
attack. Regularly testing these plans through table top and other exercises
is the key to making them actionable. A ransomware attack is a great topic
for a table top exercise.

Regular Backups. Ransomware's defining characteristic is denying access to
data. Maintaining regular segregated backups can minimize disruption to
operations in the event critical files are encrypted or deleted. Some
variants of ransomware can remove or disrupt linked or live backups, so
organizations should at least consider maintaining fully-segregated and/or
offline backups of critical or protected data. By testing their data backup
and recovery processes in advance of an attack, organizations can identify
unexpected limitations in the frequency or effectiveness of these systems
and take steps to shore these up in advance.

Workforce Training. Employee errors are the most common infection vectors
for most malware. Employees are also in a position to provide early warning
of ransomware infections. As a result, employees and other workforce
members should be trained and encouraged to identify, avoid, and promptly
report not only suspicious emails, but suspicious computer activity in
general. For example, organizations can send "test" emails to periodically
assess their employees' ability to identify and properly report "phishing"
campaigns and other attack vectors.

Technical Safeguards. Technical safeguards, such as anti-malware programs,
can be used to block suspicious emails and attachments before they are
opened. Disabling macros in email attachments may prevent an incident in
the event an infected document is opened. Limiting installation
permissions, implementing software restriction policies and whitelists, and
ensuring software and firmware are regularly updated with security patches
can help prevent malware from installing itself on systems. Protecting,
monitoring, and reviewing access logs for Internet-accessible devices can
detect suspicious activity, such as data exfiltration attempts. Finally,
organizations should implement mobile device management practices and
software to address the risk of infection or data loss through employee
mobile devices, such as cell phones, tablets, and laptops.

Access Controls. Ransomware typically only has access to the files,
permissions, and resources of the particular compromised user account. All
organizations should implement access controls using the principle of
"least privilege" to limit access to data so that user accounts are only
able to access information and network resources necessary to carry out
their duties, and so that not every compromised user infects the whole
system. Additionally, firewalls, password protections, and other measures
should be used to limit access to critical information and systems. These
measures reduce the likelihood that an infection will reach sensitive data
or spread throughout a network.

Vendor Management. Vendors that have access to an organization's networks,
systems, or data can introduce malware and ransomware just like any other
user. Organizations should review vendors' security and compliance
practices prior to engagement and periodically thereafter, and should
ensure that vendor contractual obligations include security standards,
incident notification requirements, and appropriate allocations of
liability in the event of a breach or other security incident.

Insurance. Some cyber-insurance policies now offer cyber-extortion and
similar coverage that may apply to these types of incidents. Organizations
should consider reviewing coverage options with their insurance provider or
broker.

Note that these measures form only the foundation of a data security
program. Organizations may be subject to other sector-specific legal or
contractual security requirements and should take additional steps as
necessary to protect themselves and their data based on their own
operations and related risk profile.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160929/28188c17/attachment.html>