“Oops, your files have been encrypted!”
Last month, employees around the world found this message on their computer screens. A massive cyberattack has used variants of the WannaCry ransomware program to infect more than 230,000 computers in 150 countries, demanding bitcoin ransom payments in 28 languages. Across the globe, many factories, hospitals, offices, government agencies and other entities shut down or were seriously affected.
No country was immune, with Russia, Ukraine, China and EU countries hit hardest. Fortunately, the malware contained an inherent “kill switch,” coding defects and a nonautomatic payment scheme, so that most businesses could remedy the problem, and only about 200 payments totaling $50,000 in ransom had been collected on the three WannaCry bitcoin accounts.
The danger has not been abated, however, as experts fear new strains of the ransomware will be more robust. For now, WannaCry should serve as a wake-up call to all of us.
A company facing a ransom demand is in a quandary and should consult with computer experts and legal counsel on the pros and cons of paying a ransom.
Most do not pay. As cyberjournalist Brian Krebs notes, law enforcement or white hat cyber resources may have already worked out a way to break or sidestep the encryption, sometimes posting the keys to unlock the malware online, free of charge. Payment of a ransom via bitcoin is a unique transaction and is no guarantee the attacker will release the data to you. Further, payment often results in your company finding itself in the crosshairs of other malefactors looking for companies willing to pay.
In some cases, however, the stakes could be so high you may want to assume the risk of payment.
Other legal disputes will invariably follow this massive WannaCry attack, as parties try to determine responsibility for their related losses and liabilities. If, for example, your business entrusted a vendor or other business with sensitive information, that party may have contractual or other obligations to have prevented or mitigated the ransomware harm. Also, cyber insurance may cover some or all of the damages, depending on policy language and its interpretation.
In addition to restoring your company’s access to your data, a ransomware infection may trigger notification or other regulatory obligations under state or federal law. These obligations frequently turn on the nature of the ransomware, the type of information affected (protected health information or personally identifiable information), the method of infection and the steps you take to mitigate the incident. The Health and Human Services Department, responsible for enforcing the Health Insurance Portability and Accountability Act, has published guidance regarding the potential impact of a ransomware infection on breach notification obligations.
HHS also has provided resources regarding the WannaCry ransomware incident through three separate updates.
Here are two of the best defenses to ransomware and similar threats:
1. An information security plan.
Adopt and maintain one. It should serve as your guidebook for data security and practices. An information security plan should not be for the exclusive use of the information technology department, although they will use it most often. It should contain summaries and directions that all employees can follow.
The plan should contain procedures for keeping software up to date and a process for installing security patches promptly. WannaCry targeted computers using Microsoft Windows XP, for which Microsoft has not issued security patches for the last three years (but it has since issued a special security patch). Many businesses have found they had an old PC somewhere running Windows XP, and WannaCry found and exploited it.
Ransomware and other malware most typically enter a company’s system through “phishing” emails, upon which employees unwittingly click and download the infiltrating program. Anti-phishing programs and software are out there, but none is perfect. By training your workforce and adopting a culture of computer hygiene and threat awareness, you can reduce your exposure.
2. An incident response plan.
If you have an incident response plan and team as part of your overall business recovery strategy, you will not be starting from square one when you become the victim of a breach or malware attack. In the process of adopting a plan, companies often discover existing, previously unknown vulnerabilities.
As part of a comprehensive response, you should have an up-to-date inventory of your key data, as well as the backup status for all your systems. By testing the recovery of data from backup in different scenarios, you will have a preview of time and success/failure rates for the various threats.
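One way to turn the recovery testing described above into a repeatable drill, as an added example that is not part of the original column: restore a backup into a scratch directory, verify every file against a SHA-256 manifest recorded at backup time, and report elapsed time and pass/fail counts. The directory layout and sample files are constructed in a temporary folder, and the file copy stands in for whatever restore tool you actually use.

```python
# Added example, not from the column: a backup restore drill that verifies restored
# files against a manifest taken at backup time. All paths and data are constructed.
import hashlib, os, shutil, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root, taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def restore_drill(backup_root, manifest):
    """Restore backup_root into a fresh scratch dir, verify it, and return a report."""
    scratch = os.path.join(tempfile.mkdtemp(prefix="restore-drill-"), "restored")
    start = time.monotonic()
    shutil.copytree(backup_root, scratch)  # stands in for the real restore step
    # A file fails if it is missing or its hash no longer matches the manifest
    # (deleted, corrupted, or encrypted after the manifest was taken).
    failed = sorted(rel for rel, expected in manifest.items()
                    if not os.path.isfile(os.path.join(scratch, rel))
                    or sha256_file(os.path.join(scratch, rel)) != expected)
    shutil.rmtree(os.path.dirname(scratch), ignore_errors=True)
    return {"seconds": time.monotonic() - start,
            "ok": len(manifest) - len(failed), "failed": failed}

def demo():
    # Constructed scenario: a clean drill, then one where the backup store was tampered with
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "finance"))
    ledger = os.path.join(src, "finance", "ledger.csv")
    with open(ledger, "w") as f:
        f.write("date,amount\n2017-05-12,100\n")
    with open(os.path.join(src, "readme.txt"), "w") as f:
        f.write("constructed sample data\n")
    manifest = build_manifest(src)
    clean = restore_drill(src, manifest)
    with open(ledger, "w") as f:  # simulate ransomware reaching the backup store
        f.write("encrypted-by-ransomware\n")
    tampered = restore_drill(src, manifest)
    shutil.rmtree(work, ignore_errors=True)
    return clean, tampered
```

Running the drill on a schedule and recording the `seconds` and `failed` fields over time gives the preview of recovery time and success rates the plan calls for, and a nonempty `failed` list is the signal that the backup store itself has been reached.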
In developing the response plan, you may have different personnel, vendors and other resources in place for different threats, whether it's a distributed denial-of-service (DDoS) attack upon your website, a lost or stolen laptop or flash drive, or ransomware.
Tedrick Housh III, a partner in Lathrop Gage’s Kansas City office, can be reached at firstname.lastname@example.org. Stacy Harper contributed to this column, and she can be reached at email@example.com.