“Oops, your files have been encrypted!”
Last month, employees around the world found this message on their computer screens. A massive cyberattack used variants of the WannaCry ransomware program to infect more than 230,000 computers in 150 countries, demanding bitcoin ransom payments in 28 languages. Across the globe, many factories, hospitals, offices, government agencies and other entities shut down or were seriously affected.
No country was immune, with Russia, Ukraine, China and EU countries hit hardest. Fortunately, the malware contained an inherent “kill switch,” coding defects and a nonautomatic payment scheme, so that most businesses could remedy the problem, and only about 200 payments totaling $50,000 in ransom had been collected on the three WannaCry bitcoin accounts.
The danger has not abated, however, as experts fear new strains of the ransomware will be more robust. For now, WannaCry should serve as a wake-up call to all of us.
A company facing a ransom demand is in a quandary and should consult with computer experts and legal counsel on the pros and cons of paying a ransom.
Most do not pay. As cyberjournalist Brian Krebs notes, law enforcement or white hat cyber resources may have already worked out a way to break or sidestep the encryption, sometimes posting the keys to unlock the malware online, free of charge. Payment of a ransom via bitcoin is a unique transaction and is no guarantee the attacker will release the data to you. Further, payment often results in your company finding itself in the crosshairs of other malefactors looking for companies willing to pay.
In some cases, however, the stakes could be so high you may want to assume the risk of payment.
Other legal disputes will invariably follow this massive WannaCry attack, as parties try to determine responsibility for their related losses and liabilities. If, for example, your business entrusted a vendor or other business with sensitive information, that party may have contractual or other obligations to have prevented or mitigated the ransomware harm. Also, cyber insurance may cover some or all of the damages, depending on policy language and its interpretation.
In addition to restoring your company’s access to your data, a ransomware infection may trigger notification or other regulatory obligations under state or federal law. These obligations frequently turn on the nature of the ransomware, the type of information affected (protected health information or personally identifiable information), the method of infection and the steps you take to mitigate the incident. The Health and Human Services Department, responsible for enforcing the Health Insurance Portability and Accountability Act, has published guidance regarding the potential impact of a ransomware infection on breach notification obligations.
HHS also has provided resources regarding the WannaCry ransomware incident through three updates. You can view them here, here and here.
Here are two of the best defenses to ransomware and similar threats:
1. An information security plan.
Adopt and maintain one. It should serve as your guidebook for data security and practices. An information security plan should not be for the exclusive use of the information technology department, although that department will use it most often. It should contain summaries and directions that all employees can follow.
The plan should contain procedures for keeping software up to date and a process for installing security patches promptly. WannaCry targeted computers running Microsoft Windows XP, for which Microsoft had not issued security patches for the previous three years (though it has since issued a special security patch). Many businesses discovered they had an old PC somewhere still running Windows XP, and WannaCry found and exploited it.
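A patching process is only as good as your ability to measure it. The script below is an added example, not code from the column or from any vendor: it audits a constructed host inventory and flags two things the passage warns about, machines running an operating system past its vendor support date (Windows XP's end of support, April 8, 2014, is real; the other dates are assumed) and machines missing a required patch. The patch identifiers, host names and the "current-os" product are placeholders constructed for the example.

```python
"""Patch-compliance audit over a constructed host inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Assumed end-of-support dates. Windows XP's is the real one; "current-os"
# is a placeholder for whatever supported platform you actually run.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "current-os": date(2030, 1, 1),
}

# Assumed list of patches that must be present on every host of a family.
# PATCH-PLACEHOLDER-* stand in for real vendor bulletin or KB identifiers.
REQUIRED_PATCHES = {
    "Windows XP": {"PATCH-PLACEHOLDER-1"},
    "current-os": {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
}


@dataclass
class Host:
    name: str
    os_family: str
    installed_patches: set = field(default_factory=set)


def audit(hosts, today):
    """Return {host name: [findings]}; an empty list means the host is compliant."""
    findings = {}
    for h in hosts:
        issues = []
        eos = END_OF_SUPPORT.get(h.os_family)
        if eos is None:
            # Unknown platform: the inventory itself is incomplete, which is a finding.
            issues.append("unknown OS family")
        elif today > eos:
            issues.append(f"unsupported OS since {eos.isoformat()}")
        missing = REQUIRED_PATCHES.get(h.os_family, set()) - h.installed_patches
        for p in sorted(missing):
            issues.append(f"missing {p}")
        findings[h.name] = issues
    return findings


def noncompliant(findings):
    """Names of hosts with at least one finding, sorted for stable reporting."""
    return sorted(name for name, issues in findings.items() if issues)


# Constructed sample inventory: one forgotten XP box, one patched host,
# one host missing a patch, one host nobody recorded properly.
SAMPLE_HOSTS = [
    Host("warehouse-pc-03", "Windows XP"),
    Host("fileserver-01", "current-os", {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}),
    Host("reception-pc", "current-os", {"PATCH-PLACEHOLDER-1"}),
    Host("mystery-box", "unknown-os"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, date(2017, 6, 1))
    for name in noncompliant(report):
        print(name)
        for issue in report[name]:
            print("   -", issue)
```

Feed it your real asset inventory (exported from your management tooling) and an up-to-date support-date table, and run it on a schedule; the "unknown OS family" finding is there on purpose, because the XP machines that WannaCry found were precisely the ones nobody had in the inventory.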
Ransomware and other malware most typically enter a company’s system through “phishing” emails, upon which employees unwittingly click and download the infiltrating program. Anti-phishing programs and software are out there, but none is perfect. By training your workforce and adopting a culture of computer hygiene and threat awareness, you can reduce your exposure.
2. An incident response plan.
If you have an incident response plan and team as part of your overall business recovery strategy, you will not be starting from square one when you become the victim of a breach or malware attack. In the process of adopting a plan, companies often realize existing, previously unknown, vulnerabilities.
As part of a comprehensive response, you should have an up-to-date inventory of your key data, as well as the backup status for all your systems. By testing the recovery of data from backup under different scenarios, you will have a preview of the time required and the success and failure rates for the various threats.
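The restore test the passage recommends can be scripted so it runs the same way every time and produces numbers (time per file, success rate) rather than a feeling that "the backups are fine." The script below is an added example, not the column's or any product's code: it builds a key-data inventory with SHA-256 hashes of the live files, restores each file from a backup location into a scratch directory, and verifies the hash. The sample dataset and backup are constructed in a temporary directory; the drill deliberately leaves one file out of the backup and alters another, which is how a backup that was itself encrypted or corrupted shows up.

```python
"""Backup restore drill with hash verification (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(data_root: Path) -> dict:
    """Key-data inventory: relative path -> SHA-256 taken from the live copy."""
    return {str(p.relative_to(data_root)).replace("\\", "/"): sha256_of(p)
            for p in data_root.rglob("*") if p.is_file()}


def restore_drill(inventory: dict, backup_root: Path, restore_root: Path) -> dict:
    """Restore every inventoried file from backup_root into restore_root.

    Returns {relative path: {"status": "ok" | "missing" | "corrupt", "seconds": float}}.
    "corrupt" covers any content change on the backup media, including encryption.
    """
    report = {}
    for rel, expected in inventory.items():
        src, dst = backup_root / rel, restore_root / rel
        start = time.perf_counter()
        if not src.exists():
            status = "missing"
        else:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            status = "ok" if sha256_of(dst) == expected else "corrupt"
        report[rel] = {"status": status, "seconds": time.perf_counter() - start}
    return report


def success_rate(report: dict) -> float:
    if not report:
        return 0.0
    return sum(1 for r in report.values() if r["status"] == "ok") / len(report)


def run_sample_drill() -> dict:
    """Constructed scenario: three live files, a backup missing one and holding a
    damaged copy of another. Paths are temporary; nothing outside them is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "live", root / "backup", root / "restore"
        files = {  # constructed sample data
            "finance/ledger.csv": b"acct,amount\n1001,250\n",
            "hr/roster.txt": b"alice\nbob\n",
            "ops/config.ini": b"[service]\nversion=2\n",
        }
        for rel, body in files.items():
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        inventory = build_inventory(live)
        shutil.copytree(live, backup)
        (backup / "hr/roster.txt").unlink()                      # never backed up
        (backup / "ops/config.ini").write_bytes(b"\x00garbage")  # altered on backup media
        return restore_drill(inventory, backup, restore)


if __name__ == "__main__":
    result = run_sample_drill()
    for rel, r in result.items():
        print(f"{r['status']:8} {r['seconds']:.4f}s  {rel}")
    print(f"success rate: {success_rate(result):.0%}")
```

In a real drill, point `build_inventory` at the systems your incident response plan lists as critical, run the restore against an isolated scratch host (not the production path), and keep the per-file timings: they are your evidence for how long recovery from a ransomware infection would actually take.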
In developing the response plan, you may have different personnel, vendors and other resources in place for different threats, whether it's a distributed denial-of-service attack on your website, a lost or stolen laptop or flash drive, or ransomware.
Tedrick Housh III, a partner in Lathrop Gage’s Kansas City office, can be reached at firstname.lastname@example.org. Stacy Harper contributed to this column, and she can be reached at email@example.com.