Ransomware Threats Highlight Evolving Cyber RisksManaging Director and National Cyber Product Leader at Marsh
There’s an email message from a trusted vendor in your inbox. After clicking a link in the email, your computer freezes. Suddenly, a message pops up: “Your files are encrypted. Pay ransom within 24 hours in exchange for a computer key to decrypt your files.” If you don’t pay, your data will either be destroyed or simply kept out of reach through the malicious encryption software.
This is ransomware, a form of malware that cybercriminals are increasingly using to extort individuals and businesses. As seen in recent attacks on hospitals in the U.S. and Germany, ransomware has targeted industries that rely on computer access for extremely sensitive functions. For example, more than data is at risk for health care organizations; patients’ lives may be put in danger. And the threat goes well beyond health care.
‘A National Cyber Emergency’
While news media and others have focused on large privacy breaches involving millions of credit cards, ransomware is no less of a threat to businesses. In March, the Federal Bureau of Investigation (FBI) asked companies and computer security experts for assistance in combating the latest iteration of ransomware, called MSIL/Samas.A. The FBI also issued a set of indicators that companies can use to determine if they have been infected with MSIL/Samas.A, which seeks to encrypt data on an entire network as opposed to a single computer. One security expert described this evolution of ransomware as “becoming a national cyber emergency.”
The uptick in such “disruptive attacks”—as recently noted by security firm FireEye—has manifested in a greater frequency and growing sophistication of attacks on businesses; the sources of those attacks include everything from amateurs to suspected nation states, according to FireEye. According to McAfee Labs, four million samples of ransomware were identified in the second quarter of 2015, compared to fewer than 1.5 million samples that were identified in the third quarter of 2013.
As these new forms of ransomware are developed, their approaches are growing more subtle. For example, one form of ransomware now being used against businesses presents itself as a basic crypto-locker threat—“pay us a ransom in exchange for decrypting your files”—but actually seeks deeper access into targeted systems. This nastier form of ransomware can be used by cybercriminals not only for extortion, but also as a way of infiltrating a wider array of systems and data.
The bottom line: The threat of ransomware is here to stay. and more attacks and sophisticated ransom demands are expected in 2016.
A business should consider that paying a ransomware demand could put it greater risk of being targeted again.
Responding to Ransomware Demands
FBI officials recently noted that paying a ransom may be the easiest way for a business to resolve a ransomware attack. A Los Angeles-area hospital in February did just that, paying $17,000 in bitcoin following an attack; the hospital explained that this was the “quickest and most efficient way” to restore normal operations.
But each ransomware incident is unique. Businesses should carefully consider all of their options, in conjunction with IT and security teams in the event of an attack. In some cases, the potential data loss may not justify a ransom payment. A business should consider the possibility that paying ransom once could put it greater risk of being targeted again.
Preventing Ransomware Attacks
While there is no simple fix for ransomware, there are some basic measures an organization can take to protect against or mitigate the impact of ransomware:
- Keep all software up to date. Recent ransomware has been targeting not just basic data on individual computers, but deeper and more pervasive access into systems. As part of an overall cyber risk prevention strategy, IT administrators should ensure that operating systems, antivirus software and web browsers are updated regularly. Web browser security settings should also be in force, for example, to block pop-up ads and potentially vulnerable plug-ins.
- Back up all files regularly. Unfortunately, many businesses don’t do this as often as they should. The loss of access to data on a computer is substantially less painful if the data can be recovered without having to pay the ransom.
- Educate your organization. Security experts agree that the easiest and most effective line of defense for ransomware and other threats is an aware user. Employees, meanwhile, should be trained on how to spot potentially dangerous emails and to not open attachments or click on links in unsolicited emails—even those that appear to be from trusted sources. Staying informed about the latest tools and techniques that cybercriminals are using can help organizations to educate users and defend against the attack itself.
Although cyber insurance is not a solution to ransomware or the broader array of cyber risks, it should be an integral part of any organization’s risk management program. Many cyber insurance policies can be customized to provide coverage for cyber extortion, including ransom, investigative expenses tied to ransomware threats or other threats that restrict or hinder access to computer systems. In some cases, kidnap and ransom policies—which are separate from cyber insurance—can also provide cyber extortion coverage, including ransom demands.
Organizations should review specific language in these policies and consult with their insurance advisors to avoid potential gaps or overlaps in coverage and to ensure they have the right insurance to protect them in the event of a ransomware attack.
To paraphrase an information security cliché: There are two types of organizations, those that have suffered security breaches and those that don’t know they have been breached. It is critical that organizations move the conversation of ransomware and other cyber threats from another problem to solve to a risk that needs to be managed.