Over the weekend a massive ransomware cyberattack (known as “WannaCry”) hit over 200,000 victims in more than 150 countries. As I’ve said before, I believe that the frequency of these attacks will increase, and the ransom demands will grow. Given that many experts believe this latest attack may continue to spread on Monday as people return to work, here are some basic tips.
What is ransomware?
Ransomware is a type of malware that blocks access to data (typically by encrypting it) until a ransom is paid to the hacker.
Hospitals and other healthcare facilities are among the favorite targets of ransomware attacks, and understandably so: they provide critical care and rely on accurate, up-to-date information (patient records, drug histories, surgery plans, etc.). To avoid delays, harm to patients, and lawsuits after a ransomware attack, many victims have paid the ransom.
Of course, virtually every business today relies on computers and access to data. This latest ransomware attack’s victims included not only hospitals in the United Kingdom, but also FedEx in the United States, train stations in Germany, a Spanish telecommunications company, and universities in Asia.
And ransomware attacks are not limited to large organizations. Large organizations have generally taken steps to improve their cybersecurity practices and have the economic resources to recover from a ransomware attack; small and medium-sized businesses that have not taken those steps are easy targets for cybercriminals, and often cannot survive the economic impact. Many small and medium-sized businesses believe they are too small to be a target of cybercriminals. However, most cybercriminals today use automated attacks that blindly hit thousands of targets at once, regardless of size.
How to defend against ransomware
- Use anti-virus software: Anti-virus software can protect against known variants of ransomware, provided its signatures are kept current. It will not reliably stop a brand-new variant, so treat it as one layer of defense rather than the whole defense. Use it.
- Update your software: Set all of your software (e.g., operating system, web browser, anti-virus, etc.) to update automatically. Software companies can only patch vulnerabilities they know about, and they sometimes learn about them the hard way, by hackers exploiting them. Often, though, the patch has been available for weeks and simply has not been installed: the vulnerability WannaCry exploited had been patched by the vendor before the outbreak, and the machines that were hit were the ones still running without that update. Install security updates as soon as possible.
- Be careful of what you click or download: Watch out for emails that prompt you to click on a link or download an attachment. Doing so may infect your computer, and from there the rest of your network, with ransomware. Caution alone is not enough, though: some ransomware, WannaCry included, spreads directly from one unpatched machine to another over the network with no click required, which is why the updates above matter so much.
- Train your employees: Regularly train your employees on cybersecurity, including phishing attacks and social engineering.
- Back it up: Data backups may be the only thing that can save you from a ransomware attack. Back up your sensitive and critical data as often as you can. After you complete each backup, disconnect the external drive with the backup from your computer so that the hackers cannot encrypt your backups as well. Logging out of a cloud backup service does not achieve the same thing if the service keeps a synced folder on your computer: the ransomware can encrypt that folder and the encrypted files will sync up to the cloud. Prefer a cloud service that keeps older versions of files, or that lets you make a backup read-only once it is written. Keep at least one copy off-site, and test a restore periodically, since a backup that has never been restored is an assumption rather than a safeguard.
- Incident response plan: Have an incident response plan that will help guide you through the necessary decisions and processes that will likely follow a ransomware attack. The plan should address, for example, which law enforcement agency will be contacted, and whether or not the ransom will be paid. It should also identify key external contacts, such as legal, forensic, and public relations. This will allow for a faster, more organized, and more comprehensive response, which may help mitigate the impact of a ransomware attack.
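The “Back it up” step above, and the “Restore your files from a backup” step in the next section, come down to one check: can you prove the backup copy was not altered after you made it? The following script is an added example, not code from the original post. It copies a directory, records a SHA-256 manifest of every file, and later verifies the copy against a manifest kept off the backup medium, reporting files whose content changed, files that vanished, and files that appeared (ransomware commonly renames what it encrypts). The directory names, file contents and the `.locked` rename used to simulate ransomware reaching a still-connected backup are constructed for the demonstration.

```python
"""Backup with an integrity manifest, and a verify step to run before restoring.

Added example, not code from the original post. Assumptions: plain
directory-to-directory copies and a JSON manifest of SHA-256 digests;
the sample data, the backup layout and the ".locked" rename used to
simulate ransomware are constructed for this demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "backup-manifest.json"   # written beside the copy; keep a second copy elsewhere


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record a manifest of what was copied."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = build_manifest(dest)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dest: Path, manifest_path: Path = None) -> dict:
    """Compare the backup against a manifest.

    Pass manifest_path pointing at a copy stored off the backup medium; if the
    manifest only lives on the backup drive, whatever altered the files could
    have altered it too. Returns the lists a restore decision needs.
    """
    expected = json.loads(Path(manifest_path or dest / MANIFEST).read_text())
    actual = build_manifest(dest)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed run: back up, verify clean, then simulate ransomware reaching the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "data", Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes.txt").write_text("surgery plan: constructed sample\n")

        backup(src, dst)
        offline_manifest = Path(tmp) / "manifest-offline.json"
        shutil.copy(dst / MANIFEST, offline_manifest)   # the copy kept off the backup drive
        clean = verify(dst, offline_manifest)

        # Ransomware finds the still-connected backup: one file is overwritten with
        # ciphertext (random bytes stand in for it here) and renamed, another is
        # overwritten in place, and the manifest stored on the drive is trashed.
        victim = dst / "records" / "patients.csv"
        victim.write_bytes(os.urandom(64))
        victim.rename(victim.with_name(victim.name + ".locked"))
        (dst / "notes.txt").write_bytes(os.urandom(64))
        (dst / MANIFEST).write_text("{}")

        tampered = verify(dst, offline_manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup verifies:", before["ok"])
    print("after simulated ransomware:", after)
```

Keep the manifest copy somewhere the backup medium cannot reach; in the demo that role is played by `manifest-offline.json`, and the on-drive manifest is deliberately destroyed to show that only the off-medium copy can be trusted. Run `verify()` before restoring, and treat any non-empty `modified`, `missing` or `unexpected` list as evidence that the backup was reachable by the attacker and must not be restored from as-is.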
What can you do if you’re the victim of a ransomware attack?
- Restore your files from a backup: If you have backed up your files, first verify that the backup itself is intact (compare it against the checksums or file listing you recorded when you made it), then wipe or rebuild the infected machines before restoring; restoring onto a machine that is still infected simply hands the restored files to the ransomware again. Then be thankful that you had the backup.
- Contact law enforcement: Providing information to law enforcement agencies, such as the FBI, could help with an ongoing investigation and help prevent future attacks.
- Decide if you will pay the ransom: While law enforcement doesn’t recommend paying the ransom, in some circumstances it may be the only practical choice a business has. However, paying the ransom doesn’t guarantee you’ll get your data back: the hacker may never send a working decryption key, or may demand even more money once it is known you’re willing to pay up.
- Contact your attorney: A ransomware attack can have significant legal implications for the victim. These may include:
- Breach notification laws: As of today, 48 states have laws that may require notification to not only those affected by the breach, but to government agencies as well. Notably, the state law that applies is usually based on the residence of the individual affected, not the location of the business. That could leave a business scrambling to meet the different legal requirements (including deadlines) of multiple states at the same time.
- Federal Trade Commission (FTC) enforcement: Section 5 of the FTC Act prohibits “unfair” or “deceptive” acts or practices. Enforcement actions under the “unfair” theory have included instances where a business with inadequate cybersecurity has a data breach. In November of 2016, the FTC stated that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” Enforcement actions under the “deceptive” theory have included instances where a business has misrepresented (1) their cybersecurity measures, and/or (2) how they used or disclosed customers’ personally identifying information (PII). These types of enforcement actions could occur when, for example, a business’s website privacy notice claims cybersecurity practices (such as reasonable defenses against ransomware) that the business does not actually follow.
- Lawsuits: The legal fallout from a ransomware attack can lead to lawsuits filed against your business by third parties or business partners whose data was impacted by the attack. It can also lead to a shareholder derivative case, as well as litigation with your business’s insurance company over coverage for the incident.