Ransomware: To Pay Or Not To Pay?

2016 has been a good year for Internet businesses. Unfortunately, one of those fast-growing internet businesses is ransomware, a malware that infects computer systems and denies users access to those infected systems. Users are unable to regain access until they pay a "ransom" to the party that infected their systems.

The FBI reported that there were 2,453 ransomware complaints to the Internet Crime Complaint Center (IC3) in 2015, a number likely to increase significantly in 2016. Hospitals, school districts, state and local governments, police offices, and numerous businesses have all been the victims of ransomware attacks this year.

The Two Types of Ransomware
Ransomware is typically delivered through opening attachments or clicking on links in malicious emails. Instead of sending obvious malicious emails that most users avoid and spam filters block, attackers include personalized information in their emails to make them appear legitimate. Attackers have also begun placing ransomware on legitimate websites, so that merely visiting one of these websites can infect your computer.

There are two primary types of ransomware. The first locks a computer or mobile device so that a user cannot utilize its systems. This type generally displays a message that the user has either committed a crime or done something improper, but offers to unlock the computer or device in return for payment of a "fine."

The second type of ransomware encrypts files on any local, attached, or backup drives, and potentially any connected devices, and generates a demand for payment in exchange for a decryption key. Attackers may also threaten to publish or disseminate the encrypted data if a payment is not made.

Attackers typically demand payment in Bitcoin because of the perceived anonymity associated with this virtual currency. The size of the ransom, however, is usually not excessive, ranging from a few hundred to a few thousand dollars.

Ultimately, whether to pay a ransom is a business decision. If the organization does not possess a viable backup of the encrypted data and has an immediate, critical need for access to this data (as in the case of many healthcare facilities), or the encrypted data is extremely confidential or proprietary and cannot be recovered or replicated without incurring significant cost, the most efficient and effective course of action for the organization may simply be to pay the ransom and assume the risk that the attacker will restore access.

Six Steps to Avoiding Attack
The best course of action, however, is not to be a victim. Organizations should adopt preventive measures before their systems become infected with ransomware, and the United States Computer Emergency Readiness Team (US-CERT) has issued an alert with a list of recommended preventive measures.

First, organizations should back up all critical data and systems on a regular basis. For optimal protection, backups should be both offsite and offline. Ransomware may infect backups connected to the network, and backups should also be tested for accuracy.

Second, organizations should keep the operating system and other software on their systems constantly updated with the latest patches. Unpatched vulnerabilities in operating systems and software are a common entry point for malware.

Third, organizations should employ up-to-date and multiple antivirus programs to maximize the likelihood of preventing an infection.

Fourth, organizations should educate all employees that ransomware attacks rely on malicious email attachments or links in phishing emails. Employees should be trained to verify the legitimacy of an email before opening an attachment or clicking on a link in the email.

Fifth, organizations should not enable any macros that originate from email attachments. If a user opens an email attachment and enables a macro from the attachment, embedded code may execute malware. Organizations may also want to install advanced email spam filtering which will block email messages with attachments from suspicious sources.

Finally, organizations may wish to utilize application whitelisting, which lists the legitimate applications that may be run on a system but blocks other unauthorized programs. An ounce of prevention may go a long way.

Originally published in LegalTech News on October 17, 2016.