Cyber extortion is a growing and rapidly evolving risk.
One of the more insidious forms of cyber extortion — so-called ransomware attacks — are on the rise. The FBI estimates that the first quarter of 2016 saw businesses and individuals pay $209 million to hackers to unfreeze files (compared with $25 million for all of 2015).
What is ransomware?
Ransomware is malicious software that encrypts a victim’s data or system so they cannot gain access to it on their computers, and then offers to unlock it in exchange for payment. Often, these attacks enter an organization’s computer system via an unwitting employee. Increasingly, sophisticated attackers gain access to systems remotely.
Either way, we expect the trend to continue as criminals employ increasingly sophisticated tools and tactics, and law enforcement struggles to track perpetrators via the virtual payments.
As more and more companies fall victim to these attacks (despite investing in security monitoring software and employee training), affected organizations must decide how to respond.
To pay or not to pay
There is no hard-and-fast rule on whether or not to pay the demanded ransom. This should be a situation-specific decision. Organizations need to consider — at a minimum — the following variables:
1. The specific data at issue.
Has the ransomware prevented access to select files, to an individual user, or to the entire network? The degree of the data’s value and/or potential disruption to a company’s ongoing operations may very well be the most critical factor in deciding how to respond to a ransom demand. Compromised client data can also be complicated as an organization needs to consider if the potential reputational damage and associated legal costs outweigh the cost of the payment demand.
2. The amount of the ransom.
Ransom amounts have historically been in the range of one to five bitcoins (the ransomware attackers’ preferred method of payment). However, recent headline-grabbing attacks have involved much larger amounts. The higher the amount demanded, the closer that number may be to the cost of paying a computer forensics firm to defeat the malware and restore access to the data and/or system. Ultimately, the latter may be a more prudent option.
3. The perceived sophistication of the ransomware.
Attackers are deploying many variations of ransomware. Some may be known to have inherent vulnerabilities in their encryption algorithms, making them prime candidates for decryption with the assistance of computer forensic experts for a nominal fee. Other strains can be cracked by using free decryption tools. However new ransomware is constantly being introduced on the black market, some with incredible sophistication and capabilities such as the ability to locate the most critical data on the network and destroy any backups.
4. The impact to operations.
An inability to access data or the overall network will affect all companies differently. A small retailer, for example, may be able to operate well enough during this period by manually recording payment information and processing those transactions following the outage. However, the cost of downtime to a manufacturer or financial institution, for even an hour, may be exponentially higher. Healthcare or transportation providers may not be legally or contractually permitted to perform some or all services during such a period. Even if they are permitted to operate, the increase in potential liability may be too high.
5. Is the data backed up?
Experts universally agree that the best defense against ransomware attacks is to back up all data. Since certain ransomware is now able to detect and delete backups, it is highly recommended to store that backup on what is referred to as an “air gapped” computer or server, which is one that is secure and isolated from all other networks. When done properly, such prudent steps can allow an attacked company to definitively conclude that payment is unnecessary.
Cyber liability and Kidnap & Ransom policies may respond to ransomware claims. (Photo: iStock)
When payment is the chosen course of action
If the five-factor analysis on the previous page results in a decision to pay the ransom, the following steps should be taken:
Work with your insurance broker and determine which policies may respond: In addition to Cyber liability insurance policies, there may be some coverage under Kidnap & Ransom and/or Property policies. Coverage may be available for the cost of legal counsel, computer forensics, data restoration, business interruption, and the ransom itself. Most policies require notification to the insurer as soon as practicable and/or within a set period of time, and also require consent before engaging outside vendors or incurring expense. It is therefore imperative to address this step immediately upon discovery of an attack.
Notify law enforcement and work with outside legal counsel: Dealing with criminals should be left to professionals. Law enforcement may be able to identify the attacker or their affiliated crime ring, and at a minimum confirm whether the attacker has made good on past promises to supply the decryption key following receipt of the ransom. While highly unlikely, there is a chance law enforcement catches the criminal and recovers the decryption key at no cost to the affected company.
Use this opportunity to better prepare for future threats: Ransomware attacks can serve as an abrupt wake-up call. Organizations can make the best of an otherwise bad situation by creating an incident response plan and, if such a plan is already in place, running simulated attacks or “tabletop exercises” to test the organization’s level of preparedness. This is also an opportune time to review all potentially applicable insurance programs and arrange for a pre-vetted list of crisis response vendors.
Dan Twersky is a claims advocate within the Claims & Legal Group for the Financial Lines Practice of the Corporate RIsk and Broking Segment of Willis Towers Watson. This article first appeared on Willis.com and is reprinted here with permission. Opinions expressed in this article are the author's own.