Briefing

Held hostage: the ransomware threat

Posted by: Michael Patrick and Alicia Mendonca | Date posted : 31/03/2017

4,000 ransomware attacks per day in 2016, a 300 percent increase from 2015. These are some terrifying statistics recently released by the US Government. For businesses, it is estimated that an attack occurs every 40 seconds.

The threat

Ransomware is malicious software which either blocks access to or encrypts your data until a ransom is paid.  While this form of cyber attack has been around since 2005, experts agree that it is becoming more prevalent and more sophisticated.  The most common model, crypto ransomware, uses unbreakable encryption.

For businesses, large and small, public or private, ransomware can have a devastating effect. Once a single device is infected, your entire computer network can be taken hostage, making it impossible to conduct any business until you pay up. Even where you have a back-up system in place, it can take time to get your network up and running again, resulting in days of lost revenue.

Ransomware attackers usually gain access through a phishing email with an infected link that, when clicked on, will quickly spread throughout the entire system.  The software then displays a message, worded to create maximum panic, warning the user that their system has been locked and that they can only access their files if they pay a fine before the deadline.  The premise is simple: if you refuse to pay the fine you lose your data. If you don't have a back-up system, this loss could be permanent.

With these serious repercussions in mind, it is important that businesses know how to prevent, prepare for and respond to a ransomware attack.

The targets

While companies of all sizes are at risk from ransomware, it is small and medium-sized businesses that most frequently fall victim to these attacks. It has been estimated that  42% of them were affected in 2016. Businesses who do not have back-up files often feel forced to pay up instead of losing their information. Research conducted by Malwarebytes found that 58% of UK companies have paid ransom money to recover their information. Meanwhile, 34% of companies reported losing their data because they did not pay. There is no guarantee that paying ransomware attackers will result in the successful recovery of your data.

Responding to an attack

There is a limited window from the point when the first device is infected where you can stop it spreading to the entire network. Government advice recommends:
• Isolate the infected device immediately.
• Secure your backup data and take systems offline.
• Change all system passwords (after removing the system from the network).
• Contact law enforcement.

On a practical level, while contacting law enforcement may be necessary for insurance purposes, there may be little the police can do to assist the individual business, although the intelligence may ultimately assist in identifying those responsible.

Once a ransomware attack has occurred the clock will be ticking, so swift action is essential.  This is where an up to date crisis management plan will be invaluable. All businesses should ensure they have a crisis management plan and that it includes cyber security issues. Risk management is an ongoing process and should not be left until in the inevitable crisis (big or small) strikes. Businesses should work with their professional advisors to keep these plans updated.

It is important to quickly establish which data has been compromised, which data is backed up and how much can be safely restored.  You can then weigh up the loss to the business if you refuse to pay the ransom and lose the data, against the financial cost of paying the ransom. It is worth noting that a 2016 survey of victims who paid ransomware fines found that only 71% had had their files restored. 

Whatever action is taken, there is the additional risk of reputational harm if the breach reaches the public domain, leading to a drop in client/customer confidence. It is important that your crisis management plan includes a communications strategy for dealing with stakeholders, the press and the public.

Do you need to notify your regulator of a ransomware attack?

For telecoms and internet service providers, the Privacy and Electronic Communications Regulations (PECR) require that the ICO is notified of a relevant data breach within 24 hours. For other organisations, there is no current obligation under the Data Protection Act 1998 (DPA) but this will change in May 2018, when the General Data Protection Regulation (GDPR) comes into force. From this point, companies will have to notify the ICO of most data breaches within 72 hours. Failure to do so will result in severe criticism and may result in heavy financial penalties.

Business would do well to let the ICO and the police know about a ransomware attack as soon as possible, to show that they are doing everything in their power to mitigate the attack and safeguard customer information. The likelihood of being sanctioned will be much lower if the company can show the proper safeguards were in place and that an up-to-date crisis plan was followed once they were hit with the virus.

Once the GDPR is in force, companies face fines of up to 4% of their global turnover or €20m (whichever is greater) for serious data breaches. A failure to show that you had sufficient security in place and that you took appropriate steps (including notification) once the breach occurred will most likely increase the fine. 

Prevention

Companies hit by a ransomware attack are likely to be the subject of regulatory sanction or public criticism if they cannot show that they took adequate steps to safeguard customer/client data, which is why backing up files and encrypting data is essential.

Given the impossibility of unlocking your data if the ransom is not paid, prevention is clearly key.  However research carried our by Citrix suggests that 20% of medium to large businesses in the UK still have no contingency plans in place to deal with a ransomware attack. In the event of a breach, a lack of prevention and preparation will not be looked on sympathetically by the ICO.

The usual cybersecurity measures apply to preventing ransomware attacks: up-to-date antivirus software, a cautious approach to attachments and sufficient training for all employees to help them identify phishing scams. It is also crucial to back-up files on a regular basis, preferably offline. This ensures that companies do not risk permanent loss of information if they are hit with an attack. Back-up files should be encrypted, so that no one can access them without permission.

For businesses, staff training and frequent updates to the cybersecurity policy are essential. Without sound level of awareness and good practice throughout the organisation, preventing a cybersecurity attack like a ransomware infection is almost impossible. Again, all staff should have crisis training so that they know what to do if they suspect a breach has taken place, even if it is simply to report that they have received a suspicious email or communication.

Summary

It is impossible to be completely protected from a ransomware attack. However, the right security, training, and preparation can help to minimise risk and mitigate loss. With sufficient protection and procedures in place, businesses are better placed to protect their data from the ransomware threat. Coupled with an up-to-date crisis plan, businesses will be less likely to suffer long-term damage from a cyber-attack.

If you require further information on anything covered in this briefing please contact Michael Patrick (michael.patrick@farrer.co.uk) or Alicia Mendonca (alicia.mendonca@farrer.co.uk) or your usual contact at the firm on 020 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, March 2017