4,000 daily attacks since 1 January 2016, a 300 percent increase from 2015: these are the terrifying ransomware statistics recently released by the US Government (1).
Ransomware is malicious software designed to either block access to or encrypt data until a ransom is paid, usually in the digital currency bitcoin. While this type of cyber attack has been around in some form or another since 2005, experts agree that it is not only becoming more prevalent but more sophisticated. The latest iteration – "crypto-ransomware" – uses unbreakable encryption.
The criminals typically gain access through email or social media, inserting a malware-infected link that, when clicked on, will quickly spread the infection throughout the system. A message will then be displayed, worded to create maximum panic, advising the user that the system has been locked or encrypted and that to access their files they will need to pay a fine before a specified deadline, at which point the fine will increase. The premise posed by the attackers is simple: if you refuse to pay the fine you lose your data, permanently.
Although no organisation can ever hope to be completely safe, the chief lesson here is one of data security. This does not simply mean having the right antivirus and anti-malware software (alongside staff training) and insisting on effective remedies and assurances in contracts with third-party network and storage providers, but also ensuring effective and secure back-up (the 7th Principle of the Data Protection Act 1998 governs loss of personal data as well as unauthorised access).
Examples of recent attacks
Government entities are frequently targeted by cybercriminals. In January 2015, Lincolnshire County Council was forced to shut down its entire IT system after receiving a £1m ransomware demand. This year, a Freedom of Information request revealed that 30% of UK councils had suffered a ransomware attack in 2015, with one council reporting 13 separate attacks in that year. Of these, 65% reported that they had not paid a ransom.
However, research shows that most victims of ransomware attacks in the UK do pay up. Research conducted by Malwarebytes(2) found that 58% of UK companies have paid ransom money to recover their information. Meanwhile, 34% of companies reported losing their data because they did not pay.
While paying ransomware perpetrators is never to be recommended, some victims who do not have back-up files will choose to do so instead of losing their information. This is especially the case where the information is of vital importance, such as health data. In May 2016, Kansas Heart Hospital paid to get its files back after a ransomware attack in the US: however, in a further twist of the knife, the perpetrators did not restore full access to the hospital's files, decrypting only part of the data. The hospital decided not to pay a second ransom.
Healthcare facilities are often targeted by cybercriminals. Earlier this year, ten hospitals in Maryland were hit by a single ransomware attack: the hospitals managed to bring their systems back online without making a payment, but not before being forced to shut down their entire network.
One of the most notorious ransomware infections to hit the IT world was CryptoLocker. Between September 2013 and June 2014, CryptoLocker infected approximately 500,000 devices around the world and extorted an estimated $3 million from victims who agreed to pay rather than lose their files.
US government agencies were among the victims targeted. In 2013, two NASA computers were hit by the infection but, as NASA has a fully backed-up data storage system, no ransom was paid. The US Department of Health and Human Services suffered over 20 CryptoLocker-related incidents across its computers, and police departments were also targeted.
CryptoLocker was disabled after law enforcement agencies collaborated on an international scale in what was known as "Operation Tovar", to seize the computers and servers in control of the virus. Several individuals were charged by the US Justice Department for their involvement in the attack. Since then, two major viruses have emerged: CryptoWall and TeslaCrypt. Public and private security forces tend to work together to tackle ransomware infections as and when they arise.
Responding to an attack
But should companies be paying these criminals, and what is the guidance coming from the UK government? The answer to the second question is disappointingly little, the last substantive guidance having been issued some 18 months ago.
In the United States an interagency initiative has resulted in a detailed technical guidance document, 'How to Protect Your Networks from Ransomware'(3). On infection, the US guidance recommends isolating the affected devices immediately, securing backup data or systems by taking them offline, changing all system passwords (after removing the system from the network) and contacting law enforcement.
On a practical level, while contacting law enforcement may be necessary for insurance purposes, there may be little the police can do to assist the individual business, although the intelligence, once fed into the wider picture, may ultimately assist in identifying the criminals responsible.
Once a ransomware attack has occurred the clock will be ticking, making swift decision-making essential. At this point an up-to-date crisis management/business continuity plan will be invaluable. A core team comprising the IT experts and management will need to move quickly to establish the amount of data compromised and how much is backed up and can be safely restored. The management can then weigh up the loss to the business if it refuses to pay the ransom and loses the data, against the financial cost of paying the ransom to the criminals. Payment of course comes with the risk that the data will still not be released or that the criminals will strike again, having identified a vulnerable target. A 2016 survey indicated that, of those surveyed who paid, only 71% had had their files restored(4). Whatever action is taken, there is the additional risk of reputational harm if the breach reaches the public domain, leading to a drop in client/customer confidence.
Where the business does decide to pay a ransom, research from F-Secure(5) suggests that it may be possible to negotiate with the criminals. In a test scenario using a fake account, the company found that three out of four ransomware 'families' were prepared to negotiate, resulting in an average 29% discount from the original fee. While a risky proposition to test in real life, payment deadlines were also found to be flexible.
A report from digital experts Citrix(6) also found that a surprising third of UK companies are stockpiling digital currency such as bitcoin in case a ransomware demand needs to be paid, with 35% of large firms (2000 employees and over) willing to pay over £50,000 to regain access to their data.
Is a ransomware attack a data breach requiring notification to regulators?
For telecoms and internet service providers, the Privacy and Electronic Communications Regulations (PECR) require that the ICO is notified within 24 hours of a relevant data security breach. For other organisations, there is currently no mandatory legal obligation under the Data Protection Act 1998 (DPA) – which there will be under the forthcoming General Data Protection Regulation, effective on 25 May 2018 – but the ICO states that it is ‘good practice’ to do so, and further advises that there should be a presumption to do so in cases of 'serious' breach (measured by its capacity to cause prejudice to data subjects).
This present 'discretionary' approach to data breach reporting is not simply a paper tiger, however: self-reporting is often highly advisable in order to avoid aggravating criticism and penalties should the breach come to the ICO's attention by other means (whether from the cyber-criminals or the members of the public affected, who it is also advisable to notify in such situations if their data is compromised). Serious data breaches carry the potential for six-figure fines and public enforcement decisions by the regulator.
A data security breach is defined by the ICO as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service"(7). Ransomware attacks alter data, grant unauthorised access to it, and sometimes result in data destruction. This clearly constitutes a data security breach, and the malicious and organised nature of these attacks means widespread harm to data subjects may be likely.
Communications service providers should therefore notify the ICO immediately following an attack; whilst other organisations should strongly consider whether they need to notify both the regulator and those affected, at least as soon as they have adequate information to do so meaningfully, especially if customer or other third-party data is compromised.
However, the ICO has made it clear that customers (and generally the ICO itself) do not need to be notified of data breaches where the personal data was encrypted. It would follow that customers do not need to be told about a ransomware attack on encrypted data, unless their important personal information has been lost or destroyed, or there is any reason to believe the encryption was ineffective or worked around.
The fact that few victims of ransomware in the UK have been named in the press, despite research by Malwarebytes indicating that 54% of British businesses have been affected, suggests that most ransomware attacks are not notified to the public. This may not mean attacks are going unreported to the ICO; the regulator may be satisfied in most cases that (by reason of encryption or otherwise) no further action is needed. There is a separate reporting form for where organisations suffer malicious or criminal breaches (under section 55 DPA), which is less exacting than where an organisation is owning up to systemic error or carelessness.
Businesses should not therefore be reluctant to let both the ICO and the police know about a ransomware attack as soon as possible, to show that they are doing everything in their power to mitigate the attack and safeguard customer information. The likelihood of being sanctioned will be much lower if the company can show that the proper safeguards were in place, meaning that no fault was involved and personal data was protected, and that an up-to-date crisis plan was followed once they were hit with the virus.
Given the impossibility of retrieving blocked or encrypted data if the ransom is not paid, prevention is clearly the ideal; but given the growing IT sophistication of the attackers, mitigation is perhaps the more realistic option. However the Citrix research suggested that 20% of medium to large businesses in the UK still have no contingency plans in place to deal with a ransomware attack. The same survey found that 48% of British businesses fail to back up their data at least once a day.
The usual cybersecurity measures apply to preventing ransomware attacks: up-to-date antivirus software, up-to-date computer software, and staff training (e.g. a cautious approach to attachments, links and images in emails and being on the look-out for phishing scams). Another important measure is to back up files on a regular basis, preferably offline. This ensures that companies do not risk permanent loss of information and that they have a record of what information has been compromised. Back-up files should be encrypted, so that only suitably authorised individuals, on a 'need-to-know' basis, are able to access them.
It is also recommended that individuals check file extensions on Windows before opening an attachment, to make sure the file is in a trusted, recognised format. For businesses, staff training and frequent updates to the cybersecurity policy are essential. Without a sound level of awareness and good practice throughout the organisation, preventing a cybersecurity attack like a ransomware infection is almost impossible.
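The extension check recommended above is easy to state but easy to get wrong by eye, because Windows hides known extensions by default, so a file named `invoice.pdf.exe` is displayed as `invoice.pdf`. The following Python script is an added example (not from the article or any product it mentions) of the check an email gateway or a helpdesk triage tool can apply mechanically: it recovers the true extension of a filename, including when whitespace padding or a double extension is used to disguise it, and returns a block/review/allow verdict. The extension lists are illustrative assumptions, not an exhaustive policy, and the sample filenames are constructed.

```python
"""Flag attachment filenames whose true extension is risky or disguised.

Added example, not the article's own material. The extension sets below are
assumptions chosen for illustration; tailor them to local policy.
"""
import re
from typing import List, NamedTuple

# Types Windows will run or hand to a script host on double-click (assumed list).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "hta", "jar", "msi", "lnk", "cpl",
}
# Office formats that can carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives conceal the real extension inside the container.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Harmless-looking formats that are often imitated with a fake inner extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


class Verdict(NamedTuple):
    filename: str
    true_ext: str
    risk: str      # "block", "review" or "allow"
    reason: str


def split_extensions(filename: str) -> List[str]:
    """Return the lower-cased extension chain: 'a.pdf.exe' -> ['pdf', 'exe'].

    All whitespace is removed first, so padding used to push the real extension
    out of view ('invoice.pdf      .exe') is treated exactly like 'invoice.pdf.exe'.
    """
    name = re.sub(r"\s+", "", filename.strip())
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]   # parts[0] is the base name


def classify_attachment(filename: str) -> Verdict:
    """Decide whether a filename is safe to open on the basis of its real type."""
    exts = split_extensions(filename)
    true_ext = exts[-1] if exts else ""
    inner = exts[:-1]

    if true_ext in EXECUTABLE_EXTS:
        fake = [e for e in inner if e in DOCUMENT_EXTS]
        if fake:
            return Verdict(filename, true_ext, "block",
                           f"'.{fake[-1]}' in the name disguises an executable")
        return Verdict(filename, true_ext, "block", "executable or script type")
    if true_ext in MACRO_EXTS:
        return Verdict(filename, true_ext, "review", "macro-enabled Office document")
    if true_ext in ARCHIVE_EXTS:
        return Verdict(filename, true_ext, "review", "archive: inspect contents first")
    if not true_ext:
        return Verdict(filename, true_ext, "review", "no extension: type unknown")
    if true_ext in DOCUMENT_EXTS:
        return Verdict(filename, true_ext, "allow", "recognised data format")
    return Verdict(filename, true_ext, "review", "unrecognised extension")


# Constructed sample attachment names, as might arrive in a phishing campaign.
SAMPLE_ATTACHMENTS = [
    "Q3 report.docx",
    "invoice.pdf.exe",
    "invoice.pdf                    .scr",
    "scan_0042.jpg.js",
    "payroll.xlsm",
    "delivery note.zip",
    "README",
]


def triage(filenames: List[str]) -> List[Verdict]:
    """Classify a batch of filenames, most dangerous first."""
    order = {"block": 0, "review": 1, "allow": 2}
    return sorted((classify_attachment(f) for f in filenames),
                  key=lambda v: order[v.risk])


if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        print(f"{v.risk:6} .{v.true_ext or '-':5} {v.filename!r}: {v.reason}")
```

Run stand-alone it prints the sample batch with the two disguised executables and the `.js` file blocked, the macro workbook, the archive and the extension-less file marked for review, and only the plain `.docx` allowed. Stripping whitespace before splitting is the detail that matters: a long run of spaces is the usual way to make the real extension scroll out of view in a mail client's attachment pane.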
Finally, as with the Maryland hospital network, it will very often be a third-party provider of network or storage services that is attacked. However, where such companies are acting as a data processor of an organisation's own data, liability for what happens to any personal data will rest with the original "data controller" organisation. Therefore it is important, and indeed a legal requirement, to have adequate contractual safeguards in place to ensure the continued security of such data outside the organisation (which, depending on the nature of the data and the role in question, may require conferring a duty to encrypt and back up).
Companies hit by a ransomware attack are likely to be the subject of regulatory sanction or public criticism if they cannot show that they had taken adequate steps to safeguard customer data, which is why the above steps are essential considerations.
Looking at the bigger picture, both the public and private sector have realised that fighting ransomware infections requires collaboration. The No More Ransom project is an initiative launched by the Dutch National Police, Europol, Intel Security and Kaspersky Lab to bring together law enforcement and private security companies to fight ransomware. Its website, nomoreransom.org, provides public information about the dangers of ransomware and helps victims to recover their data without having to pay cybercriminals. The website provides instructions on how to disable several known types of ransomware infection, and is updated as new methods of disabling attacks are discovered. It also provides guidance on best practice and preventative measures. The initiative allows private and public sector bodies to share skills and knowledge to target cybercriminals and raise awareness about ways to combat and prevent these kinds of attacks.
Leading cybersecurity companies have also teamed together to form the Cyber Threat Alliance (CTA), sharing intelligence and information on attackers. The group aims to strengthen industry awareness so that customers are offered a better security service. Together, members of the CTA produced in-depth research into the CryptoWall version 3 threat, which had cost over $325 million in damages and attacked hundreds of thousands of devices around the world.
Such initiatives remain vital. Increasing cross-sector awareness is the best way to ensure sufficient protection and procedures are in place to restrict data loss and customer or business damage in the event of an attack. When the criminals have better tech than the victims, this is the only way businesses can build a meaningful level of protection from the ransomware threat.
(2) Osterman Research, 'Understanding the Depth of the Ransomware Problem in the United States', Survey Report, July 2016.
(4) Jeffrey Henning, 'Crypto-Ransomware: Survey of IT Experts', Researchscape International, 4 February 2016, p. 16.
(7) Information Commissioner's Office, 'Guide to the Privacy and Electronic Communications Regulations', 20 May 2016.
A version of this article appeared in the August edition of Cyber Security Law and Practice.
© Farrer & Co LLP, September 2016