Out-Law Analysis 4 min. read
16 Feb 2017, 3:17 pm
However, there is no guarantee that paying ransoms will lead to the restoration of data by attackers. Organisations can take steps to prevent ransomware infecting their networks and systems but should equally put in place plans for responding to such attacks if they do hit.
Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series.
We previously looked at which people are typically behind cybersecurity breaches and the methods they use, as well as what the common vulnerabilities are and what good IT security looks like. We have also looked at how the legal landscape and regulatory fines are changing. Here we look at the rising threat of ransomware.
What is ransomware?
Ransomware is where hackers install malicious software (malware) on to computer systems to prevent businesses carrying out everyday operations or accessing data or other assets, and where those criminals demand a payment in return for restoring access to data and systems.
Often the malware will be used to encrypt files to make them unreadable to employees in an organisation, but more recently ransomware has also been used to delete files too. Ransoms are usually demanded in the form of bitcoin payments.
According to insurance market businesses Hiscox and Advisen businesses are, on average, asked to pay $10,000 to restore assets and systems targeted in ransomware attacks.
What types of organisations have been affected by ransomware?
Ransomware can affect all kinds of organisations. The UK has been one of the biggest targets for ransomware.
Hiscox and Advisen last year predicted that the number of ransomware attacks for 2016 would grow by 300% in comparison with the number of such attacks in 2015, citing a spike in the volume of ransomware incidents reported in the early part of 2016 as a sign of the growing trend.
In September last year, IT security company Trend Micro said that 44% of UK businesses have been targeted by ransomware attacks in the past two years. The level of threat was also confirmed in a survey carried out by another cybersecurity business, Malwarebytes.
Hospitals and universities are among the organisations to have been hit by ransomware attacks, even leading to operations having to be cancelled.
Data released under freedom of information (FOI) laws earlier this year revealed that 88 NHS trusts out of 260 across England, Scotland and Wales had experienced a ransomware attack in the past 18 months.
Other FOI data released last year showed that Bournemouth University had experienced 21 ransomware attacks within a single year.
The popularity of ransomware
Ransomware has become a popular form of cyber attack used by criminals as it entails very little work on their part and is, potentially, hugely profitable.
Since the well-publicised CryptoLocker attacks, which came to prominence in 2013, the use of ransomware has exploded. It is now one of the most common cyber threats faced by organisations. There is even evidence of criminals trading ransomware as-a-service for use by other criminals.
What is the impact on organisations?
The main estimated cost of ransomware attacks is not necessarily the amount of money that is demanded by criminals. Instead, more commonly it is the cost of business down-time that presents a bigger risk.
The Malwarebytes research revealed that about a third of businesses that had experienced a ransomware attack, across the US, Canada, UK and Germany, had lost revenue as a result of that attack, and a fifth of attack victims had had to stop operations entirely.
How do organisations get affected?
The most common way in which ransomware infects an organisation is where malware is triggered from phishing attacks – that is where staff click links or open email attachments, or visit websites infected by malware. Usually the malware, once installed, contacts an external "command and control" server, but some newer forms of ransomware do not even need to do so, such as Spora.
More recently there have been direct attacks on misconfigured systems that were exposed to the internet, whether internal or cloud-based.
How to respond to the risk of ransomware?
The first step is to look at defence – how to prevent ransomware from infecting your business.
Organisations should:
Where a ransomware attack hits, organisations should isolate their systems and stop any automatic back-ups. They should also get expert help, including from IT security experts and legal professionals. Organisations can consult informal guidance issued by the UK's Information Commissioner's Office (ICO) on addressing ransomware attacks too.
Should you pay?
Paying up does not always give victims of ransomware attacks back control of their data. Criminals sometimes do not decrypt data after payment or only restore access to some of the information before demanding a further payment to decrypt the remaining data, as happened with a US hospital. However, even when the victim has initiated a proper backup scheme, the time it takes to restore from the backup may be too long and, so to avoid the continued downtime, some businesses are still paying.
There is a growing collaborative effort among law enforcement agencies and cybersecurity experts in industry to fight ransomware. The 'No More Ransom' initiative is an example of this. The scheme was launched in July 2016 by the Dutch police, Europol, Intel Security and Kaspersky Lab.
The partners claim to have "created a repository of keys and applications that can decrypt data locked by different types of ransomware", meaning organisations that experience ransomware attacks may not need to pay a ransom to gain back control of their access to data.
Europol announced a growing number of partners are engaging with the initiative in a statement published in December last year.
Kuan Hon is an expert in cyber risk at Pinsent Masons, the law firm behind Out-Law.com.