
The Evolving Threat of Ransomware and How to Protect Your Company

By now, most people are aware of the trending topic of cybersecurity. They have read about the Ashley Madison, Target, or Sony breaches of recent years. Those widely publicized breaches involved personally identifiable information (“PII”) being stolen and then either released to the public or sold on the dark web, where it can be used to embarrass the victims or to commit identity theft.

What is Ransomware?

In recent months there has been a rise in another form of cybersecurity breach: ransomware, a type of malware that encrypts the data on a computer, shared drive, or other device and demands payment for the key. Current variants typically arrive when an employee opens an attachment to a seemingly harmless email or visits an infected website. Once running, the malware encrypts not only the employee’s own hard drive but any network files or shared drives that the employee’s account can write to. A message then informs the employee that the files have been encrypted and that a ransom must be paid (usually in bitcoin), with instructions on how to make the payment. An employee and a company that are not adequately prepared face a dilemma: pay the ransom so they can quickly get back to normal business, or try to rebuild what the attackers have locked up?
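The behaviour just described, one account rewriting everything it can reach on a share as ciphertext, leaves a measurable trace: many files vanish or change at once, the replacements have near-maximal byte entropy, and a ransom note appears. The following is an added example, not code from the original article, of a Python monitor that baselines a share, compares a later snapshot, and alerts on that pattern. The share layout, the `.locked` suffix, the thresholds, the ransom-note keyword list and the SHA-256 counter-mode “cipher” used to stage the incident are all constructed for the demo; they do not describe any particular ransomware family.

```python
"""Heuristic detector for mass file encryption on a share.
Added example, not from the original article. All paths, thresholds,
suffixes and keyword lists below are assumptions made for the demo."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_FLOOR = 7.5   # bits/byte; encrypted or compressed data sits near 8.0 (assumed threshold)
ALERT_RATIO = 0.25    # alert once this share of baseline files is gone or rewritten (assumed)
NOTE_KEYWORDS = ("decrypt", "recover", "restore", "readme")  # ransom-note name fragments (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; English text is roughly 4-5, ciphertext about 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Relative path -> (sha256 hex, entropy) for every file under root."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return snap


def analyse(before: dict, after: dict) -> dict:
    """Compare two snapshots and decide whether the change pattern looks like mass encryption."""
    findings, affected = [], set()
    for rel, (digest, ent) in before.items():
        if rel not in after:
            findings.append((rel, "baseline file gone (renamed or deleted)"))
            affected.add(rel)
        else:
            new_digest, new_ent = after[rel]
            # Rewritten in place AND the content jumped from structured data to noise.
            if new_digest != digest and new_ent >= ENTROPY_FLOOR and new_ent > ent + 1.0:
                findings.append((rel, f"rewritten as high-entropy data ({new_ent:.2f} bits/byte)"))
                affected.add(rel)
    for rel, (_, ent) in after.items():
        if rel in before:
            continue
        if ent >= ENTROPY_FLOOR:
            findings.append((rel, f"new high-entropy file ({ent:.2f} bits/byte)"))
        elif any(k in Path(rel).name.lower() for k in NOTE_KEYWORDS):
            findings.append((rel, "new file with a ransom-note-like name"))
    fraction = len(affected) / max(len(before), 1)
    return {"findings": findings, "fraction": fraction, "alert": fraction >= ALERT_RATIO}


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (demo only, not for real use)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[block:block + 32], keystream))
    return bytes(out)


def simulate_incident(share: Path, writable: list) -> None:
    """Constructed incident: every document in a folder the user can write to is
    encrypted and renamed, then a ransom note is dropped. Read-only folders survive."""
    key = b"demo-key-not-secret"
    for folder in writable:
        for p in list((share / folder).glob("*.txt")):
            # ".locked" is an assumed suffix, not that of any specific variant.
            p.with_suffix(".txt.locked").write_bytes(toy_encrypt(p.read_bytes(), key))
            p.unlink()
        (share / folder / "HOW_TO_RECOVER_FILES.txt").write_text("Pay 4 BTC to get the key.\n")


def run_demo() -> dict:
    share = Path(tempfile.mkdtemp(prefix="share-demo-"))
    sentence = "Quarterly results were in line with expectations. "
    for folder, n in (("finance", 4), ("hr", 2), ("archive", 2)):
        (share / folder).mkdir()
        for i in range(n):
            (share / folder / f"doc-{i}.txt").write_text(sentence * 160)  # about 8 KB of plain text
    before = snapshot(share)
    simulate_incident(share, writable=["finance", "hr"])  # "archive" is read-only for this user
    after = snapshot(share)
    result = analyse(before, after)
    result["survivors"] = sorted(rel for rel in before if rel in after)
    return result


if __name__ == "__main__":
    for rel, why in run_demo()["findings"]:
        print(f"{rel}: {why}")
```

Running `run_demo()` flags six baseline files as gone, six new near-8-bit files in their place and two ransom-note-like files, so three quarters of the baseline is affected and the alert fires, while the two documents in the read-only `archive` folder are untouched. That last point is why least privilege on shares matters: the malware only encrypts what the compromised account can write. In production the snapshot would be taken from canary files or a periodic crawl and compared over a short window, and the thresholds tuned against normal activity on that share.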

Recent Attacks at Hospitals and Law Firms

Ransomware made a splash earlier this year when it was initially reported that medical records at Hollywood Presbyterian Medical Center (“HPMC”) were unavailable for more than a week, with certain equipment unusable, until a ransom of $3.4 million (9,000 bitcoins) was paid. That shocking figure was later corrected when the hospital’s President and CEO released a statement confirming that the amount actually paid was approximately $17,000 (40 bitcoins). While the price paid to the attackers is newsworthy, the weeklong disruption caused by the attack is even more so: some patients had to be transported to other hospitals, and certain work had to be completed offline.

More reports of hospitals affected by ransomware soon followed. Methodist Hospital in Henderson, Kentucky fell victim to the Locky variant a month after the Hollywood attack. The usual ransom demand for a Locky victim is 4 bitcoins (approximately $1,600 at the time, consistent with the roughly $425 per bitcoin implied by the HPMC payment). As at HPMC, the attack caused the hospital to declare an “internal state of emergency” in which web-based services and online communications were limited or unavailable. MedStar Health, a chain of ten hospitals in the Washington, DC area, reported a ransomware attack in March 2016. Messages went out to patients asking them to bring a list of their current medications and allergies. For some, the attack meant appointments were rescheduled or canceled because doctors could not access the necessary medical records. It was recently disclosed that the MedStar Health attack came in through an application server with a known vulnerability about which warnings had been published; the attack could have been prevented if the available patches had been installed.

Hospitals aren’t the only organizations recently falling victim to attackers. A California law firm, Ziprick and Cramer, suffered a ransomware attack in 2015 that began on an employee’s machine and spread to the firm’s servers. Fortunately the firm had working backups, which allowed it to rebuild the compromised data and refuse the ransom demand. Another law firm wasn’t so lucky: The Brown Firm in Florida had its files held for ransom for a week in December 2015 until a payment of $2,500 in bitcoin was made to the attackers.

These examples are just a few of the many ransomware attacks reported in the news. There are more cases out there, and undoubtedly even more that have not been reported.

How to Protect Your Company

The recent onslaught of ransomware attacks, and their potentially crippling effect on business, prompted the Department of Homeland Security (DHS) to release a joint cyber alert (TA16-091A) on March 31, 2016, in collaboration with the Canadian Cyber Incident Response Centre (CCIRC). Among the many items addressed in the alert, DHS and CCIRC outline steps to minimize ransomware’s impact. Those recommendations from TA16-091A include:

  • Have a data backup and recovery plan in place for all critical information. Backups should be run and tested regularly, and stored on a separate, offline device so that malware running under a user’s account cannot reach them.
  • Use application whitelisting to prevent malicious software and unapproved programs from running.
  • Keep operating systems and software up to date with the latest patches.
  • Keep anti-virus software up to date, and configure systems so that all software downloaded from the internet is scanned before it is executed.
  • Restrict users’ permissions to install and run unwanted software. Apply the principle of least privilege to all systems and services.
  • Avoid enabling macros from email attachments; opening an attachment and enabling macros can run embedded code that installs malware on the machine. Organizations should block email messages with attachments from suspicious sources.
  • Do not follow unsolicited web links in emails.
The joint alert also links to reference materials on avoiding email scams, good security habits, safeguarding data, and avoiding social engineering and phishing attacks.
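The first recommendation has a catch that both law-firm cases above illustrate: a backup only counts if it is out of reach of the infected account and a restore has actually been exercised. The following is an added example, not code from the original article or from the alert, of a Python restore test: a SHA-256 manifest is taken while the data is known good, then after a constructed incident both an “online” backup sitting on the same share and an “offline” copy are restored into scratch directories and checked against the manifest. The directory names are assumptions, and random bytes stand in for the ciphertext a real attack would leave behind.

```python
"""Backup manifest and restore test. Added example, not from the original
article. Directory layout is an assumption; random bytes stand in for ciphertext."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of content, taken while the data is known to be good."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def verify_against(manifest: dict, root: Path) -> dict:
    """Compare a directory tree to the manifest; anything missing or altered fails."""
    result = {"ok": [], "bad": []}
    for rel, digest in manifest.items():
        p = root / rel
        if p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() == digest:
            result["ok"].append(rel)
        else:
            result["bad"].append(rel)
    return result


def restore_test(manifest: dict, backup: Path, scratch: Path) -> dict:
    """A backup only counts if restoring it into a clean location reproduces the manifest."""
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(backup, scratch)
    return verify_against(manifest, scratch)


def run_demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    live = base / "share" / "finance"
    online_backup = base / "share" / "backup"           # on the same share the user can write to
    offline_backup = base / "offline_disk" / "backup"   # detached media, not mounted during the attack
    live.mkdir(parents=True)
    for i in range(5):
        (live / f"ledger-{i}.csv").write_text("date,account,amount\n" * 200 + f"row,{i}\n")
    manifest = build_manifest(live)           # keep this somewhere the attacker cannot rewrite it
    shutil.copytree(live, online_backup)
    shutil.copytree(live, offline_backup)
    # Constructed incident: everything reachable from the infected user's session is
    # overwritten with opaque data. Random bytes stand in for ciphertext.
    for p in list(live.rglob("*.csv")) + list(online_backup.rglob("*.csv")):
        p.write_bytes(os.urandom(p.stat().st_size))
    return {
        "live": verify_against(manifest, live),
        "online": restore_test(manifest, online_backup, base / "restore-online"),
        "offline": restore_test(manifest, offline_backup, base / "restore-offline"),
        "manifest_size": len(manifest),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Run as a script, the live data and the online backup both fail every manifest check, while the offline copy restores all five files intact. The manifest itself has to live where the attacker cannot rewrite it (offline with the backup, or signed), or the check proves nothing; the same goes for the scratch restore, which should be done on a clean host rather than the one that was just infected.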

Paying the ransom is not recommended, even when it is tempting because of missing backups or business pressure. There is no guarantee that the compromised machines, files, and other equipment will be released from the encryption, and there is the added risk that the attackers obtain confidential banking information in the course of the payment.

As ransomware continues to enter the vocabulary of business concerns, more security firms offer services to assist companies in their time of need. It is worth researching such firms and determining which one is best suited to the ransomware variant that has affected your company or organization.

Interested in Cybersecurity? If so, read Driven’s previous articles on this topic, The Changing Threat Posed by Recent Cyber Attacks, and Data Breach Lawsuit Highlights: Standing & the Fading Impact of Clapper.

Kassi Burns
Kassi Burns is Driven, Inc.’s Litigation Support Manager overseeing Driven’s Litigation Support department. Prior to joining Driven, Kassi was a Project Manager at Special Counsel in Dallas, TX, working closely with a Fortune 500 corporate client for five years, and various other corporate and firm clients in multiple markets. Kassi received her J.D. from Tulane University Law School in 2006. She studied at the University of Canterbury in New Zealand as a Rotary Ambassadorial Scholar in 2001.