By Ann M. Ladd
A continuing series highlighting developments in privacy and security.
“Ransomware is on the rise by [fill in the blank] %.”
No, that is not a typo. We didn’t forget to fill in the blank. The minute we fill in the blank, the information will be out of date. Like it or not, ransomware is happening, and will continue to happen with increasing frequency. In fact, a recent survey indicates that 93 percent of phishing emails contain ransomware.
What is ransomware and what can you do to minimize the likelihood and impact of ransomware on your business?
Ransomware is a type of malicious software code (malware) designed to block access to your own data until you "pay up." Ransomware typically enters when a user responds to a phishing email or clicks on a link on an infected website. Once installed on one machine, the malware is designed to spread through other files and programs on the machine, and to other networked machines and systems, encrypting data as it spreads.
Experts point to the lucrative nature of ransomware, and the use of the decentralized (and therefore unregulated) cryptocurrency Bitcoin as a payment mechanism, as two of the factors fueling the rise of this phenomenon. Some of the most expensive ransomware incidents have occurred in the healthcare industry. The Department of Health and Human Services calls ransomware “One of the biggest current threats to health information privacy” and potentially “[a] serious compromise of the integrity and availability of ….electronic health information systems.”
So what can you do to reduce your risks from ransomware? As a first step, conduct a risk assessment so you know what types of systems and data are most likely to be impacted by ransomware, and establish a plan to mitigate or remediate those identified risks. Update the risk assessment each time you make changes to your systems, add programs, etc.
What kinds of things should you include in your plan? Here are some suggestions, based on guidance from the Department of Homeland Security, the FBI, HHS and security industry experts:
- Develop, AND TEST, a data backup and recovery plan for all critical information. Because network-connected backups can also be affected by ransomware, critical backups should be isolated from the network for optimum protection.
- Use application “whitelisting”- which allows only specified programs to run, while blocking all others.
- Patch, patch, patch! Vulnerable applications and operating systems are the target of most attacks.
- Maintain up-to-date anti-virus software and scan all software.
- Limit the ability of your users to install or run unapproved programs.
- Limit access to systems that contain sensitive data to those who need to have it.
- Read the US CERT publication on safely handling email attachments "Recognizing and Avoiding Email Scams.”
- Train your employees to follow safe practices when browsing the web. See “Good Security Habits” and “Safeguarding Your Data” for additional details.
You also should include procedures for dealing with ransomware in your incident response plans, including processes to:
- detect and conduct an initial analysis of the ransomware;
- contain the ransomware;
- eradicate the ransomware—check public resources for decryption keys (see https://www.nomoreransom.org/ for examples);
- mitigate or remediate vulnerabilities that permitted the ransomware;
- recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations
- conduct post-incident review activities. Ask whether you have any, regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into your overall security management process to improve incident response effectiveness.
Looking for more resources? Review the FTC guidance, and an educational video, on defending against ransomware.