Ransomware? Everywhere!

Locke Lord Privacy & Security Newsletter
January 2017

The definition of “ransomware” can sound pretty academic. For example, the FBI describes ransomware as “a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid.” However, the reality of ransomware is anything but textbook. It can hobble an organization’s operations, create financial loss, risk injury and more. Fortunately, there are some important steps an entity can take to reduce its risk, including considering insurance.

The nefarious practice of ransomware affects entities of all types and sizes. And business is booming for these attackers. According to a recent SentinelOne survey, about 50% of businesses suffered a ransomware attack in the last 12 months. “Ransomware has become one of the most successful forms of cybercrime in 2016 and is on the top of every security professional’s list of most prolific threats,” declares Jeremiah Grossman, chief of security strategy at SentinelOne. US government statistics show “ransomware attacks quadrupled in 2016, with an average of 4,000 attacks per day.”

The FBI “does not support paying a ransom to the adversary,” contending there is no certainty access will be returned. In addition, the FBI cautions that “[p]aying a ransom emboldens the adversary to target other victims for profit ….” The attacks are lucrative. As noted by a recent IBM Security Survey, “[t]he FBI reported that in just the first three months of 2016, more than $209 million in ransomware payments have been made in the United States – a dramatic 771 percent increase over a reported $24 million for the whole of 2015. The FBI estimates ransomware is on pace to be a $1 billion dollar source of income for cybercriminals [in 2016].”

Those significant figures are totals of ransoms that, individually, are currently small or fairly modest. While information varies, the IBM Survey references an average ransom demand of $500. There have been publicized exceptions with demands even in the millions and with actual payments of “4- to 5- digit” ransoms. As the assaults mature, twists are emerging. SentinelOne cites the risk of perpetrators demanding a second ransom payment after receipt of the first. In addition, it describes the threat, and perhaps the real risk, of having materials leaked online if a ransom is not paid. Another variation, referred to as “Popcorn Time,” has the attackers ask for payment but also offer the alternative of a return of access for free if the victim agrees to send a malicious link to two or more people, serving up new prey to the attackers.

As ransomware gains momentum, some observers discuss whether the practice will get more sophisticated and possibly more expensive or whether it will cannibalize itself if other less disciplined hackers swarm in. The tension is between current success with modest ransoms followed by returned access and the prospect of much larger ransoms without a guarantee the attackers honor the deals. The former could be self-sustaining with it being cheaper for most entities to just pay. The latter could particularly motivate entities and law enforcement to refuse to pay. Regardless, cybersecurity company McAfee Labs foresees that there will be more technological and legal measures that could reduce the number and extent of such attacks.

Entities do have options. Experts stress the importance of backing up data frequently, considering isolating key information on a separate system, training employees to prevent introduction of ransomware, maintaining current virus protection programs, developing a ransom response plan, and more. While these steps may not be foolproof, they may reduce the risk of penetration and decrease the impact of losing access temporarily or permanently.

One additional measure is to evaluate purchasing insurance; organizations should discuss this option with their risk managers or other relevant staff and with a knowledgeable insurance broker. Various insurers offer differing products that may cover, for example, a ransom, investigation costs, response costs, or other sums, subject to the terms and conditions of the policy. The amount of the applicable deductible and the available limits also vary. The underwriting process may include a review of and possibly requirements for a potential insured’s preparedness to identify and respond to a ransomware attack. Such policies likely require consent by the insurer before any ransom is paid. In addition, the policyholder may have to agree not to publicly disclose it has such insurance.