New research from security company Kaspersky Labs suggests that the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers.
Ransomware, or malicious software that infiltrates computer systems and uses tools like encryption to deny access or hold data “hostage” for a ransom, is becoming an epidemic. According to Kaspersky’s data, ransomware attacks increased threefold between January and September 2016. Forty-two percent of small and medium-sized businesses were hit with ransomware attacks, while individual consumer attacks escalated from one every twenty seconds to one every ten. Ransoms demanded typically range from $500 to $1,000, but some criminals have demanded as much as $30,000, and only one in five small- to medium-sized companies have been able to retrieve their data after payment.
The threat is so great that Federal Trade Commission (FTC) held a workshop on ransomware on September 7, 2016. In her opening remarks, FTC Chairwoman Edith Ramirez cautioned businesses to be aware of the dangers of ransomware, and to adhere to FTC recommendations.
As a follow-up to the workshop, the FTC released ransomware guidelines on November 10, 2016, including a video outlining the dangers. The guidance offers four important steps that the FTC believes businesses should adopt to minimize the risk of ransomware threats:
- Training and education. Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
- Cyber hygiene. Practice good security by implementing basic cyber hygiene principles. Cyberhygiene initiatives include important steps:
- Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
- Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
- Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
- Back up your data early and often.
- Identify business-critical data in advance and establish regular and routine backups.
- Keep backups disconnected from your network so that you can rely on them in the event of an attack.
- Prepare for an attack. Develop and test incident response and business continuity plans.
The FTC also advises victims of ransomware on three steps they should adopt in response to attacks:
- Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
- Restore your computer. If you’ve backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
- Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals’ email address) or payment information (like a Bitcoin wallet number). This may help with investigations.
Generally, authorities do not recommend that businesses pay the ransom. Too often they simply get higher demands, become targets again, or don’t get the data back.
It is also important for businesses to remember that ransomware attacks often constitute data breaches that may be reportable under federal or state data breach notification laws. Conducting tabletop exercises to educate staff and test preparedness is helpful.
The FTC’s recommendations are consistent with overall steps that the Commission and other experts have recommended to address data breaches. It’s important for business to pay attention to this sort of FTC guidance. The only thing worse than being held hostage by ransomware perpetrators is being held hostage and then also facing an FTC inquiry for alleged failure to adequately safeguard data.