Held to Ransom - Baskerville Drummond discuss ransomware
Ransomware is a type of malware (malicious software) designed to block access to a computer or its data unless a ‘ransom’ is paid. It might do this by locking your system or by encrypting your data. The ransomware typically enters a computer through a Trojan. An unsuspecting user can introduce a Trojan in a number of ways, such as by opening an email attachment, clicking on a link in an email, visiting a bad or compromised website, downloading infected files or using a USB stick that was found lying in the car park or lobby.
Ransomware is not new: the first example, in the late 1980s, was spread using infected floppy disks which were sent to recipients by post. However, our reliance on digital information, more sophisticated coding, improved networks and the involvement of criminal gangs and possibly even foreign governments have made ransomware a growing threat.
What are the consequences?
If you are not adequately protected, you will lose access to your data. Paying the ransom may result in your files being unlocked, but this is not always the case. If you are lucky, there may be software that can unlock your data without paying a ransom. Regardless of the end result, it is certain that an attack will cost you time, money and possibly reputational damage.
Prevention is better than cure
You can never protect yourself completely, but you can take actions to reduce the risk of being struck by ransomware.
Technical solutions can include software and/or services that detect spam, malware and suspect URLs (website links). These solutions can be onsite or in the cloud, the latter being a good solution for smaller organisations with limited security expertise internally. Antivirus software should also be installed and regularly updated. Software should be kept up to date with the latest security patches. Most importantly, data should be backed up at regular intervals with at least some backups being held offline.
Good internal policies and procedures are also important. Permissions to data should be restricted so that users can only access what they require. Staff training and frequent reminders of the typical risks can also play a part in the prevention of any attack. In particular, staff should be trained to recognise phishing scams and spam emails. You should also have a policy to cover an attack – will you be willing to pay up and what would be your financial limit? You might also consider taking out a cyber liability policy.
Cost and risk analysis
Every organisation should consider the costs associated with a ransomware attack in terms of lost data, resolution time, lost revenue and reputational damage. This information will feed into the organisation’s security preparations, disaster recovery planning and security budget.
What if you are a victim?
You should have a clear plan in place for the eventuality of being a victim of ransomware. You could pay the ransom (check the latest legal position first), especially if you think this will be cheaper than fixing the problem yourself. But your organisation should have already decided whether this is morally the right option, and you should remember that payment will not guarantee a fix. Another option would be to re-create your systems from scratch, but this would be expensive and can hopefully be avoided. The third option is to restore your system from a prior, clean backup. If this is your chosen path, then the following will be important:
- Don’t panic – make sure you are clear about what has happened and the extent of the damage.
- Inform the police.
- Review your wider disaster recovery policy, including your plan for communications both internally and externally. Consider insurers, data subjects and regulators.
- Identify the source of the ransomware attack and try to remove this risk first.
- Find out what decryption tools are available on the market and use these first.
- Restore data from a clean backup, preferably one held offline. Ensure your backup(s) are not encrypted and scan these files for malware before using them.
- Lastly, take your time to make sure you have removed the malware and that your restored files are clean and uncorrupted before making your systems available again.
You can never have 100% protection from a ransomware attack, but proper preparation can reduce the odds of being a victim and help you recover more quickly if it happens to you.