Put yourself in this picture: Your organization has a pretty good handle on data security. You have a secure firewall and good anti-malware software running on your systems. You monitor network traffic for suspicious activity. You’ve trained your staff in good cyber hygiene, and reviewed your business partner contracts to make sure they’re doing their part to protect sensitive data. It’s “patch Tuesday,” your automated scripts are installing the latest security updates to your software, and you’re feeling pretty good until a staff member calls and reports problems accessing a data file. The next thing you know, ransom messages start popping up on user screens all over the company demanding payment to access their own data. Suddenly, you can’t control the digital information that is the lifeblood of your business, operations grind to a halt, and you have to make some hard decisions.

If you haven’t experienced ransomware yet, it’s probably just a matter of time. For cyber criminals, it’s an almost-perfect crime. For organizations and individuals, it’s their worst nightmare, and it’s just getting started. This series of articles will look at the epidemic of ransomware: what is it, how does it get into your systems, and what you can do about it.

Holding data hostage

Since the medieval highwaymen and the heyday of Al Capone, criminals have used extortion to hold hostage the safety and property of others. Ransomware, the latest generation in that long criminal tradition, gains access to a computer system and makes either the system or the data inaccessible, then attempts to extort payment from the owner in return for returning access. Often there is a limited time to pay, after which the data will be permanently lost, and the payment is typically in some kind of untraceable cyber currency such as Bitcoin.

Ransomware began to make national news in February 2016, when the Hollywood Presbyterian Medical Center had to pay $17,000 in Bitcoin to ransom its system, followed by a string of attacks on other healthcare providers. But the problem is already widespread enough that a number of security experts have already declared 2016 the year of ransomware and digital extortion. Organizations of all types and sizes, from consumers to small businesses, law firms, and even police departments have fallen victim.

Like other protection rackets, ransomware is a high-profit strategy for criminals. There are multiple steps to monetizing personal data, intellectual property, or other sensitive information that is stolen outright. It is often “fenced” on the Dark Web, then the buyer has to turn it into a false identity that can be used to fraudulently obtain goods or services. With ransomware, on the other hand, the victim has to pay the criminal directly, the payment happens within hours or days in untraceable currency, and there is no chain of custody to point to the criminals because the data stays on the victim’s system the whole time. And PC Magazine recently quoted OpenDNS Security Analyst Kevin Bottomley’s finding that ransomware usually takes less than three minutes from infection to encryption time.” As Brian Contos, VP and Chief Security Strategist at Securonix, has said, “[Ransomware] is a volume business. It’s simple, relatively anonymous, and fast.”

Ransomware is big business

With quick payoff and no risks to the criminals, ransomware is spreading like the plague that it is. A McAfee report found that new ransomware samples grew by almost 50 percent between the first and second halves of 2014, then jumped by more than five times to more than two million samples in the first half of 2015. At that rate, hackers are releasing more than 100,000 new ransomware variants a day. No wonder security software vendors can’t keep up.

The FBI estimated that losses for victims from a single strain of the Cryptowall malware were close to $18 million. Multiply that by the millions of variants that are now being released each year, even allowing for less successful ones, and it’s clear that ransomware is taking a huge bite out of the economy. And ransom estimates alone don’t take into account the costs of business that may be lost during the hours or days that systems are locked, the costs of repairing or restoring systems — even if the ransom is paid, administrators will want to ensure that the ransomware is removed — or the dire costs, including possible loss of life, when critical systems such as healthcare or energy control networks are held hostage. TechNewsWorld reported recently that 72 percent of companies infected with ransomware could not access their data for at least two days because of the incident, and 32 percent couldn't access their data for five days or more, and the costs of downtime often exceed the cost of ransom.

Is hostage data breached?

A cruel irony of ransomware is that it could also be considered a data breach, even though the data never leaves the victim’s systems. At the recent 2016 Healthcare Compliance Association conference, Iliana Peters from the Department of Health and Human Services’ Office for Civil Rights (OCR) pointed out that HIPAA regulations define a data breach as “impermissible acquisition, access, use or disclosure of PHI (paper or electronic) which compromises the security or privacy of the PHI.” She then went on to note that data doesn’t need to be exfiltrated in order for an incident to be a notifiable data breach. In a ransomware attack, healthcare providers and others that handle protected health information will need to conduct the required four-factor incident risk assessment to decide whether breach response and notification are required. I suspect that OCR will be providing greater guidance in this somewhat gray area in the future.

Since ransomware on a mass scale is a new phenomenon, there is no precedent to tell us whether any given ransomware attack may ultimately be considered a data breach. But healthcare is not the only industry covered by a complex network of federal and state regulations regarding privacy and data breaches, so businesses shouldn’t rule out the possibility. Even as decision-makers and security staff are scrambling to deal with the immediate threat of a ransomware attack, privacy and compliance staff will have to consider carefully whether to treat the incident as a breach, with all the effort and additional costs that would entail.

Fighting the ransomware mob

The gangster Al Capone once said, “A crook is a crook, and there’s something healthy about his frankness in the matter.”  Ransomware attackers are evolving their tools and their business models fast, from ever more efficient malware to ransomware for hire and “customer service” capabilities that help victims unfamiliar with cyber currencies to make payments. They’re smart and agile, but in the end they are just crooks, and a concerted effort by security experts, law enforcement, and informed, prepared organizations will eventually stem the tide of ransomware. In the meantime, knowledge is your best defense, so in the rest of this series, we’ll look at different types of ransomware, where it comes from, how it works, and how you can fight it.

photo credit: IMG_9845 via photopin (license)