Data Protection Report - Norton Rose Fulbright

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is built to exploit the inherent value assigned to data security and control, by taking it away from the user. It does this by combing for critical system files and potentially valuable user data (word documents, excel spreadsheets, pdf files, outlook messages, and the like).  As these target files are identified, a strong encryption algorithm is applied to prevent infected computer systems from properly functioning while inhibiting bewildered users from accessing their own files, unless and until the attackers are paid to provide the decryption key.

This genre of digital thievery has been around since the glory days of the floppy disk.  For the past decade, however, it laid mostly dormant in the hacker’s toolbox until its recent resurgence—ripened in large part by the advent of the anonymous, irreversible Bitcoin payment. Victims of ransomware, challenged by complex and highly effective methods of encryption, quickly come to realize that the most expeditious (and sometimes the only) route to system restoration and data recovery entails bartering with the ransomware attackers for the decryption key.

Assuming the decision is made to pay the ransom (a dilemma addressed further below), transacting in Bitcoins is not quite as fluid or intuitive as the online checkout process to which most of us are accustomed. With that said, a handful of adventurous businesses are beginning to lay the foundation in hopes of bringing the Bitcoin to the consuming public. Companies like CoinJar and LocalBitCoins serve as Bitcoin brokers offering to facilitate participation in the Bitcoin trade to anyone with the will or inclination to give a dollar backed by the Federal Reserve in exchange for a virtual currency that is decentralized and valued according to a peer-to-peer network led by early adopters and black-market entrepreneurs. 

Hollywood Presbyterian went down this very path just last week, with the hospital’s President & CEO reporting that “[i]n the best interest of restoring normal operations” their ransomware attackers were paid ฿40 BTC—the Bitcoin equivalent of approximately $17,000 USD. The hospital hackers were of the “ethical” sort and ultimately made good on their end of the bargain, handing over the decryption key that enabled Hollywood Presbyterian to begin the decryption process and resume normal business operations.

This honor-among-thieves mentality serves as the enabling force of the ransomware community and economy: after all, victims would be far less inclined to make payment without some reasonable expectation of reciprocity on the part of the attackers.  In fact, some attackers attempt to nurture trust (and therefore payment) by showcasing the equivalent of a 5-star “Yelp review” for honoring their promise to decrypt. But equal and fair bargaining should not be assumed.

While some 50% of ransomware victims ultimately opt to cooperate with their attackers, the payment calculus is complicated by the reality that yielding to the terms of a ransomware attacker does not necessarily lead to system restoration. In some cases, the attacker will levy demands with no intention of ever providing a decryption method (assuming one existed); in others, files may become corrupted during the encryption process, making their recovery impossible even with a decryption key. Importantly, regardless of the ultimate success of one’s decryption efforts, system resources may remain subject to ongoing compromise.

For example, the deployment of ransomware may have been but a small part of a broader strategy. A repeat ransomware attack may be in the works to further exploit compliant victims with proven payment records; or perhaps the attacker installed other instances of malware designed to exfiltrate data for resale and/or fraudulent use. In any case, a forensic investigation may be necessary to determine the scope of access to system resources and to help prevent the attacker from returning a few days later with fresh ransomware and renewed demands. 

The good news is this: data-dependent businesses and industries (which these days is practically every business and industry) can take steps to preserve the integrity of sensitive data by drawing from the arsenal of safeguards and prophylactic measures that have developed in the resurging wake of ransomware attacks:

  • Defend Against the Initial Intrusion. Ransomware typically finds its way into a computing environment in one of two ways. Most commonly, a ransomware installation package is sent to potential victims by way of an unassuming email, where the malicious code will stay dormant until a user opens the communication to view it. Another scenario involves hacked internet websites, requiring only that a user visit the site to risk ransomware infection. In either case, once activated, the malicious installation package deploys an executable that installs the ransomware and begins the encryption process, starting with local files and spreading to any available remote- or network-connected resources. These points of attack may be defended by implementing robust administrative controls and protocols designed to educate individual users and limit their exposure to potentially harmful communications and internet websites.
  • Monitor, Detect and Block. Should malware somehow slip past the first line of defense, a well-designed computing environment can help to prevent the malicious code from functioning as intended or to the detriment of the host systems. For example, software solutions allow administers to delineate or “white list” a universe of programs and executables that are expected and allowed to run within the environment, while precluding the use of unknown processes not specifically pre-approved. Use of similar software controls would help to prevent a ransomware installation package from deploying its executable and, thereby, from initiating the encryption process.
  • Backup, Restore and Lockout. Where all else has failed and a ransomware infection has successfully taken hold of system resources and/or data, much if not all of the damage can be undone in short order where backup files are regularly created and maintained at an offsite location.  Of course, this assumes a victim has established a sound business-continuity and disaster-recovery plan that includes regular backup of critical files along with efficient restoration procedures intended to minimize the impact to business. Thoughtful network segmentation and other file-level access controls can help reduce the scope and impact of infection as well. But, above all else, proper preparation remains the most critical safeguard, and data-reliant businesses of all sizes and across all industries would do well to have a comprehensive (written) incident response plan in place well ahead of time, enabling a swift and effective approach in the face of any data crisis.
  • Pay the Ransom and Lockout.  In some cases it may be necessary to pay the ransom demand at issue.  Practical cost-benefit considerations come into play relatively quickly in these situations, especially where the perceived harm significantly outstrips a modest ransom demand (e.g., it is not unusual to have demands that are less than a thousand dollars).  However, there is a flipside risk that “unethical” extortionists may later access the system by the same means of their initial attack (or sometimes new backdoors they have installed) and repeat the attack.  As such, victims should endeavor to ascertain the attack vector, cut it off, and remediate other vulnerabilities that could lead to similar attacks going forward.
  • Attack the Extortionists’ Reputation.  A cool and collected analysis of ransomware attacks yields the following conclusion:  on some level the attackers are running a business that is completely dependent on their reputation. Attackers with a reputation for failing to decrypt affected data, or of repeating their attack, will be less likely to succeed in coercing payment from their victims.  On the other hand, extortionists known to honor their end of the bargain are more likely to get paid.  As such, if a victim is able to credibly threaten the reputation of a non-cooperative attacker, the victim may gain some leverage over the attacker and potentially motivate the attacker to follow through on its promise to provide a decryption method.  This may take the form of online reviews, or strategically placed messages on the dark web and in other forums.  If the ransomware problem persists (and it likely will), one could imagine a centralized reporting mechanism that would allow victims to search for their attacker and obtain intel on their “trustworthiness,” effectuating a more efficient, even-handed black-market economy.   

Overall, while chaotic and stressful, if proper pre-incident risk mitigation steps are taken and a calm and measured response ensues, most ransomware attacks are currently manageable.  In fact, extortion events involving a relatively small sum can serve to open a victim’s eyes to data security on a broader level and potentially lead to greater protection and less risk in the long run.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.