Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.
Hollywood Presbyterian Medical Center
Ransomware Incident Response – Prevention, Readiness and Strategy
Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is built to exploit the inherent value assigned to data security and control, by taking it away from the user. It does this by combing for critical system files and potentially valuable user data (Word documents, Excel spreadsheets, PDF files, Outlook messages, and the like). As these target files are identified, a strong encryption algorithm is applied to prevent infected computer systems from properly functioning while inhibiting bewildered users from accessing their own files, unless and until the attackers are paid to provide the decryption key.