In the past, ransomware was a tool utilised only by the smartest of hackers, in high-profile and highly destructive planned attacks. While the effects have always been detrimental, the probability of being subject to a financially crippling attack was extremely low. Unfortunately, this is no longer the case. It is no secret that businesses and individuals alike are at risk of a cyber-attack, with nearly 50% of all businesses suffering a breach in some form or another.
What is Ransomware?
Ransomware is a form of malicious software that, once deployed, takes over a computer and threatens the owner with harm by denying access to data. The attacker will demand a ransom from the victim, promising that once it is paid the data will be restored.
Users will be shown instructions on how to make the payment, which can range from a few hundred pounds to millions of pounds depending on the size of the organisation. The payment will be demanded in some form of cryptocurrency, making tracing and prosecuting the perpetrators almost impossible.
Ransomware as a Service (RaaS)
The dark web has made it easy to purchase and deploy ransomware technology. Ransomware technology has evolved to make cybercrime accessible to anyone, no matter how limited their programming mastery may be. With kits being sold for as little as £10, and the potential financial gains being limitless, it is no wonder that we have seen such a dramatic spike in the number of cyber-attacks. Rather than hacks being laborious and calculated operations, launching large-scale ransomware attacks has become a possibility for all. Consequently, it is no longer only large-scale organisations that are targeted, but small and medium-sized enterprises alike.
How Does it Work?
Most ransomware is designed to exploit security holes found in program code and infect computers. Once it has taken over the computer, it will encrypt some or all of the user’s files. By the end of the attack the files cannot be decrypted without a mathematical key known only to the attacker.
This of course opens the floodgates to a wealth of problems. Decrypting data is a highly technical and time-consuming activity, one that challenges even the most skilled IT professional. Therefore, amateur hackers are often unable to effectively decrypt the data, potentially leaving businesses with substantial financial losses, a damaged reputation, and the loss of critical operational data.
Legalities of Making Ransomware Payments
It is essential for businesses to fully understand the legalities of making ransom payments. There is strict legislation around ransomware transactions, and non-compliance and/or inadequate due diligence can result in heavy fines and potential imprisonment.
Making ransomware payments is legal and most commonly encouraged; however, there are certain caveats that must be considered. Situations in which a payment cannot be made are as follows:
- The payment breaches other legislation e.g. the payment ends up in a sanctioned territory;
- The payment breaches the Terrorism Act e.g. the payment ends up with a terrorist group.
Practical Steps to Consider When Dealing with Ransomware
The first recommended action following a ransomware attack is to contact a cyber security professional. This kind of support is offered by companies such as CyberScout with the purchase of all Safeonline Cyber products. CyberScout is the leading provider of identity and data defence services, whose trained professionals can:
- Develop swift and appropriate responses to an event;
- Deliver resolution services to impacted employees and customers; and
- Offer cyber-criminal advice.
This kind of forensic cyber response is often necessary to comply with legislation.
It is also recommended that the negotiation begins as soon as the attack does. Attackers often target more than one organisation at a time, and it is therefore essential that your data decryption occurs before others. Sometimes decryption can take up to a week, so being number one in the queue will decrease the severity of the business interruption. In line with this thinking, it is essential that a relatively polite relationship is maintained with the attacker (albeit through gritted teeth!).
Before the ransom is paid, however, businesses must do their research. Can you trace the hacker back to a sanctioned territory or a terrorist organisation? This kind of information is not always obvious, but it is essential to ensure that legislation is being complied with and that the subsequent damage is minimised. Can the hacker really do what they are promising? Is the encrypted data worth the ransom money? Are you able to restore your data from backups made prior to the attack? There are many questions that need to be addressed before one considers paying any extortionist.
If there has been a breach involving personally identifiable information (PII), then companies must remember to contact the ICO within 72 hours, and potentially the data subjects.
If you would like to discuss, please get in contact at Cyber@Safeonline.com.