What to Do If You Get Ransomware
Beginning on May 12, 2017, a global pandemic of ransomware began sweeping across the world – hitting over 200,000 machines in 150 different countries, including Russian government officials and the United Kingdom’s National Health Service. The particular strain of ransomware – WannaCry or WanaDecrypt0r – is particularly virulent, spreading from machine to machine via server message block (SMB) protocol, which is used for sharing access to files, computers, printers and other devices on networks.
WannaCry ransomware preys on users who are running unpatched and older “legacy” systems such as Windows XP, Windows 8, and Windows Server 2003. Microsoft released an update addressing the vulnerability in March 2017, but many victims across the world are using systems that are either no longer being supported with updates by Microsoft, or they are in large institutions that roll out software updates slowly.
What do you do if you get ransomware?
First, as all victims have already surely realized, they have two choices: pay or don’t pay. To aid in this decision, consider the following insights.
The WannaCry malware was developed by exploiting a vulnerability identified by the “Shadow Brokers,” a still-unknown group of attackers. In April 2016, Shadow Brokers managed to penetrate and steal troves of data and cyber weapons allegedly stockpiled by the NSA.
Shadow Brokers promised to sell their bounty to the highest bidder. So, victims of the WannaCry malware attack might assume that the group behind this plague is well-organized and professional. They may even be connected with known terrorist groups like the Islamic State or they could even be a state actor.
Believe it or not, that’s actually good news. Many ransomware outfits are quite professional and are not immune to the economics of game theory. If a victim of ransomware pays, but the hackers do not decrypt the data, word will spread and people will stop paying the ransom. While this may not be the case with smaller outfits and individual “ransomware as a service” users, the larger players tend to hold up their end of the deal.
Honorable criminals are few and far between. In most ransomware attacks, whether a victim receives his or her files back is a simple coin toss.
Second, when ransomware is triggered, payment is raised every few hours or so. After a set period of time, the victims’ files will be encrypted and the key to unlock they files will be lost. The process of acquiring Bitcoin, particularly in such a short timeframe, can be tricky. The ransomware program itself actually provides links to websites that will show a victim how to purchase Bitcoin. Currently, the price to decrypt files hit by WannaCry is running between $300 and $600. One Bitcoin ranges from $1500 to $1800 on the open market. But, future attacks based on the WannaCry platform could charge more – e.g., other criminals unassociated with the current attack may run updated versions of WannaCry.
Third, victims should determine what data is stored on the computer hit by ransomware. While ransomware attacks generally do not include sensitive data being accessed or stolen, after the incident has concluded, victims should conduct a network investigation to determine if a data breach occurred. In the event of a data breach, customer notifications may need to be made.
How do you prevent ransomware?
As we recently identified in our article, “3 Ways Modern Business is Failing At Cybersecurity,” businesses are woefully unprepared to defend against dedicated attackers. Fortunately, users can harden themselves against ransomware by following a few simple rules:
- Never, never, never click on links or attachments in emails that you were not expecting.
- Always run security updates and install patches regularly. No matter how annoying doing so can be, very advanced malware like WannaCry usually spreads through backdoors that can only be stopped by installing patches and updates.
- If your data is the most important aspect of your business, consider purchasing cyber incident insurance. Many businesses don’t realize that unless they have special coverage, most insurance will not cover data breaches, cyberattacks, loss of customer data, and other cyber incidents. Fortunately, certain insurance companies will write policies to cover attacks like WannaCry.
- Use backups. Backup your most sensitive data, whether through the cloud or a backup on site. Granted, using cloud backup requires users to place their trust in a third-party that may itself be vulnerable to attacks.
- Take proactive measures. Ultimately, the time to adopt proactive cybersecurity measures, such as the 2014 NIST Cybersecurity Framework (which we have written about extensively) is before ransomware strikes.
Ultimately, cyberattacks can be crippling. When a data breach or cyberattack occurs, many security experts agree that a victims’ first call should be to a data breach lawyer, who can coordinate with law enforcement, serve as a point person for network investigations, and assist with obtaining insurance coverage and determining legal reporting requirements.
Vernon Litigation Group is based in Naples, Florida, with additional offices in Orlando, Florida, and Atlanta, Georgia. Vernon Litigation Group currently represents victims of cybersecurity, securities fraud and whistleblowers in court, arbitration, mediation, and regulatory filings throughout the United States. Please contact us to discuss your rights if you believe an investment professional or investment firm has failed to act in your best interests or otherwise abused your trust. For more information, visit our website at http://www.vernonlitigation.com/ or contact Vernon Litigation Group by phone at 1-877-649-5394 or by e-mail at email@example.com to speak with Vernon Litigation Group.