The Growing Threat of Ransomware

By M. Scott Koller, Attorney and member of BakerHostetler's Privacy and Data Protection Team

More than just a nuisance, ransomware has become a legitimate threat to business operations and continuity.

On November 2, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a warning to financial institutions about a possible increase in ransomware attacks targeting financial institutions. The alert encouraged financial institutions to review their risk management processes and business continuity planning to ensure they addressed the risks associated with ransomware and other cyber extortion crimes.

The warning by the FFIEC eerily foreshadowed the meteoric rise in ransomware. In the first three months of 2016 alone, the FBI estimates that cyber criminals have collected over $209 million from businesses, hospitals, and other institutions.

If that rate continues, ransomware is on track to become a billion-dollar criminal enterprise. Moreover, that figure only represents reported losses and does not include unreported incidents or tangential costs such as system downtime, reputational damage and remediation efforts. The true magnitude is likely much larger.

What is ransomware?
Ransomware is a type of malware that denies access to systems and data. The ransomware is typically delivered through a spear phishing email or malicious link and uses strong cryptography to encrypt files so that they cannot be accessed without a decryption key. In order to receive the decryption key and restore access, the affected individual or business typically has to pay a ransom.

Why has ransomware become such a problem?
In the early days of the Internet, computer viruses were a nuisance but were rarely destructive. They were side projects generally written for fun, to demonstrate the author’s skill, or for bragging rights over whose code could spread the farthest or quickest. Today, financial gain is the primary motivation for creating malware. In the case of ransomware, the potential gain is huge.

As a result, cyber-criminals have dedicated resources to constantly improve their malware, to develop the infrastructure to process and distribute ransomware, and to continuously modify the ransomware to avoid anti-virus software programs. Some ransomware developers have even offered ransomware-as-a-service (RaaS), a derivative of the Software-as-a-Service (SaaS) business model used by companies such as and Zendesk. Essentially, ransomware developers create a user-friendly platform that outsources the distribution of the malware in exchange for a percentage of the profits. The financial incentives, in combination with the success rate of phishing emails and the widespread acceptance of crypto-currencies, such as bitcoin, have helped ransomware become one of the faster growing cyber-crimes.

Why you should be concerned.
Recently, several high-profile infections have brought attention to the ransomware epidemic including, most notably, Hollywood Presbyterian Medical Center, which paid a $17,000 ransom after it was locked out of its computer network in February. The infection made headlines because of the size of the ransom demand ($17,000 versus the typical $300-$500 demand) and because it targeted a hospital, effectively knocking it offline for at least a week and potentially jeopardizing patient care given the widespread use of electronic healthcare records.

This incident should serve as a wake-up call that ransomware is on the rise and that both individuals and businesses are potential targets. For individuals, the primary pressure point is the potential loss of data. However, as the Hollywood Presbyterian infection demonstrated, certain businesses, including financial institutions, are more susceptible because the ransomware acts as a denial of service. While these businesses have likely established back-up routines that allow them to restore encrypted data without paying a ransom, that restoration process takes time. For critical systems and time-sensitive data, the costs associated with the downtime can quickly exceed the ransom demand. In the end, it is cheaper to pay the ransom, a reaction that only emboldens criminals to create new and more sophisticated ransomware.

In addition, investigations by our law firm have uncovered evidence of bad actors leveraging access to a single system to spread ransomware throughout an organization and network, going so far as to actively target backup systems, which remain the primary way organizations recover from these types of infections.

What can you do to protect against a ransomware infection?
The best defense against ransomware is a combination of security awareness training, technical safeguards and proactive security measures.

  • Ensure all systems have anti-virus software installed that is configured to automatically update and perform regular scans. But do not rely on anti-virus software alone. New variants are constantly being developed and specifically designed to avoid detection.
  • At its core, ransomware is a type of malware that requires some interaction with a user. Therefore, it is important that all employees receive security awareness training on ransomware and the types of phishing email used to propagate it.
  • Back up data on a regular basis and verify the integrity of those backups. Given the strength of the encryption used by the ransomware, backups will likely be your only recourse for restoring data if you do not pay the ransom. Remember to segregate your backups from the primary network to prevent the ransomware from encrypting that data as well.
  • Utilize group policy or other access controls to limit write-access to files, directories and network shares that are not specifically required for a user’s job function. Ransomware inherits the user permissions for the individual who activated it. By limiting a user’s access, you limit the ransomware’s ability to spread should an infection occur.
  • Consider the use of application whitelisting and limit users’ ability to run applications and/or install programs.
  • Conduct a mock exercise involving ransomware to test your incident response plan and gauge the speed and effectiveness of your ability to restore data.
  • Remember, ransomware is not only a threat to your network, but also to networks that you connect to or rely upon. Consider how a ransomware infection involving a critical vendor or service provider could impact your operations.
  • Review and consider the FFIEC’s Guide on Business Continuity Planning.
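
The backup integrity check recommended in the list above can be automated with a hash manifest. The Python script below is an added example, not part of the original article; its function names and the JSON manifest layout are assumptions made for illustration, and it assumes the manifest is kept off the backup host so that malware reaching the backups cannot rewrite it.

```python
# Added example: record SHA-256 hashes of a backup set, then detect later tampering.
import hashlib
import json
import sys
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root):
    """Map each file path (relative to backup_root) to its SHA-256 digest."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare the backup tree with a trusted manifest recorded earlier."""
    current = build_manifest(backup_root)
    known, seen = set(manifest), set(current)
    return {
        # Files that vanished, e.g. deleted or renamed with a new extension.
        "missing": sorted(known - seen),
        # Files whose content changed, e.g. encrypted in place.
        "modified": sorted(n for n in known & seen if manifest[n] != current[n]),
        # Files that were never backed up, e.g. a dropped ransom note.
        "unexpected": sorted(seen - known),
    }


def is_intact(report):
    """True only when nothing is missing, modified or unexpected."""
    return not any(report.values())


if __name__ == "__main__":
    # Usage: script.py BACKUP_ROOT MANIFEST.json (first run records, later runs verify)
    root, manifest_file = sys.argv[1], Path(sys.argv[2])
    if not manifest_file.exists():
        manifest_file.write_text(json.dumps(build_manifest(root), indent=2))
    else:
        report = verify_backup(root, json.loads(manifest_file.read_text()))
        print(json.dumps(report, indent=2))
        sys.exit(0 if is_intact(report) else 1)
```

A clean report shows only that the stored bytes are unchanged; a periodic test restore is still needed to confirm the backup is usable.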

As long as there is a financial incentive, criminal elements will continue to develop, improve and distribute ransomware. But with proper planning and preparation, you can reduce the likelihood of a ransomware infection and minimize the impact on your business operations.

About the Author
M. Scott Koller is a member of BakerHostetler’s Privacy and Data Protection Team in Los Angeles, California. Mr. Koller focuses his practice in the area of privacy, data security, and breach response. He advises clients regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. He can be reached at or 310-979-8427. Follow him on Twitter @scottkoller.