
Regulatory intelligence

Should firms pay ransomware demands?

Todd Ehret  Senior Regulatory Intelligence Expert

A cyber-attack against a California hospital grabbed headlines last week when the facility concluded that the best course of action was to concede and pay the hackers’ ransom demand. The attack called attention to a growing cyber security threat that even the FBI says can leave a victim little choice but to pay up.

The malware attack locked access to electronic medical records at Hollywood Presbyterian Medical Center. That effectively shut down the hospital’s computer systems for more than a week until it agreed to pay the attackers 40 bitcoins, with an approximate value of $17,000.

Ransomware has become one of the most common threats to all businesses as well as individuals. The problem is not unique to healthcare institutions. Schools, municipalities, and even local police and sheriff departments have forked over the ransom to hackers as a last resort in order to regain control of their computers or networks.

This should serve as a wake-up call to all businesses and compliance professionals that no one is immune to aggressive ransomware attacks. Below is an overview of this latest and very prevalent cyber threat to firms, a review of some simple safeguards, and some advice on policies and procedures for compliance departments.

Ransomware attacks rapidly growing

Various sources, including network security and anti-virus firm Symantec, conservatively estimate at least $5 million annually is extorted via ransomware from victims, with an average ransom of approximately $200. The FBI estimates that between April 2014 and June 2015, it received 992 complaints related to the “CryptoWall” family of ransomware, with victims reporting losses totaling over $18 million. Individual personal computers are not the only targets. A growing number of victims are being hit with ransomware that locks down mobile devices as well and demands payments to unlock them.

Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to users. Ransomware infects devices and systems via spam and phishing messages, botnets, exploit kits, compromised websites, and “malvertising.” Ransomware is often delivered using a social engineering trick to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages, which lure them to compromised or malicious websites. Ransomware targets all sizes of businesses and institutions, home computers, mobile phones, and other devices.

Once a system is infected, the hackers hold the data to ransom by demanding payment for the decryption key needed to unlock it. The hackers will usually demand payment in the bitcoin digital currency. Bitcoin has made ransomware even more popular in the hacking universe because it can be received swiftly and anonymously and is hard to trace. Prior to bitcoin, payment was made via pre-paid cash cards and SMS messages.

The attacks can be either broadly disseminated through spam emails and infected internet sites or targeted to specific individuals or businesses after some preliminary background research of publicly available information.

Stamford Hackathon suggestions

Last week at the Stamford Hackathon in Stamford, Connecticut, an event sponsored by small business network security provider U.S. Computer Connections, presenters cited ransomware disseminated through social engineering as the newest and most prevalent threat to small business networks.

Examples of numerous businesses and individuals hit by various ransomware attacks were discussed. Although paying the ransom is not the first choice of action, a poorly designed network with inadequate backup capabilities may leave few other options. In the examples discussed, hackers demanded payment in bitcoins in amounts from $500 to $5,000.

Topics also discussed included network design, backup and data recovery solutions, IT and regulatory policies and procedures, and employee training and education.

Some simple preventative measures include:

  • Implement a strong password policy requiring all users to change passwords regularly and to use more complex passwords, i.e., a mixture of lowercase and uppercase letters, numbers, and symbols.
  • Make sure all network patches and anti-virus software are updated regularly.
  • Review and audit all permissions in your network.
  • Regularly review and update all user accounts, and deactivate any that are no longer needed.
  • Deactivate and off-board departing employees.
  • Wall off, or segregate, users and certain sensitive data.
  • Change network and Wi-Fi passwords regularly.
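Three of the items above (review permissions, deactivate accounts that are no longer needed, off-board departing employees) come down to the same periodic audit of the account directory. The script below is an added example, not code from the article or from the Stamford Hackathon presenters; the account export layout, the role-to-permission baseline and the 90-day staleness threshold are all assumptions chosen for the sample data.

```python
"""Account-hygiene audit for the checklist items above: review
permissions, deactivate unneeded accounts, and off-board departing staff.

Added example, not code from the article. The export record layout, the
role-to-permission map and the 90-day staleness threshold are assumptions.
"""
from datetime import date, timedelta

# Constructed sample export of user accounts (assumed layout).
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "employed": True,  "role": "analyst",
     "last_login": date(2016, 2, 20), "perms": {"read_reports"}},
    {"user": "bob",   "enabled": True,  "employed": True,  "role": "analyst",
     "last_login": date(2015, 9, 1),  "perms": {"read_reports"}},
    {"user": "carol", "enabled": True,  "employed": False, "role": "finance",
     "last_login": date(2016, 2, 1),  "perms": {"read_reports", "write_ledger"}},
    {"user": "dave",  "enabled": False, "employed": False, "role": "analyst",
     "last_login": date(2015, 1, 5),  "perms": set()},
    {"user": "erin",  "enabled": True,  "employed": True,  "role": "analyst",
     "last_login": date(2016, 2, 24), "perms": {"read_reports", "domain_admin"}},
]

# Assumed baseline: the permissions each role legitimately needs.
ROLE_PERMS = {
    "analyst":  {"read_reports"},
    "finance":  {"read_reports", "write_ledger"},
    "it_admin": {"read_reports", "domain_admin"},
}

STALE_AFTER = timedelta(days=90)   # assumed threshold for an unused account
AS_OF = date(2016, 2, 25)          # the date the audit is run (constructed)


def audit(accounts, role_perms, today, stale_after=STALE_AFTER):
    """Return (user, finding) pairs for every enabled account that should be
    deactivated or trimmed. Disabled accounts are skipped: they are already
    off-boarded and nothing more is needed."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if not acct["employed"]:
            # Departed employee whose account was never switched off.
            findings.append((acct["user"], "departed-still-enabled"))
        elif today - acct["last_login"] > stale_after:
            # Current employee, but the account has sat unused too long.
            findings.append((acct["user"], "stale"))
        # Any permission beyond the role baseline is a least-privilege gap,
        # whether or not the account is also stale or departed.
        excess = acct["perms"] - role_perms.get(acct["role"], set())
        if excess:
            findings.append((acct["user"],
                             "excess-permissions:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, ROLE_PERMS, AS_OF):
        print(f"{user:8s} {finding}")
```

Run against the sample data, the audit flags bob's account as stale, carol's as belonging to a departed employee who is still enabled, and erin's as holding a domain_admin permission that an analyst role does not need; dave is skipped because his account is already disabled. In a real environment the ACCOUNTS list would be replaced by an export from the directory service, and the findings fed into the off-boarding and permission-review process rather than acted on automatically.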

FBI: Few alternatives to paying up

Companies infected with ransomware may have little practical choice but to meet the attackers’ demands, said Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston.

“The ransomware is that good,” Bonavolonta told an audience of business and technology leaders at a cyber security conference. “To be honest, we often advise people just to pay the ransom.”

“The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom,” Bonavolonta said.

The FBI’s Internet Crime Complaint Center (IC3) in June released a public-service announcement recommending steps similar to those mentioned above to keep the hackers away. It also noted that perhaps the most important and simplest safeguard is to be skeptical of everything: don’t click on unfamiliar emails or attachments, and avoid suspicious websites completely.

IC3 also advises anyone who suspects a ransomware attack to file a complaint with their local FBI field office.

Another simple suggestion regarding ransomware is to try to stop it before it starts. The simplest way to stop it before the program takes over is to pull the Internet connection immediately when you suspect you are becoming infected. Before ransomware can fully activate and encrypt your files, it must first call back to the hacker-controlled server and get the encryption key. If one can stop the ransomware from phoning home, it won’t run.
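Pulling the connection only helps if someone notices the infection early, so the useful defensive complement is a detection that correlates the two events the paragraph describes: a workstation contacting an unfamiliar server, followed within minutes by files being rewritten in bulk. The script below is an added example, not code from the article; it runs over constructed log lines, and the log layout, the allow-list of known destinations, the 10-minute window and the 5-file threshold are all assumptions chosen for the sample.

```python
"""Detect the sequence the paragraph above describes, over constructed log
lines: a workstation contacts an unfamiliar external server and, within
minutes, starts rewriting files in bulk. The result names the host to pull
off the network and the destination to block at the egress firewall.

Added example, not code from the article. The log line layout, the
allow-list of known destinations, the 10-minute window and the 5-file
threshold are assumptions chosen for the sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed layout): "<timestamp> <source> <host> <detail>"
# 203.0.113.7 is a documentation (TEST-NET-3) address, not a real server.
LOG_LINES = """
2016-02-24T09:00:02 net ws-22 conn 10.0.0.5:445
2016-02-24T09:00:05 net ws-17 conn 203.0.113.7:443
2016-02-24T09:00:09 file ws-17 rename Q1_forecast.xlsx -> Q1_forecast.xlsx.encrypted
2016-02-24T09:00:10 file ws-17 rename budget.docx -> budget.docx.encrypted
2016-02-24T09:00:10 file ws-17 rename notes.txt -> notes.txt.encrypted
2016-02-24T09:00:11 file ws-17 rename clients.csv -> clients.csv.encrypted
2016-02-24T09:00:12 file ws-17 rename plan.pptx -> plan.pptx.encrypted
2016-02-24T09:00:30 file ws-22 rename draft.docx -> draft_v2.docx
"""

KNOWN_DESTINATIONS = {"10.0.0.5"}                          # assumed: internal file server
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked", ".crypt")  # assumed sample set
WINDOW = timedelta(minutes=10)                             # assumed correlation window
THRESHOLD = 5                                              # assumed rename count


def parse(line):
    """Split one log line into (timestamp, source, host, detail)."""
    ts, source, host, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), source, host, detail


def detect(lines, known=KNOWN_DESTINATIONS, window=WINDOW, threshold=THRESHOLD):
    """Return {host: {"block_ip": ip, "renamed": n}} for every host that
    contacted an unknown destination and then renamed at least `threshold`
    files to a suspicious suffix within `window` of that contact."""
    last_unknown = {}            # host -> (time, ip) of latest unknown contact
    renamed = defaultdict(int)   # host -> suspicious renames since that contact
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, source, host, detail = parse(line)
        if source == "net" and detail.startswith("conn "):
            ip = detail.split()[1].rsplit(":", 1)[0]
            if ip not in known:
                last_unknown[host] = (ts, ip)
                renamed[host] = 0    # start counting afresh from this contact
        elif source == "file" and detail.startswith("rename "):
            new_name = detail.split(" -> ", 1)[1]
            contact = last_unknown.get(host)
            if (new_name.endswith(SUSPICIOUS_SUFFIXES) and contact
                    and ts - contact[0] <= window):
                renamed[host] += 1
    return {host: {"block_ip": last_unknown[host][1], "renamed": n}
            for host, n in renamed.items() if n >= threshold}


if __name__ == "__main__":
    for host, info in detect(LOG_LINES.splitlines()).items():
        print(f"isolate {host}; block egress to {info['block_ip']} "
              f"({info['renamed']} files renamed)")
```

On the sample, ws-17 is flagged with 203.0.113.7 as the address to block, while ws-22 is ignored: its only outbound contact is the known file server and its rename does not produce a suspicious suffix. The threshold is the trade-off to tune: a lower count with a tighter window raises the alert after fewer files have been touched, at the cost of more false positives from legitimate bulk renames.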

About Thomson Reuters Regulatory Intelligence

This article was produced by Thomson Reuters Regulatory Intelligence, and initially posted on February 25, 2016. It was written by Todd Ehret, a Senior Regulatory Intelligence Expert.
