Government Guidance for Preventing and Responding to Ransomware Attacks

Ransomware attacks are a significant and increasing threat to organizations of all kinds. Government agencies have recently issued guidance for preventing and responding to ransomware attacks. Organizations should consider that guidance and take appropriate steps to prevent, and prepare to respond to, ransomware attacks.

Ransomware

Ransomware is malicious software that prevents access to or use of an infected information technology device or system (an "IT Resource") or related data, and demands (typically through an on-screen warning or other form of ransom note) that a ransom be paid (often in virtual currency or other forms of untraceable payment) by a specified deadline to obtain a key to restore the infected IT Resource or data. There are two basic kinds of ransomware: "locker" ransomware (which prevents use of an IT Resource by locking the user interface) and "crypto" ransomware (which encrypts specific files or data so they cannot be used without the required decryption key).

Ransomware is often installed on an IT Resource through fraudulent techniques, such as a deceptive email with a malicious attachment or link (known as "phishing" or "spear- phishing"), surreptitious downloading from an infected website (known as "drive-by downloading") or an infected message on a social media site. Sophisticated ransomware can spread throughout a computer network (including to data stored in cloud services) before the ransomware activates, and can install other kinds of malware on the network.

A ransomware attack can cause significant financial loss and other harm to the victim organization, including: (1) temporary or permanent loss of use of IT Resources and data; (2) business disruption loss and resulting liability to customers and business partners; (3) costs to restore infected IT Resources and data, if possible, and to otherwise respond to the ransomware attack; and (4) harm to the organization's reputation and relations with customers and business partners.

While most hackers profit by using or selling stolen data, ransomware criminals profit by demanding ransom payments from organizations and individuals whose IT Resources and data are affected by the ransomware. The primary result of a ransomware attack is business disruption and loss of use of data to the victim organization, rather than harm resulting from unauthorized disclosure of data, but some ransomware attacks can result in hackers obtaining access to data.

Paying a ransom is risky because the payment encourages ransomware criminals and does not guarantee that required restoration codes will be provided or that the ransomware and other malware will be removed from the infected IT Resource. Nevertheless, ransomware victims often chose to accept those risks and pay the ransom to avoid the cost, delay and other adverse consequences of relying on alternative remedies (e.g. attempting to restore infected IT Resources and data) if any are available. For those reasons, the number and sophistication of ransomware attacks have increased over recent years and are predicted to continue to do so.

Government Guidance

On March 31 and April 1, 2016, the Canadian Cyber Incident Response Centre ("CCIRC") and the United States Department of Homeland Security Computer Emergency Readiness Team ("CERT") collaboratively issued related Alerts (CIRC AL16-005 and CERT TA16-091A) that recommend various measures to protect against ransomware attacks: technological measures (data back-ups, application whitelisting, up-to-date operating systems and application software, up-to-date anti-virus and anti-malware software and user restrictions based on the "least privilege" principle) and user education and training.

The Alerts discourage ransomware victims from paying a ransom. The CCIRC Alert warns: "Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information as well. In addition, decrypting files does not mean the malware infection itself has been removed". In contrast to that advice, a member of the FBI's CYBER and Counterintelligence Program reportedly acknowledged in October 2015 that the FBI often advises ransomware victims to pay the ransom.

In March 2016, the Alberta Privacy Commissioner issued an Advisory for Ransomware to provide recommendations for preventing ransomware attacks. The Advisory recommends that organizations ensure that they have an incident response plan that deals with ransomware, and that they educate users about the plan. The Advisory reminds that if a ransomware attack results in unauthorized disclosure of personal information in the organization's custody or control, then the organization might have a statutory breach reporting obligation under the Alberta Personal Information Protection Act. Breach reporting obligations were recently added to the Canadian federal Personal Information Protection and Electronic Documents Act, but those provisions are not yet in force.

Comment

Organizations should prepare to respond to a ransomware attack by establishing and testing a detailed incident response plan that will enable the organization to make important technical, business and legal decisions in a timely manner. Those decisions may include the following:

• Payment: Should the organization pay the ransom? An organization that is not capable of successfully defending against a ransomware attack may have no choice but to pay the ransom and hope that the ransomware criminal provides the required key to restore infected IT Resources and data. Even if an organization is theoretically capable of successfully defending against a ransomware attack, there might be compelling pragmatic reasons to pay the ransom.
• Reporting: Should the organization report the ransomware attack? An organization may be under a legal obligation (under statute, generally applicable common or civil law or contract) to report a ransomware attack to law enforcement, regulators (including privacy commissioners), insurers, affected individuals (e.g. customers) and organizations (e.g. business partners) and other interested persons (e.g. shareholders and investors). In addition, there might be important business reasons to give notice of a ransomware attack to certain stakeholders even if there is no legal obligation to do so.
• Remedies: Does the organization have insurance coverage for the ransomware attack, and what are the applicable insurance policy requirements? Should the organization seek remedies for its costs and other financial losses against culpable persons (e.g. if the ransomware infection was caused by carelessness of a service provider)?

Organizations should obtain appropriate technical and legal advice when preparing a cyber incident response plan and when responding to a ransomware attack.