How to Respond If Your Company's Data is Taken Hostage
By Tom Kang
The first ransom note in American history was written in 1874, when kidnappers demanded $20,000 to return four-year-old Charley Ross to his parents. “You wil have to pay us before you git him from us, and pay us a big cent to,” the note read.
Ransom notes have come a long way since the hand-scribbled messages of post-Civil War times. In our modern-day digital world, their form has morphed into malicious software that holds a computer and its data hostage, setting them free only when the ransom money demanded is paid – usually in a cryptocurrency such as Bitcoin rather than paper money in a suitcase or sack. Personal computers are most commonly attacked, but businesses of all sizes are a growing target.
The first case of ransomware dates back to 2005, and the number of attacks has grown exponentially since then. According to the 2017 SonicWall Annual Threat Report, ransomware attacks grew from 3.2 million attempts in 2014 to 3.8 million in 2015, and then rose meteorically to 648 million attacks in 2016.
The average ransom paid likewise shot upward. Symantec’s 2017 Internet Security Threat Report states that ransoms jumped from $294 in 2015 to $1,077 in 2016, but ransoms as high as $70,000 or more are not unheard of.
How Does Ransomware Get on Your Computer?
Ransomware may be triggered in different ways: a phishing email that looks like a legitimate invoice or image, a visit to an infected website, or an ad containing malware that has been injected into a legitimate webpage. When an unsuspecting victim opens the email or inadvertently falls into an online trap laden with ransomware, the malware is silently installed on the victim’s computer.
Employees click on phishing emails anywhere from 8 to 20 percent of the time, depending on how enticing the content is, according to the 2016 Phishing Susceptibility and Resiliency Report. If 10 employees receive the same phishing email, it’s almost certain that at least one of them will click on it, posing a real risk to business owners.
What Does Ransomware Do?
Ransomware holds its victims hostage in one of two ways:
- Lockscreen ransomware displays a window that prevents access to any part of the computer until a sum is paid.
- File-encrypting ransomware is a more sophisticated adaptation that keeps the computer available but scrambles certain types of files, such as databases that hold sensitive or proprietary customer and business information. Then it displays a pop-up screen with detailed instructions on how to buy the private decryption key that will decrypt the scrambled files.
How Should You Respond?
Lockscreen ransomware can often be cleared by shutting down the infected computer and starting it back up again, but there’s no such simple fix for file-encrypting ransomware. Lack of access to essential data can be crippling for a business and can compel business owners to act quickly to resolve the intrusion.
The right response is to neither negotiate with nor pay the perpetrator. Those who pay not only encourage continued crime; they may also pay a heavy ransom and never get their data back. But the element of time and other practical considerations can sometimes force a business owner’s hand.
If your business falls victim to ransomware, take these steps:
- Report the incident to your local FBI office and file a complaint with the Internet Crime Complaint Center.
- Restore file backups if you have them. Backups are your best protection against an intrusion and can immunize your business from the effects of an attack.
- Check your insurance coverage. Cyber insurance policies may cover the cost of the ransom money paid and provide response assistance. Before you act, review policy terms regarding:
  - What is and isn’t covered
  - Requirements for prior consent
  - Guidelines on how to respond. Does the insurance company want to interact with the bad guys or do you make the decisions?
  - Services and resources to guide you through the response process, including third parties to coordinate with law enforcement and handle negotiations
  - Ransom reimbursement
If you decide to pay the ransom, payment is generally required in Bitcoin, a form of currency that is mysterious and unfamiliar to most people and has a learning curve associated with it. You’ll need to set up an account at an online exchange and purchase Bitcoin in order to release funds to the extortionist.
How Can You Protect Your Business From Attack?
Businesses should anticipate the real possibility of cyber extortion and take preventive measures now so they don’t fall victim later:
- The single most important thing to do is to back up sensitive business files regularly and maintain copies off your main network. Backed up files can be quickly restored, minimizing the effects of an attack.
- Consider ransomware a real exposure that you’ll need to face at some point and plan your business’s response. Establish safeguards including multi-factor authentication to protect sensitive data from unauthorized access and use.
- Educate employees on ransomware and how it works. Conduct training sessions on detecting suspicious emails and attachments, and set up a protocol for reporting them to a designated manager.
- Install updates to your company software as soon as they are released. They often contain patches that address security vulnerabilities and help keep your business protected against online threats.
- Purchase cyber liability insurance that has the option to include coverage for cyber extortion loss. This coverage entitles you to assistance in responding to a threat and also reimburses the ransom amount if payment is made.
About the Author
Tom Kang is product manager of cyber at The Hartford. He has over 10 years of experience in cyber, technology errors and omissions, and professional liability insurance. Tom can be reached at firstname.lastname@example.org.
Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds.
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.