FBI Warns of the Rise in Ransomware

King & Spalding

On April 29, 2016, the Federal Bureau of Investigation (FBI) released a warning regarding the increase in ransomware cyberattacks.  During 2015, law enforcement saw an increase in ransomware attacks, particularly against organizations, including hospitals and other companies in the health care industry.  The FBI predicts that the number of ransomware incidents will continue to grow in 2016 unless individuals and organizations prepare for these attacks in advance. 

Generally, in a ransomware attack, people click on a link that ultimately results in the infection of their computer with malicious software.  Due to the effectiveness of spam folders in weeding out unknown senders or suspicious e-mails, cyber criminals are now using “spear phishing” e-mails (e.g., the e-mail appears to be from a company or individual known to the recipient) and, in newly identified instances, they have seeded legitimate websites with malicious code.  Once a computer is infected, malware then begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network to which the infected computer is attached.  Users and organizations are typically not aware of the infection until data access is blocked or they receive ransom demands for payment in exchange for a decryption key.

Due to the significant risks posed by ransomware attacks, all organizations, including those regulated by HIPAA, should evaluate how to best mitigate ransomware risks and update risk management plans, business continuity plans, and policies and procedures accordingly.

The FBI recommends focusing on two main areas in preparing for ransomware attacks:

  1. Training and safeguards to prevent ransomware infection, specifically:
    • Educating employees regarding ransomware trends and their critical roles in avoiding ransomware attacks;
    • Patching operating systems, software, and firmware on digital devices;
    • Ensuring antivirus and anti-malware solutions are set to automatically update and conduct regular scans;
    • Managing privileged account use—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary;
    • Configuring access controls, including file, directory, and network share permissions appropriately (e.g., if users only need to read specific information, they should not have write-access to those files or directories);
    • Disabling macro scripts from office files transmitted over e-mail;
    • Implementing software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs);
    • Executing operating system environments or specific programs in a virtualized environment;
    • Categorizing data based on organizational value, and implementing physical/logical separation of networks and data for different organizational units; and
    • Implementing application “whitelisting” (e.g., only allowing systems to execute programs that are known and permitted).
  2. Business continuity planning addressing what to do in the event of a ransomware attack, which is tested on a regular basis.  Specifically, data should be backed up and verified regularly.  These backups should be secured and not connected to the computers and networks they are backing up, for example by securing data in the cloud or physically storing it offline.  In evaluating security options, note that some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time.

The FBI news story is available here.

Reporter, Lara Compton, Los Angeles, +1 (213) 443-4369, lcompton@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
