Ransomware: Extortion for the Digital Age

As 2015 drew to a close, security analysts predicted that 2016 would be “the year of ransomware.” See http://www.infosecurity-magazine.com/opinions/will-2016-be-ransomware/#.VlMlHya8bTw.twitter. Ransomware is not a new concept. Early versions appeared in 1989 and the first modern ransomware attack was reported in 2005. However, ransomware attacks represented only a small sliver of overall malicious intrusions until 2013, when ransomware attacks increased by 200% in just one year. Since then, ransomware attacks have represented an increasing share of all attacks. In the first quarter of 2016 alone, ransomware attacks were up 30% over the last quarter of 2015; one 2016 survey found that 40% of responding businesses had been the victim of a ransomware attack in the past 12 months, and 20% of those businesses had to cease operations until the ransomware had been removed.
See http://www.kaspersky.com/about/news/virus/2016/Ransom-Aware; see also https://www.scribd.com/document/320027570/Malwarebytes.
All ransomware uses the same basic attack model: the software infects the targeted computer and locks users out of their data. Once lockout is complete, the software displays a notification explaining that the user will be unable to access their data until the user pays the attacker a ransom. Typically, modern ransomware asks for payment using a cryptocurrency such as bitcoin, which makes payments difficult to track. Within this basic model, ransomware is diverse. Ransomware has been written for all major operating systems, including Linux and macOS, and can target mobile devices, servers, computers, and even Internet of Things devices (devices that historically have not had network capabilities, such as lightbulbs and refrigerators, but which are now being added to networks to enable remote services). Ransomware can be designed to affect only one device, or can spread from one infected device across a whole network. Some ransomware is even designed to seek out and erase networked system backups. Though it is most commonly delivered through email phishing, ransomware is also delivered by SMS, ads on public websites, and other common malware sources.
Ransomware attacks impose different costs than the historically more common data breach attacks. By now, the costs of data breaches are well understood; companies face the costs associated with user notification, detection, response, and lost business. See https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF. The costs associated with ransomware attacks are less well understood, but additionally include revenue lost during periods when data and systems are inaccessible, any ransom that may be paid, and potential liability to third parties for damages caused by service outages. There are also real public safety concerns, as there have been successful attacks against essential services such as hospitals and law enforcement. Successful attacks against critical infrastructure or key systems (like airline systems) could have broad-reaching impacts.
Expert advice for preventing ransomware attacks mirrors advice for preventing other incursions: train employees to avoid email phishing scams; install and regularly update reputable antivirus software; restrict employees’ use of company networks and VPNs on their personal computers; and restrict employee access to files on a shared network to only those files they truly need access to, even when the files contain no sensitive information. In the event of a successful ransomware attack, companies that back up files frequently can restore their systems from a clean backup with minimal service interruption. See http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001. Companies without available backups have few response options to a serious incursion. In 2015, the FBI recommended that most companies hit by ransomware attacks pay the attacker, though its 2016 recommendations warn that payment does not guarantee that an attacker will restore access to data and may encourage future attacks. See http://www.businessinsider.com/fbi-recommends-paying-ransom-for-infected-computer-2015-10; see also https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.
Typically, victims of a ransomware attack face no liability for paying attackers to restore access to data. Before making any such payment, it is nevertheless advisable to report to and consult with law enforcement. A number of groups that are known to support terrorists are quite robust in their hacking capabilities. Any monies sent to such groups could give rise to very serious criminal investigations, including for providing material support to terrorists. However, malware variants may evolve that combine more traditional exfiltration of data with ransomware. Thus, companies may still face liability to their users for damages caused by service outages or the breach of information. Courts are increasingly receptive to plaintiffs suing service providers when a service provider fails to prevent a cyberattack. In Patco Construction Co., Inc. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012), the First Circuit reversed a district court finding that a bank was not liable to its client for losses sustained when hackers gained access to the client’s account. The First Circuit noted that the risk of cyberattack was not allocated by the contract, and that the bank had not implemented several available security measures. Though courts are still struggling to develop a framework for cybercrime liability, Patco suggests that companies will bear some responsibility for security breaches under default rules. Similarly, the SEC recently reached settlements where breaches of clients' personally identifying information were viewed as de facto violations of certain securities laws. Corporations seeking to mitigate liability resulting from a cyberattack should disclaim liability as part of their contracts and terms of service and use the latest available security measures. But this may not be sufficient. It is critical that any cyber response plan include conferring with internal or external lawyers as soon as possible.