Guidance on Ransomware

1. What Is Ransomware?

According to the FTC, ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data "hostage" until the victim pays a ransom, frequently demanding payment in Bitcoin. (See the FTC Business Blog by Ben Rossen from November 10, 2016, "Ransomware—A Closer Look.") According to the FBI, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. (See the FBI's brochure, Ransomware Prevention and Response for CEOs.)

2. How Is Ransomware Delivered?

According to the FTC, ransomware often arrives through email phishing campaigns, which typically require the user to take an action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user's computer. In addition, ransomware is delivered through "malvertising" campaigns, where malicious code is hidden in an online ad that infects the user's computer. These attacks can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.

Attackers also have exploited server-side vulnerabilities to deliver ransomware payloads by searching for networks that had failed to patch known vulnerabilities. (See the FTC Business Blog by Ben Rossen from November 10, 2016, "Ransomware—A Closer Look.")

3. What Are the FBI Recommendations for Responding to Ransomware?

The FBI recommends that organizations do the following.

• Isolate the infected computer immediately, and remove infected systems from the network as soon as possible to prevent ransomware from attacking network or share drives.
• Isolate or power off affected devices that have not yet been completely corrupted.
• Immediately secure backup data or systems by taking them offline, and ensure backups are free of malware.
• Contact law enforcement immediately.
• Collect and secure partial portions of the ransomed data that might exist if available.
• Change all online account passwords and network passwords after removing the system from the network if possible, and change all system passwords once the malware is removed from the system.
• Delete registry values and files to stop the program from loading.
• Implement security incident response and business continuity plans.
• Conduct a postincident review of the response to the incident, and assess the strengths and weaknesses of the incident response plan. (See the FBI's brochure, Ransomware Prevention and Response for CISOs.)

4. How Should You Report Ransomware to Law Enforcement?

The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with the following ransomware infection details (as applicable).

• Date of infection
• Ransomware variant (identified on the ransom page or by the encrypted file extension)
• Victim company information (industry type, business size, etc.)
• How the infection occurred (link in email, browsing the Internet, etc.)
• Requested ransom amount
• Actor's Bitcoin wallet address (may be listed on the ransom page)
• Ransom amount paid (if any)
• Overall losses associated with a ransomware infection (including the ransom amount)
• Victim impact statement (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")

5. Should Organizations Pay the Ransom?

The FBI does not support paying a ransom to the adversary because it does not guarantee the victim will regain access to their data. In fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit and could provide an incentive for other criminals to engage in similar illicit activities for financial gain. Although the FBI does not support paying a ransom, it recognizes that executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers. (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")

6. What Prevention and Continuity Measures Exist?

The FBI recommends organizations consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack.

• Regularly back up data, and verify the integrity of the backups.
• Secure backups, and ensure backups are not connected to the computers and networks they are backing up.
• Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
• Only download software, especially free software, from known and trusted sites, and verify the integrity of the software through a digital signature before execution when possible.
• Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
• Ensure antivirus and antimalware solutions are set to automatically update and regular scans are conducted.
• Disable macro scripts from files transmitted via email, and consider using Office viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
• Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including those located in the AppData/LocalAppData folder. (See the FBI's brochure, Ransomware Prevention and Response for CEOs.)

The FBI also recommends that organizations do the following.

• Enable strong spam filters to prevent phishing emails from reaching the end users, and authenticate inbound email using technologies like Sender Policy Framework, Domain Message Authentication Reporting and Conformance, and DomainKeys Identified Mail to prevent email spoofing.
• Scan all incoming and outgoing emails to detect threats, and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.
• Consider disabling Remote Desktop Protocol if it is not being used.
• Conduct an annual penetration test and vulnerability assessment. (See the FBI's brochure, Ransomware Prevention and Response for CISOs.)

Following are additional considerations for businesses.

• Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and be trained on information security principles and techniques.
• Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered.
• Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary, and they should operate with standard user accounts at all other times.
• Configure access controls with least privilege in mind.
• Use virtualized environments to execute operating system environments or specific programs.
• Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
• Require user interaction for end-user applications communicating with Websites uncategorized by the network proxy or firewall.
• Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")

Organizations also should conduct a cyber-security risk analysis of the organization and have and test an incident response plan. (See the FBI Brochure, Ransomware Prevention and Response for CEOs.)

Finally, organizations should take into account insurance coverage, including cyber-liability/cyber-extortion coverage.

7. Is There an Example of a Recovery Plan Specific to a Ransomware Attack?

The National Institute of Standards and Technology Guide for Cybersecurity Event Recovery includes an example of a recovery plan in the form of a playbook for a ransomware attack. (See the NIST's special publication, Guide for Cybersecurity Event Recovery.) While the guide applies to US federal agencies, it should be useful to any organization.

8. Could There Be FTC Enforcement Regarding Ransomware?

According to FTC Chairwoman Edith Ramirez's opening remarks at the "Fall Technology Series: Ransomware" in Washington, DC, on September 7, 2016:

One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including malicious software. A company's unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act. For example, in a recent case against device manufacturer ASUS, we alleged that the company's pervasive security bugs left the company's routers vulnerable to malware, and that attackers exploited these vulnerabilities to reconfigure consumers' security settings and take control of consumers' Web activity. We also alleged that the company did not address these security vulnerabilities in a timely manner and did not notify consumers about the risks posed by their vulnerable routers.

In another case against Wyndham Worldwide, we alleged that hackers infiltrated the network of a Wyndham franchisee, navigated to the company's network and the networks of other franchisees, and placed memory-scraping malware on the franchisees' servers. We alleged that these hackers exploited Wyndham's lax security to steal sensitive consumer data from dozens of Wyndham franchisees.

As these cases illustrate, businesses play a critical role in ensuring that they adequately protect consumers' information, particularly as security threats like ransomware escalate.

9. Could a Ransomware Attack Result in a Breach under HIPAA?

The Department of Health and Human Services (HHS) provided guidance in Fact Sheet: Ransomware and HIPAA that states:

A breach under the HIPAA Rules is defined as, "… the acquisition, access, use, or disclosure of [protected health information] PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. 164.402.6.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

10. What Is the "No More Ransom!" Website?

The "No More Ransom!" website is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky Lab, and Intel Security with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.