Crypto-ransomware – guidance for firms

Technology 08/07/2016

Crypto-ransomware is malware that accesses computer networks and systems. It encrypts all the files of certain types on the system in order to put those files beyond use. When a victim can no longer access their files, he or she is directed to pay a ransom. The ransom is usually demanded to be paid in a digital currency called ‘bitcoin’. Payment of the ransom may – or may not – lead to regaining access to the data.

Some types of ransomware are concealed in email attachments that look like invoices or other commonly received file types. Others are distributed through hijacked hyperlinks on websites. The malware runs as soon as the attachment or link is opened.

Where an infected computer is connected to a network, the ransomware may spread to other devices and drives on the network.

Crypto-ransomware attacks have increased in recent months and have been directed at businesses across Ireland. Law firms are advised to take extra precautions to ensure the security of their systems.

In most instances, there is no way of reversing the file-encryption carried out by the ransomware without receiving the encryption key from the criminal gang that deployed the malware. A firm’s options will be either:

  • Revert to the most recent back-up of the data (which might lead to some loss of work), or
  • Pay the ransom (which has no guarantee that the criminal gang will provide the key, and which rewards the criminal gang for their actions).

Certain business procedures can be put in place to reduce the possibility of falling victim to an attack.

First steps

  • Review and update your backup procedures in light of this threat,
  • Update all computers on your firm’s network to the latest versions of software available – many types of ransomware exploit known vulnerabilities that have not been patched in order to obtain access to systems,
  • Educate your employees on the dangers of opening files from unknown sources, particularly .exe, .zip or .war files,
  • Educate your employees on how to verify hyperlinks by hovering over the hyperlink and checking the destination address shown before clicking – this is particularly important for websites that do not use the ‘https://’ protocol (look for the padlock icon in your URL bar),
  • Access your system on the administrator account only when required,
  • Contact your IT services provider and let them know that you are concerned about falling victim to a crypto-ransomware attack. Ask if your current systems will be of use in preventing an attack or in dealing with the aftermath of an attack. To establish their credentials in dealing with such attacks, ask if they have previously dealt with an attack.
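The hover-and-check habit above can also be applied automatically to the links in an incoming message. The following is an added example, not part of this guidance or any tool the Law Society provides: it pulls every hyperlink out of an HTML e-mail body and reports the three things a reader is asked to look for by hand, namely a link that is not https, a link whose host is a bare IP address, and link text that names one site while the link actually goes to another. The sample message, the host names and the 192.0.2.10 address are constructed placeholders.

```python
"""Link inspection for the hyperlinks in an e-mail body.

Added example, not part of the original guidance: it automates the check
the guidance asks staff to do by hand (look at where a link really goes,
and prefer https). The sample e-mail body is constructed; the host names
and the 192.0.2.10 address are documentation placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.anchors.append((href, " ".join(text.split())))
            self._current = None


def is_ip_literal(host):
    """True if the host part of a link is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return a list of reasons to distrust one link (empty list means nothing found)."""
    parsed = urlparse(href)
    if parsed.scheme == "mailto":
        return []
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("link is not https")
    if is_ip_literal(host):
        findings.append("link host is a bare IP address")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        # The visible text names a site; the real destination must be that site or a subdomain of it.
        if host != shown_host and not host.endswith("." + shown_host):
            findings.append("text shows %s but the link goes to %s" % (shown_host, host or "(no host)"))
    return findings


def check_html(body):
    """Return [(href, text, findings)] for every link in body that has at least one finding."""
    collector = AnchorCollector()
    collector.feed(body)
    results = []
    for href, text in collector.anchors:
        findings = check_link(href, text)
        if findings:
            results.append((href, text, findings))
    return results


# Constructed sample e-mail body (placeholder domain and documentation IP address).
SAMPLE_BODY = """
<p>Dear client, your invoice is ready:
<a href="http://192.0.2.10/login">https://portal.example-firm.com/invoices</a></p>
<p>Questions? See <a href="https://www.example-firm.com/help">our help page</a>
or write to <a href="mailto:accounts@example-firm.com">accounts@example-firm.com</a>.</p>
"""

if __name__ == "__main__":
    for href, text, findings in check_html(SAMPLE_BODY):
        print(href, "<-", repr(text))
        for finding in findings:
            print("   ", finding)
```

Run as a script, it reports only the first link, which fails all three checks; the help-page link and the mailto link pass. The mismatch rule treats a subdomain of the displayed site as legitimate, so a link to www.example-firm.com shown as example-firm.com is not flagged.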

Further actions that you or your IT services provider might take

  • Reduce access to your file-storage drives to those of your employees who really require access. Now is a good time to audit and tidy up creeping access privileges on your drives.
  • Adopt internet and file-type ‘white-listing’, which permits your firm’s computers to access permitted URLs and file-types only.
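Two of the recommendations above, the warning about opening files of dangerous types and file-type white-listing, come together in the following added example. It is not part of this guidance and not a product of the Law Society; it shows how an allow-list check on received files works when it inspects both the name and the content, so that a file called invoice.pdf.exe is refused on its real extension and an executable renamed to invoice.pdf is refused on its leading bytes. The allowed types, the signature table and the sample files are constructed for the demonstration; a firm would substitute its own list.

```python
"""Attachment allow-list check: extension allow-list plus content signature.

Added example, not part of the original guidance. The allowed types, the
signature table and the sample files are constructed for the demonstration.
"""
import os

# Allow-list: only these document types may be opened; anything else is refused.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}

# Leading bytes ("magic numbers") a genuine file of each type starts with.
# .docx and .xlsx are ZIP containers, so they carry the ZIP signature.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".txt": (),   # plain text has no signature; it is checked for binary content instead
}

# Content that must never be opened as a "document", whatever the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",   # .exe, .dll and .scr files all start this way
    b"\x7fELF": "ELF executable",
}


def classify(name, head):
    """Decide whether a file may be opened.

    name: the file name as received; head: its first few hundred bytes.
    Returns (allowed, reason). The name is checked first, so that
    'invoice.pdf.exe' is refused on its real (last) extension; then the
    content is checked, so that an executable renamed to 'invoice.pdf' is
    refused on its bytes.
    """
    ext = os.path.splitext(name.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r is not on the allow-list" % ext
    for sig, label in EXECUTABLE_MAGIC.items():
        if head.startswith(sig):
            return False, "content is a %s despite the %s name" % (label, ext)
    expected = EXPECTED_MAGIC[ext]
    if expected:
        if not any(head.startswith(sig) for sig in expected):
            return False, "content does not carry the %s signature" % ext
    elif b"\x00" in head[:512]:
        return False, "binary content in a file named as plain text"
    return True, "ok"


def classify_path(path, head_bytes=512):
    """Convenience wrapper that reads the leading bytes of a file on disk."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(head_bytes))


if __name__ == "__main__":
    # Constructed samples: (name, leading bytes).
    samples = [
        ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),      # double extension
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),          # executable renamed to .pdf
        ("report.docx", b"PK\x03\x04\x14\x00"),
        ("notes.txt", b"Dear client,\x00\x01\x02"),      # binary bytes in a "text" file
        ("archive.zip", b"PK\x03\x04\x14\x00"),          # not on the allow-list
    ]
    for name, head in samples:
        allowed, reason = classify(name, head)
        print("%-18s %-8s %s" % (name, "ALLOW" if allowed else "REFUSE", reason))
```

The check is an allow-list rather than a block-list on purpose: a new file type is refused until someone decides it belongs on the list, which is the property the guidance asks for. The same classify function can sit behind an e-mail gateway or a file-share upload hook; classify_path is there for running it over files already on disk.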

Services you might consider requesting from your IT services provider

  • Email-scanning services to filter out dangerous files and URL links in emails,
  • Viewer software to open files transmitted by email in a safe environment,
  • Proxy servers to filter incoming and outgoing web-browsing internet traffic,
  • Dual redundant firewalls that are regularly updated and tested – if one fails, the other automatically kicks in to maintain service and security.

What will be of most use should I fall victim to an attack?

  • It cannot be emphasised enough that backups are crucial – suitable backup procedures ensure that data is not lost and permit business continuity,
  • Ensure that critical backups are not continuously connected to the network – they must be stored separately, or the firm’s backups may also be encrypted and rendered useless,
  • Cloud-based backups that ‘live-sync’ may not be effective, as they may also be encrypted.
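The two backup points above (keep a copy that is not continuously connected, and do not trust a live-synced copy) have a practical corollary: before the offline copy is refreshed from the live data, something should confirm that the live data has not already been encrypted, or the last good backup is overwritten with ciphertext. The following added example, which is not part of this guidance and not a Law Society tool, is such a pre-backup check. It counts files that look encrypted using two signals: a name ending in a suffix associated with ransomware, and a document whose expected leading bytes are missing while its content is near-random (measured as byte entropy). The suffix list, the thresholds and the sample files are constructed for illustration; a real deployment would maintain its own suffix list.

```python
"""Pre-backup sanity check for a live data share.

Added example, not part of the original guidance. Before an offline backup
copy is refreshed from the live files, it estimates how many of those files
already look encrypted; if the share is above a threshold the refresh is
refused, so the last good backup is not overwritten with ciphertext. The
suffix list, thresholds and sample files are constructed for illustration.
"""
import math
import os
from collections import Counter

# Placeholder suffixes standing in for the names ransomware appends; a real
# deployment would maintain its own list. Illustrative only.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Leading bytes a healthy file of each type starts with (docx/xlsx are ZIP containers).
EXPECTED_MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
TEXT_TYPES = {".txt", ".csv"}
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext sits near 8.0, prose near 4 to 5
HEAD_BYTES = 4096


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly spread bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspect(name, head):
    """True when one file looks encrypted: a ransom suffix on the name, a
    document whose signature is gone while its bytes are near-random, or a
    text file whose bytes are near-random."""
    lower = name.lower()
    if lower.endswith(RANSOM_SUFFIXES):
        return True
    ext = os.path.splitext(lower)[1]
    if ext in EXPECTED_MAGIC:
        # A genuine docx is itself compressed (high entropy), so entropy alone
        # would misfire; the missing signature is what makes it suspect.
        return not head.startswith(EXPECTED_MAGIC[ext]) and shannon_entropy(head) > HIGH_ENTROPY
    if ext in TEXT_TYPES:
        return shannon_entropy(head) > HIGH_ENTROPY
    return False


def assess_samples(samples, max_suspect_ratio=0.05):
    """samples: list of (name, leading bytes). Returns (safe_to_backup, ratio, suspects).
    An empty share is also reported unsafe: nothing to copy usually means the
    source is not mounted, and copying it would wipe the backup."""
    samples = list(samples)
    suspects = [name for name, head in samples if is_suspect(name, head)]
    ratio = len(suspects) / len(samples) if samples else 0.0
    safe = bool(samples) and ratio <= max_suspect_ratio
    return safe, ratio, suspects


def assess_tree(root, max_suspect_ratio=0.05):
    """Walk a directory, reading only the first HEAD_BYTES of each file."""
    samples = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                samples.append((os.path.relpath(path, root), fh.read(HEAD_BYTES)))
    return assess_samples(samples, max_suspect_ratio)


# Constructed samples. CIPHERTEXT_LIKE has every byte value equally often, so
# its entropy is exactly 8.0; real ciphertext is statistically similar.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
HEALTHY_SHARE = [
    ("clients/smith.pdf", b"%PDF-1.4\n" + b"stream data " * 100),
    ("clients/jones.docx", b"PK\x03\x04" + CIPHERTEXT_LIKE),   # compressed, but correctly signed
    ("notes/todo.txt", b"Call the client about the closing date.\n" * 40),
]
ENCRYPTED_SHARE = [
    ("clients/smith.pdf", CIPHERTEXT_LIKE),
    ("clients/jones.docx.locked", CIPHERTEXT_LIKE),
    ("notes/todo.txt", CIPHERTEXT_LIKE),
]

if __name__ == "__main__":
    for label, share in (("healthy", HEALTHY_SHARE), ("encrypted", ENCRYPTED_SHARE)):
        safe, ratio, suspects = assess_samples(share)
        print("%-9s safe=%-5s suspect ratio=%.2f %s" % (label, safe, ratio, suspects))
```

In use, assess_tree would be called by the backup job on the live share immediately before the offline copy is refreshed, and the job would stop and raise an alert when safe_to_backup is False. The threshold is deliberately low: a handful of genuinely odd files is tolerated, but ransomware encrypts whole trees, so the ratio jumps to near 1.0 once an attack is under way.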

What to do if my firm’s network is attacked?

  • Immediately pull any infected computers off the network,
  • Call your IT support team for assistance,
  • Do not access your backups until all the infected computers have been wiped clean or completely removed from the network.

At present, it appears that the encryption of data rather than extraction of data is the aim of the gangs that deploy crypto-ransomware. Firms, however, should consider their professional obligations to ensure confidentiality of communications with their clients, to keep full and accurate records of their dealings with clients, and their responsibilities under the Data Protection Acts 1988 and 2003 to protect personal data from unauthorised disclosure, loss, destruction, or alteration.