Ransomware is a top cybercrime threat and businesses need to be aware of it. Those that fail to plan could find themselves in a bad spot, choosing from terrible options. Prevention means applying good management to cybersecurity and devoting reasonable resources to improve cyber defenses.
Ransomware combines malware, encryption and extortion. Malware is malicious software. Encryption is a powerful tool that protects the confidentiality of data; here, it is used by criminals to harm victims, deny access to their data and commit theft by extortion. The ransomware takes control of a computer, server, or system and then starts encrypting the data within it. Once the business’ data is encrypted it is unusable, and then the business learns that they need to pay a ransom in order to receive the code to unlock their data.
The victim organization then faces three options:
- Restore their backups. When evaluating this option, many organizations realize that they do not have backups, they are incomplete or cannot be restored fully. At this point, organizations realize their cybersecurity planning and preparation was inadequate.
- Attempt to decrypt the encoded data. But breaking strong encryption is impossible for them.
- Pay the ransom and hope the cybercriminals deliver on their promise to provide the decryption key. Taking this action helps make this crime profitable, rewards the criminal and encourages future attacks. There are other implications, too.
Ransomware has important legal implications from both criminal and civil perspectives. Ransomware is a serious crime — extortion (a form of theft), along with digital vandalism. It violates state and federal criminal laws, though enforcement lags.
Our government needs to be more effective investigating and deterring these (and other) cybercrimes. Most cybercrime is about greed and theft, and ransomware is an innovation on this theme, utilizing virtual currencies and cryptocurrencies (e.g. Bitcoin) as the payment mechanism.
Many cybercrimes rely upon the theft of data and its reuse to commit more crime. But with ransomware, the cybercriminal does not have to use the data to make money, since they merely lock it up in exchange for a ransom. Nevertheless, ransomware victims need to investigate whether their encrypted data was accessed and stolen.
The ransomware victim should evaluate legal requirements, so here is a quick recap of what we covered in a prior article: Legal duties exist for cybersecurity, and organizations should achieve “reasonable” cybersecurity. Certain cybercrimes need to be reported to the government (or others), such as when certain data is accessed or breached. Thus, organizations need to evaluate whether the malware and attacker accessed or obtained data which might implicate breach reporting duties. Finally, making or directing a payment to an unknown cybercriminal has implications relating to anti-money laundering rules and sanctions.
A sound cybersecurity program protects the organization, and also aids in the efficient management of information assets. Businesses can protect themselves and their customers with good cybersecurity, perhaps preventing ransomware from ever occurring in the first place. If well-prepared organizations are hit by a ransomware attack, they will have secure backups that can be restored. They will not have to contemplate paying the ransom.
Organizations should consider my framework — Bandler’s Four Pillars of Cybersecurity — as an excellent starting point that is understandable to all.
Businesses should continually improve their cybersecurity plan to protect the organization, safeguard customer and employee data and comply with legal standards. Preventing a serious cybercrime is the greatest reward, but improved compliance and efficiency also follows.
John Bandler is an adjunct professor at Elisabeth Haub School of Law at Pace University who teaches about law as it intersects with cybercrime, cybersecurity and privacy. He is the principal and founder of Bandler Law Firm PLLC, a law practice that helps organizations navigate these areas.