What to Do When Your Data Is Held for Ransom

By: Randy R. Werner, CPA, J.D., LL.M./TAX
Published Date: Jun 14, 2016

Ransomware and cyber-extortion represent one of the more malicious types of hacker attacks making the rounds today. Ransomware sneaks into computer systems, encrypts files and demands a ransom before decrypting the files. A major problem is that ransomware doesn’t always decrypt files, even after the ransom is paid. Being prepared and taking precautions against cyber risk exposures such as this type of malicious software is therefore essential. Don’t prepare and you’ll be at the mercy of criminals who prey upon unprepared and unsuspecting businesses and individuals.

Ransom demands range from a few hundred dollars to several thousand, depending on the size of the victim. Not all ransomware attacks are reported to authorities, so estimates of the total amount paid over the past few years vary widely, ranging up to $300 million. The more notorious names among ransomware are CryptoLocker, CryptoWall, TorrentLocker and Locky, among others. Some attacks rely on software that now has known fixes, so a solution might be found online. However, other ransomware is so technically advanced that it has no known fix, leaving the victim helpless unless he or she has current backup files.

And that’s really the primary defense against ransomware—frequent backups of the files you don’t want to lose. Some ransomware even options to consider for multiple backups.

Even with backup files in place, a firm may still spend many hours gathering, re-entering and reconstructing data. Rebuilding work, such as tax returns based on the backups, also takes time. If personally identifiable information (PII) is involved, such as Social Security numbers, the firm might also need a professional risk assessment to determine its legal responsibilities.

Such losses can sometimes be avoided by creating user awareness and training everyone in your firm to be extremely cautious about unsolicited or questionable attachments or hyperlinks in email messages. Training can broaden your firm’s prevention IQ. It also never hurts to call or contact senders to ask if they sent you a document before you open it. Sometimes, ransomware enters a computer system via innocuous-looking Word or Excel documents. There’s a reason why people say, “An ounce of prevention is worth a pound of cure.”

Loss prevention tips
• Create backup copies of all important data and information on a regular basis. The frequency of backup depends on how often your data changes and the impact on your business, if you lose the data between the last backup and the time of loss. Store and secure backup copies away from your office location and use encryption to protect any sensitive or physical incident such as a fire or flood.

• Don’t open attachments or hyperlinks if you didn’t request them or if the email is suspicious or questionable. Don’t follow instructions to “enable macros” or “enable content.” Many attacks appear to come from a trusted source or someone you know, as part of a social engineering scheme. A scheduled event, travel plans or user interests can be used to create what looks like a legitimate document, employing logos and brands to deceive users into performing an action such as opening a document, clicking a hyperlink or changing a password. The action then enables a hacker to commandeer accounts and launch attacks. By hovering your mouse over a hyperlink, without clicking it, you can check the address for the website. If the address is for a different website, that’s a big red flag. A misspelled hyperlink is another red flag.

• Strictly define user permissions and restrictions so that users don’t have any more rights or access to a program or system than they need, also known as the “least privilege” concept. The same applies to administrators, who should not stay logged in as an administrator any longer than is strictly necessary. Excessive rights and activities can allow malware to do extra harm and lead to large losses of data.

• Apply all software security updates to your computer. Once a software vulnerability is identified, most software companies practice to check for the latest updates.

• Antivirus software is a must. Antivirus companies constantly update virus definitions to defend computers against new threats, and for the most part, these software updates are seamless to the user. Most antivirus software includes spyware, adware and email attachment protection. If not, they should be deployed along with antivirus software.

• Consider cyber-insurance. Coverage for extortion expenses incurred as a result of a credible cyber-extortion threat is a good feature, but remember that paying a ransom does not always decrypt files.

With more devices becoming connected to the Internet, it’s important to take steps toward avoiding cyberthreats such as ransomware and having a plan in place for mitigating threats and risks. If and when you’re hit by a threat, you’ll at least be in line with the Boy Scout motto, “Be prepared.”

Randy R. Werner, CPA, J.D., LL.M./Tax, is a loss prevention executive with Camico. She responds to Camico loss prevention hotline inquiries and speaks to CPA groups on various topics. For information on the Camico program, call Camico directly at 800-652-1772, or contact: (Upstate) Reggie DeJean, Lawley Service, Inc., 716-849-8618, and (Downstate) Dan Hudson, Chesapeake Professional Liability Brokers, Inc., 410-757-1932.
