The recent discovery regarding CryptoWall has changed the way we need to respond to ransomware.
As described in our previous blog post, ransomware encrypts your computer’s files (rendering all data inaccessible) and demands a ransom in order to decrypt them. Since CryptoLocker ransomware first showed up in September 2013, there have been a number of copycats, including CryptoWall, New CryptoLocker, DirCrypt, CryptoDefense, and Critroni. These variants of CryptoLocker differ in the ransom payment they demand and in the instructions they give for unlocking the infected machine.
While ransomware has changed, the response to these forms of malware has, up to this point, remained the same. Companies have paid the ransom, or have removed the malware and restored files from backup. The response now needs to change.
In May 2014, the brokerage firm of Benjamin F. Edwards & Co. was infected with CryptoWall and found that this malware may have much more serious implications. Three days after their computer systems were compromised, the company’s investigation ascertained that customer data was transferred to a suspicious IP address. The company therefore responded to the ransomware infection with a breach response. They sent out breach notification letters to thousands of their current and former customers to notify them of the breach and to offer them identity protection, fraud protection and credit monitoring for 12 months at no cost.
If one of your employees is a ransomware target and that employee has access to your organization’s data, your organization may have suffered a data breach. In addition to the cost of recovering the data, if your company handles private information, it may now also face the extensive costs of responding to the breach. These costs include the direct cost of staff time, mailings, and credit monitoring for affected individuals, the financial penalties imposed by regulators, and the indirect cost of damage to the organization’s reputation.
Breaches of private information from organizations such as financial services firms, lawyers, and companies which deal with credit card information are regulated in many states including New York. Private information includes a combination of a person’s name, Social Security number, driver’s license number, bank account number, and/or credit and debit card number with PIN or access code. For companies that work with personal health information (PHI), breach notification requirements are also regulated by HIPAA and the HITECH Act.
The frequency of breach reports is increasing. The largest share of healthcare breaches is still caused by lost or stolen unencrypted mobile devices. Nevertheless, data breaches are increasingly happening over the Internet, and they are happening to companies in many industries. Most organizations find out about a breach from a phone call from someone outside the company. Ransomware, however, is one type of breach event that a company discovers very quickly, as soon as it realizes that all of its data has been encrypted and is inaccessible. Companies working with private information need to prepare to avoid a breach, and they must have a breach response plan in place.
The best way to avoid a breach caused by ransomware is to train employees about internet security and how to recognize malware attacks. Stemp Systems has programs designed to educate your staff and sends regular security alerts to raise awareness about new malware tactics. Join our mailing list to help keep your company and data safe.