Out-Law News | 20 Dec 2016 | 12:45 pm | 2 min. read
Ransomware is a type of cyber attack in which hackers install malicious software onto computer systems that prevents businesses from carrying out everyday operations or accessing data or other assets. Businesses are prompted to make a payment to the hackers to bring about an end to the attack.
Cyber risk specialist Philip Kemp of Pinsent Masons, the law firm behind Out-Law.com, said new informal guidance to businesses on preventing ransomware attacks, issued by the UK's Information Commissioner's Office (ICO), should serve as a catalyst for organisations to consider how they might best mitigate the increasing risk of ransomware attacks.
Kemp said: "The ICO's guidance offers practical tips that provide a valuable starting point for any organisation turning to the risks of ransomware. One of the key messages to take away from that guidance is the risk that, even if a ransomware payment is made, decryption may not be successful, which can mean that back-ups take on fundamental importance for business continuity."
"Sophisticated ransomware attacks are capable of encrypting not only a single computer or server, but also any networked devices. Where a back-up is stored on a networked device, that back-up may also be vulnerable to encryption. In a worst-case scenario, ransomware attackers could not only compromise an entire business network and lock staff out of accessing data, but also lock out any back-up stored on a network device," he said.
Kemp said there are simple steps that organisations can take to mitigate the impact of such an attack, such as "segmenting networks or limiting user privileges to ensure that certain user accounts are not capable of running executable files on networked devices".
"It is also important that, where possible, businesses operate distinct, offline, offsite back-up systems separate from their live environment," he said. "This can ensure that even if the main system is compromised in a ransomware attack, the business can restore access to operations and data from a back-up untouched by any ransomware."
In a blog, Simon Rice, the ICO's group manager for technology, warned businesses that there is "no guarantee" that those behind a ransomware attack will release the "decryption key" businesses will need to access their systems and data, even if they pay the ransom to attackers.
Rice said businesses that cannot restore personal data they are locked out of accessing during ransomware attacks could fall foul of UK data protection laws.
"If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data, then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act," Rice said.
"If you have a back-up from which you can restore a working copy of the data, then a permanent loss of data would not be considered to have occurred. However, the ICO would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding," he said.
Rice said organisations should take a range of measures to help prevent ransomware attacks succeeding, such as putting in place up-to-date "basic technical cyber protection against malware" and segmenting business IT networks to ensure an entire network cannot be compromised in a single attack.
Businesses should also plan for cyber attacks to be successful, and so should "have an effective back-up policy and process in place" and check that it is working, Rice said. Back-up systems should be regularly tested, he said.
After removing ransomware, businesses should "carry out a full security scan and penetration test of [their] systems and network", Rice said.
"If attackers were able to get the ransomware onto your systems, they may have gained other access that you have not detected," he said.