History of Ransomware and How to Protect Your Organization

After the unprecedented WannaCry cyber attack, ransomware has moved from an issue primarily discussed by information security professionals to a persistent topic discussed in newsrooms and boardrooms across the country. It’s safe to say that no information security concern has demanded more attention from organizations than ransomware.

As a result, most members of the C-Suite are trying to understand how ransomware started and the implications it has for their business. In this post, you’ll find a brief overview of the history of ransomware and a few important actions an organization should take to protect itself from possible future attacks.

A Brief History of Ransomware

The evolution of ransomware from an ineffective nuisance to a sophisticated, lucrative business tool for criminals has been impressive, to say the least.

1. Ransomware 1.0 (2008-2014)

The early incarnations of ransomware were little more than a nuisance for most organizations. Upon infecting a system, the malware attempted to simply “lock” the computer screen, indicating that law enforcement would act if payment was not provided within a defined time period. Computers infected with this early type of ransomware weren’t really disabled, and law enforcement would not be arriving anytime soon.

Most anti-virus platforms could remove any issues that may have occurred and eradicate the infection. In addition, the payment options were very complex for most people who chose to attempt to comply. As a result of these limitations, ransomware’s “scareware” tactic was pretty much a failure.

While the first version of this threat produced a very low return on investment, it was obvious that the concept had potential. However, for this attack vector to bear fruit, the attackers needed to create a sense of urgency that forced action by those infected.

2. Ransomware 2.0 (2014-Present)

Since its initial iteration, ransomware has certainly overcome those initial shortfalls! The current ransomware families (there are many different variants) have exceeded even the most motivated fraudster’s expectations.

Ransomware has quickly established itself as the predominant malware threatening most organizations. In addition, PhishMe reported that 93 percent of phishing emails were infected with ransomware in Q1 of 2016.

The ransomware attacks cybersecurity pros are currently combatting involve encrypting everything possible with an unbreakable code: local user-created files, local system backups (volume shadow copies), network shares to which the infected user account has modify rights (often causing major devastation), and any locally-attached USB drives.

Ransomware in the Age of Cloud-Computing

In addition, an undocumented “feature” of most current ransomware variants is that cloud-based storage is also at risk.

Here’s how: Cloud storage solutions often synchronize the local user files to the cloud provider. If the ransomware encrypted the local files that are to be synchronized, and there are not multiple versions in the “cloud”, the cloud-synchronized files will also be encrypted.

By performing a detailed analysis of ransomware samples, we have been able to determine that these attacks are currently geographically focused on only certain countries, while others are excluded, based on the location of the computer.

Additionally, due to the price tolerance (and likelihood of payment) of different countries, the ransom fee demanded will actually vary based on the location of the machine that is infected.

Further, the attackers’ “market analysis” has identified which file types infected users are most likely to pay a ransom to recover.

How to Protect Your Organization from Ransomware Attacks

Ransomware has become a big business, indeed. While there is no single control you can deploy to ensure you are protected, here are three tactics you can implement together to help prevent or detect future ransomware attacks:

  1. Ensure you have a mature and tested data backup process.
  2. Develop a vulnerability and patch management process for your assets.
  3. Limit the number of network file shares that users can access.

LBMC has partnered with leading law firms to discuss the technical and legal issues revolving around ransomware. We developed a comprehensive ransomware protection checklist that outlines these ideas in detail and provides additional security recommendations.

If you want to ensure your organization is protected from ransomware cyber attacks, both today and in the future, download the checklist and give us a call.

How is Ransomware Evolving?



During this time of crisis, ransomware attacks are on the rise as threat actors are looking for the path of least resistance through vulnerable systems.

Ransomware Poses New Challenges for Tax Compliance

According to the IRS, business identity theft is growing and individual identity theft or tax fraud is diminishing. Cybercriminals’ increased focus on breaching tax professionals’ systems and stealing client data is causing the increase in business and partnership return identity theft.

According to the IRS, business identity theft happens when someone creates, uses or attempts to use the identifying information of a business — without authority — to obtain tax benefits. Business identity thieves file fraudulent business returns to receive refundable business credits or to perpetuate individual identity theft.

The IRS is aware of a handful of tax practitioners who have been victimized by ransomware attacks. The Federal Bureau of Investigation recently cautioned that ransomware attacks are a growing and evolving crime threatening the private and public sectors as well as individuals.

Ransomware is a type of malware that infects computers, networks and servers and then encrypts (locks) data. Cybercriminals then demand a ransom to release the data. Users generally are unaware that malware has infected their systems until they receive the ransom request.

The most common delivery method of this malware is through phishing emails. The emails lure unsuspecting users to either open a link or an attachment. However, the FBI also has warned that ransomware is evolving and cybercriminals can infect computers by other methods, such as a link that redirects users to a website that infects their computer.

Tips to prevent ransomware attacks

According to the IRS, tax practitioners — as well as businesses, payroll departments, human resource organizations, and taxpayers — should talk to an IT security expert and consider these steps to help prepare for and protect against ransomware attacks:

  • Make sure employees are aware of ransomware and of their critical role in protecting the organization’s data.
  • For digital devices, ensure that security patches are installed on operating systems, software and firmware. This step may be made easier through a centralized patch management system.
  • Ensure that antivirus and antimalware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts. No users should be assigned administrative access unless necessary, and only use administrator accounts when needed.
  • Configure computer access controls, including file, directory and network share permissions, appropriately. If users require read-only information, do not provide them with write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
  • Back up data regularly and verify the integrity of those backups.
  • Secure backup data. Make sure backup devices aren’t constantly connected to the computers and networks they are backing up. This will ensure the backup data remains unaffected by ransomware attempts.
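
The tip to verify the integrity of backups, and the earlier point that synchronized copies without multiple versions get overwritten by encrypted files, can both be checked mechanically before an older backup is rotated out. The Python code below is an added example, not part of the original article or the IRS guidance; it goes beyond a plain hash comparison by also flagging changed files that look encrypted. The function names, file names and the two thresholds (7.5 bits per byte, 50 percent of files) are assumptions chosen for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def entropy_bits(data):
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest.
    Reads whole files into memory, acceptable for modest file sizes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def verify_backup(root, manifest, entropy_limit=7.5, mass_ratio=0.5):
    """Compare a backup copy with its manifest. Both limits are assumed values."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    added = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    # Changed or new files that look random are likely encrypted copies.
    high = sorted(p for p in changed + added
                  if entropy_bits((Path(root) / p).read_bytes()[:65536]) > entropy_limit)
    damaged = (len(missing) + len(changed)) / max(len(manifest), 1)
    return {"missing": missing, "added": added, "changed": changed,
            "high_entropy": high, "intact": not (missing or changed),
            "mass_change": damaged >= mass_ratio}

def demo():
    """Constructed sample: three text files, two then overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ledger.csv", "notes.txt", "plan.txt"):
            Path(root, name).write_text("quarterly figures, plain text\n" * 200)
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        for name in ("ledger.csv", "notes.txt"):
            Path(root, name).write_bytes(os.urandom(8192))
        return before, verify_backup(root, manifest)

if __name__ == "__main__":
    before, after = demo()
    print(before["intact"], after["high_entropy"], after["mass_change"])
```

Store the manifest somewhere the backed-up machines cannot write to, for the same reason the backup devices themselves should not stay connected. Compressed formats such as ZIP or JPEG are also high-entropy, which is why only changed or new files are tested.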