DHS Warns of New Ransomware Threats

The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.

Ransomware is a form of malware—often spread through phishing emails or infected websites—that encrypts the target’s files, promising to decrypt the data and return it to its owner only if a ransom is paid.  Until recently, ransomware attacks primarily targeted individuals, with hackers demanding small ransoms, often a few hundred dollars payable in Bitcoin.  More recently, ransomware attacks have been on the rise and have begun to target businesses.  And hackers have devised new forms of ransomware attacks.

DHS’s recent alert specifically warns of two new variants that have been deployed against healthcare companies in the first quarter of 2016.  The first, called “Locky,” propagates through spam emails with malicious Microsoft Office or compressed attachments, which contain macros or JavaScript files to download the ransomware.  The second, called “Samas,” propagates through vulnerable Web servers, which then upload the ransomware to the organizations’ computer networks.

DHS discourages paying the ransom, because doing so encourages hackers to carry out more attacks while providing no guarantee that a company’s data will be decrypted or that the malware infection will be removed.  But it poses a difficult issue for companies given the potential for the loss of sensitive information, business disruption, reputational harm, and other financial losses associated with restoring data and computer systems.  In the recent ransomware attack on the Hollywood Presbyterian Medical Center, the hospital reported that it paid a $17,000 ransom because it was the “quickest and most efficient way to restore [its] systems and administrative functions.”

In its alert, DHS recommends that businesses take action to prepare for potential ransomware attacks, including the following:

●  Deploy “a data backup and recovery plan for all critical information,” and regularly test the backups.

●  Implement “application whitelisting”—allowing only approved software—and restrict employees’ ability to install and run unwanted applications.

●  Regularly update your operating system and software, including anti-virus software.

●  Block emails from suspicious sources, disable email attachments with macros, and exercise caution when following links on the internet.
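As an added illustration of the last recommendation and of the Locky delivery vector described above (example code written for this page, not part of the DHS alert), the following Python mail-gateway check flags attachments that are Office documents carrying a VBA macro project or compressed archives containing script files; the message it scans is constructed inline.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Script types used as downloaders inside compressed attachments, and the OOXML zip members that hold VBA macros.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")

def attachment_findings(name, data):
    """Return why this attachment should be quarantined; an empty list means no finding."""
    findings = []
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append(f"{name}: script file attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.namelist()
        findings += [f"{name}: Office document with macro part {p}" for p in MACRO_PARTS if p in members]
        # A plain .zip archive is handled by the same branch: look for scripts nested inside it.
        findings += [f"{name}: archive contains script {m}" for m in members
                     if m.lower().endswith(SCRIPT_EXTENSIONS)]
    return findings

def scan_message(raw_bytes):
    """Walk every MIME part of a raw message and collect findings for its attachments."""
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        if filename and part.get_content_disposition() == "attachment":
            findings.extend(attachment_findings(filename, part.get_payload(decode=True)))
    return findings

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in entries.items():
            archive.writestr(member, content)
    return buf.getvalue()

def build_sample_email():
    """Constructed sample message: a macro-enabled Word file, a zip holding a .js, and a plain PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    samples = {"invoice.docm": _zip_bytes({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"}),
               "invoice.zip": _zip_bytes({"invoice.js": b"// constructed placeholder"}),
               "terms.pdf": b"%PDF-1.4 constructed placeholder"}
    for filename, content in samples.items():
        msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Running `scan_message(build_sample_email())` reports the .docm and the .zip and stays silent on the PDF; in a real gateway the findings would drive quarantine rather than just a list.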

Many or all of these measures may already be included in a company’s general cybersecurity practices, since ransomware infects networks in much the same way as other forms of malware.