FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed

A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used in cyberattacks in the United States. The first 9 months of 2019 have seen 621 ransomware attacks on government entities, healthcare organizations, and educational institutions.

Ransomware attacks can have devastating consequences. This week, a healthcare provider announced that it will be permanently closing its doors as a result of a ransomware attack due to extensive damage to its systems and the permanent loss of patient data. This is the second healthcare provider known to have been forced out of business due to a ransomware attack this year.

Even when recovery is possible – by paying the ransom or restoring files from backups – the attacks cause major disruption and result in substantial losses. A ransomware attack on DCH health system forced its three hospitals to temporarily close to all but critical patients while systems were restored. Attacks on municipalities have resulted in essential services grinding to a halt, police departments have lost access to records systems, and schools have been forced to send children home and, in one case, delay the start of the school year.

The cost of the attacks is considerable. Lake City in Florida paid a ransom demand of $460,000 and Riviera Beach in Florida paid $600,000 for the keys to unlock the encryption. Those payments were high, but they are just a fraction of the total cost of the attack.

If the decision is taken not to pay the attackers, the costs can be considerably higher. The city of Baltimore was issued with a ransom demand of $76,000 which it refused to pay. The cost of mitigating the attack has been estimated at $18.2 million. The costs may even be higher still. Last month, the Danish hearing aid manufacturer Demant experienced a suspected ransomware attack and recently told its investors that the bill is likely to be between $80 million and $95 million.

When attacks take place, it may be possible to restore files without paying a ransom. Emsisoft has developed workarounds for certain types of ransomware attack and free decryptors are available for some ransomware variants through the NoMoreRansom project. However, in most cases attacked entities only have three choices: Accept file loss, restore files from backups, or pay the ransom.

FBI Updates its Ransowmare Guidance

The recent attacks have prompted the FBI’s Internet Crime Complaint Center (IC3) to update its advice on ransomware. The FBI has long maintained the view that paying a ransom is never advisable. The attackers may not hold valid keys to unlock the encryption or may choose not to supply them and issue further demands after an initial payment is made.

Data can be corrupted during the encryption process which may make it impossible to recover some or all of the encrypted data. The FBI also says, “Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.”

That said, the latest ransomware guidance has seen the FBI slightly soften its stance on paying ransoms, saying “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” In some cases, paying the ransom demand may be the best option.

What the recent attacks have clearly demonstrated is that it is essential to ensure that valid backups of all critical data are made to keep attacked entities’ options open. It is no use creating backups and storing them on networked devices, as those backups are likely to also be encrypted. Multiple backup copies should be created and at least one backup copy should be stored on a non-networked device that is not connected to the internet. It is also essential to test backups to make sure files can be recovered in the event of disaster. If backups are corrupted, paying the ransom may be the only option.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.