Beware of Ransomware

 

June 6, 2017

 

The ransomware threat (malware that encrypts data and demands an extortion payment for the key) is accelerating rapidly and becoming more widespread and profitable for criminals. In 2015, it was estimated that nearly 1 million new malware threats were detected daily. The FBI reported that ransomware attacks grew by 300 percent in 2016. WannaCry, which affected over 230,000 computers in more than 150 countries, highlights the global reach, speed and scale of the ransomware problem.

 

Ransomware is lucrative for criminals because it lets them lock many computers at the same time and demand direct payment, usually in Bitcoin. It encrypts the files on a victim's computer with strong encryption that cannot practically be broken without the key, leaving the victim to either pay the ransom or lose the files. Estimates are that approximately 70 percent of those affected will pay, especially if the amount is less than $500. However, some businesses have learned the hard way that paying the ransom does not guarantee their files will be restored: the criminals may never send a working decryption key.

 

Malware does not need to be complex, overt or obviously malicious from the moment it arrives. Annoying or seemingly innocuous behavior, such as a browser being redirected to sites the user did not ask for or an unexplained flood of cookies and pop-ups, can be the visible symptom of an infection that later delivers ransomware, and should be treated as a potential threat.

 

Ransomware can be brought into a computer in several ways:

Infected media – a user opens a file, such as a video or a document, that carries malicious code. A typical case is a document that arrives by email, looks legitimate, and invites the user to enable macros. If the user does, the macro runs and downloads the ransomware.

Phishing emails – a user opens an email that contains a malicious link or attachment, such as a ZIP file holding a script. Opening it runs the script, which downloads the ransomware from a remote server.

Ad fraud – this malware hijacks a user's system to visit websites and trigger clicks on ads, generating income for whoever placed the ads. It does not encrypt anything itself, but it shows the machine is already running code the user did not ask for, and the same infection route can deliver ransomware.

USB memory devices – a user inserts an infected USB device into their computer, which, once opened, runs malware that encrypts their files. For example, a criminal can 'drop' many of these USB memory devices in a corporate parking lot, and curious individuals may insert them, triggering the attack. Once it is on one computer it can quickly spread throughout the network; WannaCry, for instance, spread on its own through a Windows file-sharing vulnerability without any further user action.

Subtitle files for films and TV shows – crafted subtitle files can exploit flaws in the subtitle parsers of some media players, so that simply starting the video hands the attacker control of the device and its data. Because many players fetch subtitles automatically from online repositories, a malicious subtitle can reach large numbers of devices without user interaction and without being flagged by security software.

Links on social media platforms – a user clicks what looks like a friendly post or message, such as an offer for a vacation package, and the link leads to a page that infects their computer; or

Other unknown or as yet unidentified means.

 

Business costs of ransomware can range from temporary or permanent loss of data or records; loss of intellectual property; losses from disruption or suspension of operations and payment systems; investigative costs; the ransom payment and possible regulatory fines; reputational harm; and the cost of restoring what was lost. For businesses or manufacturers with automated or interconnected machinery or equipment, the losses can be huge and threaten continuing operations.

 

Small to medium businesses are vulnerable to attack, particularly because they tend to run older software and lack the staff or resources to keep all of their systems patched in a timely manner. Criminals can buy ransomware toolkits that require little to no programming skill to run an attack against such systems. Ransomware is offered as a 'service' on the dark web for as little as $39.

 

There are some steps a business may consider to help prevent or mitigate a ransomware attack:

 

Human:

Corporate recognition that small to medium size businesses have just as much exposure to cyber threats as a large business, and that while technology and software to prevent cyber theft are good, they will not prevent all attacks.

Management attention to cyber-security as a priority – planning, expenses and resources.

Proactively establish a plan for what to do if there is an attack: whether to pay the ransom or not, or up to what amount, and the steps that will need to be taken to resume operations.

Remind employees to regularly update the software on their mobile and other devices. All software should be kept up to date, and antivirus software especially so.

Implement staff awareness and training to recognize phishing emails. A few ways to spot a 'phishy' email include:

Looking at the sender's actual email address, not just the display name, to see whether it is legitimate.

Checking for obvious typos and errors in the body of the email, and incomplete sentences.

Hovering over hyperlinks to read the actual address the link points to, rather than the text it shows, before clicking.
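The three checks in this list can also be applied mechanically to a message before it reaches a user. As an added example (not part of the original article), the Python below parses a constructed sample message, compares the Reply-To domain with the From domain, compares each link's visible text with where its href actually points, and flags attachments whose final extension is executable, including the double-extension trick ("Invoice.pdf.exe") that Windows's hidden-extension setting makes invisible. The message, its domains, the typos in it and the address 192.0.2.10 (a reserved documentation address) are all made up for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example, not a real phish. It carries the
# tells discussed above: a Reply-To on a look-alike domain, a link whose visible
# text does not match its target, a double-extension attachment, and (deliberate)
# typos in the text. 192.0.2.10 is a reserved documentation address.
SAMPLE_EMAIL = b"""From: "Accounts Payable" <ap@example-corp.com>
Reply-To: billing@example-corp-invoices.net
Subject: Invoice overdue - action requried
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Please review you invoice at
<a href="http://192.0.2.10/login">https://portal.example-corp.com</a></p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Attachment types that should never arrive unsolicited; .zip is included because
# the article's own example is a ZIP attachment carrying a script.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".jar", ".lnk", ".zip", ".rar", ".7z", ".docm", ".xlsm"}
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _domain(address):
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def analyze_email(raw):
    """Return a list of (category, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: a Reply-To on a different domain than From means any reply the
    #    victim sends goes somewhere other than the apparent sender.
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(("sender", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))

    # 2. Links: what hovering would reveal versus what the link text claims.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = _host(href)
            if IPV4_LITERAL.match(target):
                findings.append(("link", f"link points at a bare IP address {target}"))
            if LOOKS_LIKE_URL.match(text):
                shown = _host(text if "://" in text else "http://" + text)
                if shown != target:
                    findings.append(("link", f"text shows {shown} but href goes to {target}"))

    # 3. Attachments: a double extension only looks harmless when Windows hides
    #    the final one ("Invoice_4471.pdf.exe" is displayed as "Invoice_4471.pdf").
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        final_ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if len(pieces) > 2 and final_ext in RISKY_EXTENSIONS:
            findings.append(("attachment", f"{name}: double extension hiding {final_ext}"))
        elif final_ext in RISKY_EXTENSIONS:
            findings.append(("attachment", f"{name}: risky attachment type {final_ext}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze_email(SAMPLE_EMAIL):
        print(f"[{category}] {detail}")
```

Running it on the sample prints one sender finding, two link findings and one attachment finding. The same function can be pointed at real .eml files; the point of the example is that each item in the checklist above maps to a concrete comparison, so none of them depends on the reader's eyesight.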

 

Technological:

Back up data regularly, and keep at least one copy offline or otherwise out of reach of an infected machine, since ransomware will also encrypt any backup it can reach. If all of the pertinent files are backed up and can be restored, it may be unnecessary to pay the ransom to continue operations.

Apply system patches as soon as possible after they are released, so that operating systems and security software are up to date on all systems and devices. Software makers frequently issue security updates for their products to 'patch' known flaws; the flaw WannaCry used had been patched by Microsoft two months before the outbreak, so unpatched machines were the ones hit.

Turn off the Windows setting that hides known file extensions, so that a file named 'invoice.pdf.exe' is shown with its real extension rather than as 'invoice.pdf'. This makes a disguised executable attachment easier to recognize before it is opened.

Take steps to detect and block malware through monitoring and detection. Monitoring may include analyzing basic network traffic and checking for anomalous network or file activity, such as a large number of files being renamed or rewritten on one machine in a short time. Firewalls and intrusion or breach detection systems can block unauthorized access and alert staff to potential threats.
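An added example, not from the original article, of the kind of anomaly monitoring the last item describes. It reads constructed file-activity events (the JSON line format and its field names are assumed for this example; real EDR or audit logs will differ), raises an alert when one host renames many files to a new extension inside a short window or creates a ransom note, and includes a byte-entropy function of the sort used to tell encrypted files from ordinary documents. The hosts, users and paths are made up.

```python
import json
import math
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per host
RENAME_THRESHOLD = 25            # extension-changing renames within WINDOW before alerting
# Ransom notes are typically dropped as plain text/HTML with names like these.
RANSOM_NOTE = re.compile(r"(decrypt|recover|readme|how_to|restore).*\.(txt|html?|hta)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office documents and text sit well below 8, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """events: iterable of JSON-line strings, one file event each. Returns (host, kind, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # host -> deque of (timestamp, new extension)
    alerted = set()
    for line in events:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        host, op, path = ev["host"], ev["op"], ev["path"]

        if op == "create" and RANSOM_NOTE.search(path):
            alerts.append((host, "ransom-note", path))

        if op == "rename" and _ext(ev["new_path"]) != _ext(path):
            q = recent[host]
            q.append((ts, _ext(ev["new_path"])))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()                       # drop events outside the window
            ext, n = Counter(e for _, e in q).most_common(1)[0]
            if n >= RENAME_THRESHOLD and (host, ext) not in alerted:
                alerted.add((host, ext))          # alert once per host/extension
                alerts.append((host, "mass-rename",
                               f"{n} files renamed to .{ext} within {WINDOW.seconds}s"))
    return alerts


def constructed_events():
    """Synthetic file-activity log for this example, not real telemetry."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = [json.dumps({"ts": base.isoformat(), "host": "ws-002", "user": "asmith",
                         "op": "write", "path": "C:\\Users\\asmith\\Documents\\budget.xlsx"})]
    # 30 renames to .locked on one host inside 15 seconds, then a ransom note.
    for i in range(30):
        src = f"C:\\Users\\jdoe\\Documents\\report_{i:02d}.docx"
        lines.append(json.dumps({"ts": (base + timedelta(seconds=i // 2)).isoformat(),
                                 "host": "ws-017", "user": "jdoe", "op": "rename",
                                 "path": src, "new_path": src + ".locked"}))
    lines.append(json.dumps({"ts": (base + timedelta(seconds=16)).isoformat(),
                             "host": "ws-017", "user": "jdoe", "op": "create",
                             "path": "C:\\Users\\jdoe\\Documents\\HOW_TO_DECRYPT_FILES.txt"}))
    return lines


if __name__ == "__main__":
    for host, kind, detail in detect(constructed_events()):
        print(f"ALERT {host} {kind}: {detail}")
    # Entropy comparison on constructed content: English text versus a uniform
    # byte distribution standing in for ciphertext (no real encryption here).
    print("text     ", round(shannon_entropy(b"Quarterly report: revenue rose 4% on " * 20), 2))
    print("uniform  ", round(shannon_entropy(bytes(range(256)) * 4), 2))
```

The threshold and window are tuning knobs: a backup job or a bulk file conversion also renames many files, so in practice the rule is combined with the entropy check on a sample of the rewritten files, or with a "canary" file that no legitimate process should ever modify.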

 

Insurance:

There are a number of insurance products available from ISO and private insurers that include some form of coverage for cyber related losses. While the coverage options are too extensive to include here, the purchase of insurance is another step to be considered when implementing a plan to prevent or mitigate cyber-related losses.

 

Once a computer has been infected, the nature and scope of the attack should be assessed: which systems and data are affected, whether the infection has been contained (disconnecting affected machines from the network limits further spread), and what needs to be restored before the affected systems can be trusted again.

 

A cyber incident may trigger a legal notification requirement, depending on the facts and the nature of the data. Notification may be required for anyone whose personally identifiable information (PII) was acquired or accessed, or was reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents, some states also require notification to public agencies, such as the state attorney general. The National Conference of State Legislatures' Security Breach Notification Laws page identifies breach notification laws by state: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
