Thursday, January 30, 2014

Ransomware - Holding Your Data Hostage

Cryptolocker is ransomware that was first identified in September 2013. It uses both technical and non-technical methods to infect computers, identify critical files and render them unavailable until the victims pay for their release.

The most common method of infection is a phishing email that encourages the recipient to click on a link, which causes the malicious software to be downloaded, opened and executed. Once installed, the malware seeks out user-created files such as .doc, .xls, .pdf and others. Using a robust encryption routine, the malware encrypts each of these files, rendering them unavailable to anyone who does not have the key needed to decrypt them, and that key is stored on a remote server under the control of the cybercriminal. Cryptolocker is especially aggressive in that it can locate files the victim has access to not only on the local drive but also on shared network drives, USB drives, external hard drives, network file shares and, in some cases, even cloud storage.

Individuals and organizations that fall victim to a ransomware infection such as Cryptolocker should contact their IT administrator, determine what their incident response plan is, and start the remediation process.

Some common recommendations to follow if you believe that your computer has been infected include:
  • Immediately disconnect your system from the network. This will prevent the virus from encrypting additional files on your network.
  • Turn off any data synchronization software that automatically syncs your data to a central server.
  • If you decide to restore your files from backup copies, first remove all remnants of the virus (including ensuring that the registry has been appropriately cleaned); it is then essential that you identify and use a backup from a time period prior to the original infection.
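The behaviour described above (user documents overwritten with ciphertext, and a restore that must come from a backup taken before the infection began) can be turned into a small triage check. The following is an added example, not code from the original post: it flags document files whose byte entropy looks like ciphertext, takes the earliest modification time among the flagged files as the estimated onset of encryption, and selects the newest backup taken before that moment. The file-share contents, timestamps, backup names and the 7.5 bits-per-byte threshold are all constructed assumptions.

```python
"""Added example (not from the original post): entropy-based triage of a file
share hit by file-encrypting ransomware, plus selection of a clean restore point.
All sample contents, timestamps and backup names are constructed."""
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Document types the post names as Cryptolocker targets.
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".pdf"}
# Ciphertext sits close to 8 bits/byte; office text sits around 4-5.
# Caveat: already-compressed formats (many PDFs, .docx) also score high, so
# the threshold is an assumption that must be tuned per file type.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: random-looking bytes are treated as probable ciphertext."""
    return shannon_entropy(data) >= threshold


def find_suspect_files(files: Dict[str, Tuple[bytes, datetime]]) -> List[str]:
    """Paths of targeted document types whose contents look encrypted."""
    return sorted(
        path for path, (data, _mtime) in files.items()
        if any(path.lower().endswith(ext) for ext in DOCUMENT_EXTENSIONS)
        and looks_encrypted(data)
    )


def estimate_infection_start(files: Dict[str, Tuple[bytes, datetime]],
                             suspects: List[str]) -> Optional[datetime]:
    """Earliest mtime among flagged files: a lower bound on when encryption began."""
    if not suspects:
        return None
    return min(files[p][1] for p in suspects)


def choose_restore_point(backups: Dict[str, datetime],
                         infection_start: datetime) -> Optional[str]:
    """Newest backup taken strictly before the estimated infection start."""
    clean = {name: ts for name, ts in backups.items() if ts < infection_start}
    return max(clean, key=clean.get) if clean else None


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def utc_stamp(y: int, m: int, d: int, hh: int, mm: int) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample "file share": path -> (contents, last-modified time).
SAMPLE_FILES = {
    "share/finance/q4.xls": (pseudo_random_bytes(4096), utc_stamp(2014, 1, 28, 9, 17)),
    "share/hr/policy.doc": (pseudo_random_bytes(4096, b"other"), utc_stamp(2014, 1, 28, 9, 31)),
    "share/hr/notes.doc": (b"Meeting notes for Tuesday. " * 100, utc_stamp(2014, 1, 27, 16, 5)),
    # High entropy but not a targeted type, so it is ignored.
    "share/web/logo.png": (pseudo_random_bytes(2048, b"png"), utc_stamp(2014, 1, 20, 12, 0)),
}
# Constructed nightly backups; the last one was taken after encryption started.
SAMPLE_BACKUPS = {
    "nightly-2014-01-26": utc_stamp(2014, 1, 26, 23, 0),
    "nightly-2014-01-27": utc_stamp(2014, 1, 27, 23, 0),
    "nightly-2014-01-28": utc_stamp(2014, 1, 28, 23, 0),
}


def triage(files=SAMPLE_FILES, backups=SAMPLE_BACKUPS):
    """Run the three steps and return (suspect paths, infection start, restore point)."""
    suspects = find_suspect_files(files)
    start = estimate_infection_start(files, suspects)
    restore = choose_restore_point(backups, start) if start else None
    return suspects, start, restore


if __name__ == "__main__":
    suspects, start, restore = triage()
    print("suspect files:", suspects)
    print("estimated infection start:", start)
    print("restore from:", restore)
```

The restore point it picks is the newest backup that predates the earliest suspect file, which is exactly the "prior to the original infection" requirement in the list above; a backup taken after that moment may already contain encrypted copies. The entropy check is a screening aid for deciding where encryption began, not a replacement for cleaning the host first.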

Because most antivirus applications cannot proactively detect the malicious software associated with ransomware, the most successful strategy is to prevent the infection in the first place.

One of the most important things an individual or an organization can do to limit exposure is to ensure that people are aware of the threat and do not open suspicious emails or unexpected attachments. When in doubt, the recipient should verify the identity of the sender and the specific contents of any attachments.

Regular backup of all systems will limit the impact of data or system losses.

Organizations should restrict access to sensitive files and conduct regular review of user access to ensure that it is limited to only that level required to perform their work duties.

Regularly updating all antivirus programs, enabling automatic updates of AV signatures and software, and ensuring that systems are updated and patched in a timely manner will also help reduce exposure.

Ransomware is going to be a real issue going forward, as it can be very lucrative for the cybercriminal and the risk of being caught is still relatively low. According to an article in PCWorld, the creator of the Cryptolocker virus may have made as much as $30 million in just 100 days; if that is the case, you can guarantee that more ransomware is on the way.

Thursday, January 16, 2014

Perfect Security is Perfectly Impossible

I was recently listening to an analysis of the Target security breach on NPR's On Point with Tom Ashbrook (On Point). One of his guests for the show was David Lazarus, a consumer columnist for The Los Angeles Times. Mr. Lazarus had written an article that took the position that companies are willfully leaving customer information vulnerable to disclosure because the cost of securing the data is too expensive (Lazarus, 2014).

Mr. Lazarus makes a valid point when he indicates that it is expensive to secure networks and data, and that it is indeed a business decision to balance security against usability or availability. Unfortunately, in my opinion, he jumps off the track when he suggests that organizations can deploy a multitude of security mechanisms to provide absolute security.

As I am sure you are aware, every security technology has inherent vulnerabilities. Every tool that is introduced into a network can be defeated, and with enough time will be. In other words, there will never be perfect security in a network designed for commerce. Even encryption, which some tout as the holy grail for securing data, has vulnerabilities that allow for the possibility of its defeat.

It is true that businesses are collecting more and more information from their customers. Many are asking for email addresses, telephone numbers and other non-financial information at the point of sale. Others are offering club cards, memberships and discounts that collect the same information. This information, while innocuous, can be a rich target for hackers and identity thieves. What is often forgotten, or perhaps overlooked, is that none of this information is needed to complete the transaction. Customers can simply say no, refuse to provide their email or telephone number, and complete the transaction anyway. This might mean that you are not able to receive a discount on your purchase, or that you miss out on special sales, but your information will be just a little bit more secure.


I do support, as I have previously posted, the idea of assessing a fee on organizations that experience a breach, perhaps on a sliding scale if it can be determined that the organization was negligent in securing its customer data, but I would be cautious about making the fine so high that it becomes a deterrent to reporting. I also feel that any fines collected due to a breach should be used to create a "super fund" that provides monetary support for consumers whose information is compromised as a result of a breach, funds research and education, and pays for the identification and prosecution of cybercriminals.

To me, the most unsettling fact about the recent string of breaches is the time that elapsed between the initial breach and the organization's public notification of it. There is no reason that an organization should sit on a known breach for four weeks without notifying those who were affected. That to me is unconscionable and should be a primary concern for our legislature to address.

The bottom line is that there is no such thing as perfect security: consumers need to place more value on their personal privacy and control how it is distributed, organizations need to voluntarily disclose data breaches in a more timely manner, and as a nation we need to examine a comprehensive breach notification law.

Tuesday, January 14, 2014

40 Million? 70 Million? 110 Million? We are still not sure how many customer data records have been compromised in the last 12 weeks

When Target initially reported the breach, it estimated that approximately 40 million credit and debit card customer files had been compromised as a result of a data breach that occurred sometime between November 27 and December 15, 2013 (Wall Street Journal, Corporate Intelligence). After KrebsOnSecurity first reported the breach on the 18th of December, Target publicly acknowledged it on the 19th, confirming that customer names, credit or debit card numbers, expiration dates and encrypted security codes had been compromised. During the course of its investigation, in conjunction with the Department of Justice, the Secret Service and Verizon Communications, Target discovered on December 27th that encrypted debit card PIN information had also been compromised as a result of the breach. Two weeks later, on January 10, Target announced that an additional 70 million customers had their personal information stolen during the breach, including names, mailing addresses, phone numbers or emails (Wall Street Journal, Corporate Intelligence). On January 11, Neiman Marcus confirmed that it too was the victim of a data breach during the same time frame as Target and that it was working with the U.S. Secret Service to investigate the break-in. Neiman Marcus also informed the public that it was unable or unwilling to disclose the number of customer records that were compromised. Today, according to Reuters, there were at least three other smaller breaches at other well-known U.S. retailers, carried out in a similar fashion to the Target and Neiman Marcus breaches (Reuters).

Most states (46 out of 50) (National Conference of State Legislatures) have laws that require companies to notify customers when personally identifiable information, such as social security numbers, is compromised. In Massachusetts, Mass. General Law 93H-1 et seq. states that when a breach of security results in the disclosure of a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements (social security number; driver's license or state-issued identification card number; or financial account information, with or without required security codes), the agency must notify the individual. Currently there is no federal law requiring consumer notification as a result of a data breach.

The reality today is that data breaches happen and will continue to happen. As new security technologies are brought to market, hackers and cybercriminals will continue to test the security controls, looking for and exploiting weaknesses in the technology. Organizations will experience temporary losses as consumers' confidence wavers following a breach notification, but those profits are likely to return, as the public generally has a short memory and will eventually forget the incident. This reprieve lasts only until the next round of breaches is discovered and disclosed.

The real issue is the lack of accountability: nothing holds organizations to taking meaningful steps to protect consumers and make them whole. Currently the remedy for consumers caught up in a data breach is credit monitoring services. While this is an important step for protecting consumers' credit scores, it is woefully inadequate in protecting consumers from other forms of personally identifiable information abuse. Credit monitoring does not cover public record databases, driver's license records, criminal records, social security records or medical records. Nothing compels organizations to provide meaningful long-term protection for victims of data breaches.

The idea has been floated of a federal law that penalizes organizations that are victims of a data breach and do not inform consumers. Recognizing that it is impossible to prevent every type of security issue, I find that suggestion naïve and overly simplistic. What I would suggest is a law that requires organizations to contribute to a superfund, similar to those established to clean up hazardous substances, a monetary fee for each data record breached. For instance, if organizations were required to submit $1 for each data record compromised as a result of a data breach, Target would contribute between $40 million and $70 million to the fund. A portion of the fund could be set aside for future claims of repeat victimization by consumers who were initially victimized in a breach. After all, once your personal information is released, it may be years before the extent of the compromise is personally quantified. The fund could also be used to provide resources for research and education in the field of computer security, allowing specifically for research and training in the prevention, detection and mitigation of cyber threats. Finally, funding could be provided to offset the cost of investigating and prosecuting the individuals responsible for the breach and for future crimes related to the misuse of the disclosed information.