Ransomware: How to Respond to Locky

Computer hacking continues to grow in sophistication. It's a constant arms race between security professionals and criminals who wish to cause harm. This battle leaves businesses, hospitals, and other entities that store sensitive data in a rough spot. If there is no absolutely sure way to prevent attacks, how should a company handle it if it does happen? And how should they tell the public?

Take what happened to three U.S. hospitals recently. They were all hit with ransomware. This is software that encrypts vital files on a computer and extorts the computer owner for money to unlock the system. All of the hospitals were able to recover, though not without significant disruption. One of them did pay the $17,000 demanded to unlock the files after being down for ten days. Ransomware is pretty new, but a wide range of attacks have hit businesses over the last few years.

Hospital attacks are worrisome because of the potential for medical records theft and potential disruption of systems that are necessary to save lives. The Institute for Critical Infrastructure Technology is predicting that ransomware attacks are going to rise in 2016 because of their high profitability and few defenses against them. Fortunately, there are things that can be done to improve health care crisis management after an attack.

Internal Response

Speed is of the essence in a ransomware attack. The primary goal is to keep the program from spreading to other computers on your network. This is easier said than done. Locky and other modern ransomware programs are able to reach across to other connected servers, even unmapped ones, and infect those. If a computer is suspected to be infected, it must be removed from all networks.

The early stages of an attack are not the time to wonder how an unwanted piece of software got in. That comes after the problem is fixed, though security professionals should stay on top of the news on ransomware and other attack programs and how they get in. That can prevent a problem before it starts. Locky, for instance, is commonly delivered in an email disguised as an invoice with a Word file attached. The Word file instructs the reader to enable macros, which causes the payload to download and run.
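The delivery chain above (an "invoice" Word file that asks the reader to enable macros) is something a mail gateway or helpdesk script can flag before anyone opens the attachment. The following is an added example, not code from the original post: it inspects the OOXML (.docx/.docm) container with the standard library only and reports the legacy binary .doc container as needing an OLE parser rather than guessing; the sample files it builds are constructed for the demonstration.

```python
"""Triage a Word attachment for an embedded VBA project (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Word 97-2003 container
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"


def classify_word_attachment(blob: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-word' for an attachment's bytes."""
    if blob.startswith(OLE_MAGIC):
        # Binary .doc: macros live inside OLE streams; needs an OLE parser
        # (e.g. olefile/oletools) to read, so report it for manual review.
        return "legacy-ole"
    if not blob.startswith(b"PK"):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if "word/document.xml" not in names:
                return "not-word"
            # A VBA project is stored as word/vbaProject.bin; a .docm also
            # declares the macro-enabled main part in its content-types manifest.
            if "word/vbaProject.bin" in names:
                return "macro"
            if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
    except zipfile.BadZipFile:
        return "not-word"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("invoice.docm", build_sample(True)), ("memo.docx", build_sample(False)))
    for label, blob in samples:
        print(label, classify_word_attachment(blob))
```

A gateway policy that quarantines "macro" and "legacy-ole" results for review, rather than delivering them to the inbox, removes the step the lure depends on.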

Once the virus is contained, an assessment has to be made of what data might have been encrypted, if any. Different ransomware programs take different tactics. Some don't encrypt at all and try to fool people into thinking the police or some other authority has evidence of a crime, then try to extort payment. Encrypting variants are on the rise, though, and these can lock certain folders, file types, or even the master boot record of the drive.
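One way to start the "what was encrypted" assessment on a suspect share is to look for files whose bytes are close to uniformly random, which is what encrypted output looks like, while documents, spreadsheets and source code score far lower. This is an added example, not from the original post: the entropy threshold and the sample tree are assumptions, and compressed or already-encrypted files (zip, jpg, some pdf streams) also score high, so hits need a second look.

```python
"""Entropy-based triage of possibly encrypted files (added example)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5      # bits per byte; assumed threshold, tune on known-good files
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, since_epoch: float = 0.0, threshold: float = HIGH_ENTROPY):
    """Return [(path, entropy)] for files modified at or after since_epoch whose
    first SAMPLE_BYTES have entropy >= threshold, sorted by path."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_mtime < since_epoch:
            continue  # directories, and files untouched since the infection window
        with open(path, "rb") as fh:
            h = shannon_entropy(fh.read(SAMPLE_BYTES))
        if h >= threshold:
            hits.append((str(path), round(h, 2)))
    return hits


def run_demo():
    """Constructed sample: one plain-text report and one random blob standing in
    for an encrypted copy; returns the scan hits for the temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = Path(tmp) / "reports"
        reports.mkdir()
        (reports / "q1.txt").write_bytes(b"patient visit summary\n" * 300)
        (reports / "q1.txt.enc").write_bytes(os.urandom(4096))
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, h in run_demo():
        print(f"{h:5.2f}  {path}")
```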

Ideally, you'll be able to isolate the problem computer to stop the spread of infection, then restore from backup. The FBI is closely watching ransomware attacks, so a call to the local authorities may be wise. However, that could expose the attack to the general public, which means you need to have an external response ready.

External Response

Should you reveal that you've been attacked? Opinions vary. The public seems to react better if you tell them in situations where their data has been stolen or their services compromised, as seen in how Buffer and Evernote handled their crises, and how Sony didn't. Transparency and open communication allow companies to manage expectations and allay fears before the public can come to their own conclusions.

But ransomware doesn't steal customer data. It just encrypts it. Should the public be notified you had a breach if the attack doesn't affect them directly? “There are a lot of factors that go into that decision,” notes Rosemary Plorin, a crisis management strategist for the healthcare industry.

For example, if the infection was caught early enough, no customer data was affected, and any affected computers were fixed or quarantined, then perhaps you could keep it to yourself. But if customer-facing systems, or something worse like the EHR system, were affected, or if services were delayed, then the public must be notified. The urge to save yourself from public opinion may be strong, but hiding a problem that affects the public will result in a much worse situation. Again, if you communicate with the public, be clear and open about what happened and what you're doing to fix it.

After any successful attack, security must be improved to prevent future ones. In fact, an attack can be a blessing in disguise. Long-standing security holes that might have been left open for convenience can be shut down once there's proof that an attack can get in. Telling the public about how you improved your security can relieve fears of future attacks.

Crisis management during and after an attack is crucial to restore public trust and to prevent further damage. Keep on top of the latest cybersecurity news and study how other businesses handled their own breaches. Learning from others' actions is a good way to seal up your own weaknesses.
