How ALTA Members Can Defend Against Ransomware

November 10, 2016

Ransomware has emerged as one of the most serious online threats facing businesses, according to the Federal Trade Commission (FTC).

Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data “hostage” until the victim pays a ransom, frequently demanding payment in Bitcoin. In the typical case, the criminals demand between $500 to $1,000, but some have demanded as much as $30,000, according to the FTC. As an example some hackers will delete the victim’s files if payment isn’t made within a specified period of time, and many newer variants use highly advanced methods of encryption.

Risks

Any business that holds consumers’ sensitive information should be concerned about the threat of ransomware. It can impose serious economic costs on businesses because it can disrupt operations or even shut down a business entirely. In addition, a business’ failure to secure its networks from ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked. A company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act, according to the FTC. This principle is illustrated in several recent FTC actions that highlight the importance of defending against malware, such as the case against Wyndham Hotels & Resorts LLC. The decision gives the FTC broader data security power.

How is ransomware delivered?

Criminals deliver ransomware in a variety of ways. The FTC reports that 91 percent of all ransomware arrives through email phishing campaigns. These typically require the user to take some kind of action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user’s computer.

How to defend against ransomware

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene: Practice good security by implementing basic cyber hygiene principles.
    • Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
    • Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
    • Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
  • Backups: Back up your data early and often.
    • Identify business-critical data in advance and establish regular and routine backups.
    • Keep backups disconnected from your network so that you can rely on them in the event of an attack.
  • Plan: Prepare for an attack. Develop and test incident response and business continuity plans.

How to respond if you’re a victim

If ransomware strikes, the FTC says to consider these steps: 

  • Implement your continuity plan: To be ready if an attack occurs, have a tested incident response and business continuity plan in place. Well-prepared organizations with reliable backups may be able to restore systems from those backups with minimal data loss or business interruption.
  • Contact law enforcement: Contact law enforcement, such as a local FBI field office, if you discover an attack.
  • Contain the attack: Keep ransomware from spreading to networked drives by quickly disconnecting any infected computer from the network.    

The third pillar of ALTA’s Title Insurance and Settlement Company Best Practices encourages companies to adopt and maintain a written privacy and information security program to protect Non-public Personal Information (NPI) as required by local, state and federal law. (For more on protecting NPI, see Know What’s Considered Non-public Personal Information and Where It’s Located in Your Company.)


Contact ALTA at 202-296-3671 or communications@alta.org.