The Complete Guide to Ransomware Protection for SMBs
ODMOB Ransomware newsletter final
1. Page | 1
ABN: 81 141 521 571 8/26/2016 Edition 2016 Volume 2
Ransomware: Strategies to avoid Capture
Introduction
The use of computers has become so pervasive that most, if not all, businesses in developed countries have become totally dependent upon the use of computer technology and the availability and integrity of the information stored and manipulated by computer systems.
This dependency is no longer limited to domestic relationships. Through the advent of the internet and its ever growing influence, the combination of computer technology with telecommunications technology has extended the use of the computer from the personal environment to the commercial environment with global reach.
Computers are now able to communicate relatively easily over great distances through large distributed networks. They can now facilitate electronic commerce transactions not only domestically but also internationally. Organisations such as Amazon, Netflix, AirBNB and Uber have taken substantial advantage of this connectivity and have disrupted traditional businesses such as bricks and mortar retail stores (for example, traditional book stores like Borders no longer even exist, and the same situation impacted Blockbuster video stores through the advancement of Netflix). Further, the criminal sector of society no longer relies on physical presence but has also taken advantage of this connectivity to engage in new crimes. One fairly new criminal activity has been the proliferation of ransomware.
Ransomware: What is it?
Ransomware is basically the sending of malware (malicious software) that will, when activated, encrypt the victim’s data so that the victim no longer has access to that data. The data is still located on the victim’s computer system but the victim is not able to process it as it has been encrypted by the ransomware.
Recently, there has been a substantial increase in ransomware attacks. The first known ransomware attack occurred more than 27 years ago and was identified as the AIDS Trojan. The implementation of this attack involved symmetric cryptography, and the instigator of this attack was Joseph Popp, who demanded payment of US$198. Popp was caught and prosecuted but was later determined to be unfit to stand trial. 7 years after this first attack, Young and Yung coined the term “cryptovirology”, which has morphed itself into ransomware.
At the 1996 RSA conference, Young and Yung showed how public key cryptography could be used to encrypt third party data and systems so as to hold the afflicted party to ransom. The afflicted party would have to pay a small fee in order to gain access to their vital data. This was the birth of modern ransomware. The attack vector has been the proliferation of email across many millions of computers. But the initial ransomware attack had a vital flaw in that it still required some form of payment. Initially, the payment was in physical money (fiat currency), which required there to be some form of physical delivery of the cash. This exposed the criminals to a risk of being caught at the time of collection. Obviously, this was an unacceptable risk for most criminals.
Next issue: BYOD arrangements: staff rules and the legal risks involved.
In 2013, criminals combined ransomware (CryptoLocker) implementations with bitcoin, a virtual currency that has pseudo-anonymous characteristics. Through the use of bitcoin as the payment mechanism, criminals were able to be paid quickly for their ransomware activity and in a pseudo-anonymous manner. The advantage of bitcoin payments is that the criminals could undertake this crime without ever setting foot in the victim’s jurisdiction. Therefore, the risk of being caught was substantially reduced and since 2013 the proliferation of ransomware has expanded exponentially.
It should be understood that bitcoin is not completely anonymous as it is possible to trace the bitcoin conversions into fiat currency. This is known as on-ramp and off-ramp monitoring, which is where law enforcement agencies concentrate their activities, especially for money laundering and counter-terrorism financing.
It has been estimated that on average each internet connected business person in an organisation (any organisation) will have been sent 58.9 spam emails on a daily basis. On average, good spam filters will remove approximately 90% of spam emails. So on a daily basis each person in an organisation will actually receive 5.52 spam emails that have escaped the spam filter. Note this is just spam email. Spam email may only account for 4% or less of the total emails actually received by an employee on any given day. That is, in total, an employee depending on their job position may receive more than 120 emails per day.
At the human resource level, a small business with say 30 employees has to deal with 165 spam emails (30 x 5.52 spam emails) on a daily basis that have reached a human recipient. Not all of those spam emails will contain ransomware. Let’s say 0.1% as a very conservative approach. On average, that means an organisation comprising 30 staff who are connected to the internet will on a fortnightly basis (10 working days) receive about 1.65 spam emails that contain ransomware. Consequently, over a year the small business can expect approximately 43 ransomware infected emails reaching at least one of their employees. The example above only deals with a small business with 30 employees. Consider the situation of an organisation like a bank or a government agency that has many thousands of employees, with the possibility of just one person being distracted for a moment and, due to that distraction, activating ransomware.
Now criminals can buy on the dark web email lists that contain millions of captured email addresses. In fact, on the dark web criminals can purchase email harvesting applications that can target a particular organisation to scrape all of the email addresses from the target’s email server. From that point on, the cost to the criminal is the cost of developing/writing a plausible spam email that will not be captured by a spam filter and hopefully will be activated due to some human failure. There is no cost in sending the email, which is the criminal’s greatest economic advantage.
If any employee of an organisation fails to recognise the infected email and clicks on any link or document embodied in the infected email then the ransomware will be activated. Consequently, the effectiveness of ransomware is a numbers game, and given the work pressures many employees of organisations are under, there is a real possibility of success for the criminal. In essence, ransomware success will principally be due to a lapse in concentration at the human recipient level.
Kaspersky Research labs released its 2015 report on ransomware that included the disturbing graph detailed in Annexure A.
Note that each bar only accounts for a 3 month period. Hence in just the last quarter of 2015, there were globally more than 337,000 ransomware attacks which were identified. Any one of these could have been successful for the perpetrators. On a quarterly basis, there is a 27% increase compounded, which means that on an annual basis the growth of ransomware is nearly tripling. Hence, for the last quarter of 2016 it is expected that the number of ransomware incidents globally will reach approximately 1 million attacks.
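The spam-exposure arithmetic above and the 27% quarterly growth projection, carried through as an added Python model (this is example code, not the newsletter’s own). It takes the newsletter’s inputs (58.9 spam emails per person per day, a 90% filter, 0.1% of delivered spam carrying ransomware, 30 staff, 10 working days per fortnight, 337,000 attacks growing 27% per quarter); the 260 working days per year and the per-email click rate are assumptions made here, and it goes one step further than the text by turning the yearly count into a probability of at least one infection and by showing how the count moves with filter efficacy.

```python
"""Exposure model behind the newsletter's spam-to-ransomware estimate (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional
import math


@dataclass(frozen=True)
class ExposureInputs:
    spam_sent_per_person_per_day: float = 58.9   # newsletter figure
    filter_efficacy: float = 0.90                # newsletter: filters remove ~90%
    delivered_override: Optional[float] = None   # set to 5.52 to reuse the newsletter's figure
    ransomware_fraction: float = 0.001           # newsletter: 0.1% of delivered spam
    staff: int = 30                              # newsletter: small business
    working_days_per_fortnight: int = 10         # newsletter figure
    working_days_per_year: int = 260             # assumption: 52 weeks x 5 days


def delivered_spam_per_person_per_day(i: ExposureInputs) -> float:
    """Spam that survives the filter and reaches a human inbox."""
    if i.delivered_override is not None:
        return i.delivered_override
    return i.spam_sent_per_person_per_day * (1.0 - i.filter_efficacy)


def ransomware_emails(i: ExposureInputs, working_days: int) -> float:
    """Expected ransomware-carrying emails reaching any staff member over a period."""
    return (delivered_spam_per_person_per_day(i) * i.staff
            * i.ransomware_fraction * working_days)


def ransomware_emails_per_fortnight(i: ExposureInputs) -> float:
    return ransomware_emails(i, i.working_days_per_fortnight)


def ransomware_emails_per_year(i: ExposureInputs) -> float:
    return ransomware_emails(i, i.working_days_per_year)


def probability_of_at_least_one_infection(i: ExposureInputs, click_rate: float) -> float:
    """Convert the yearly count into a risk. Each delivered ransomware email is treated
    as an independent chance of a click, so infections are Poisson with mean
    count * click_rate and P(at least one) = 1 - exp(-mean). click_rate is an assumption."""
    mean_infections = ransomware_emails_per_year(i) * click_rate
    return 1.0 - math.exp(-mean_infections)


def quarterly_growth_projection(start: float, quarterly_rate: float, quarters: int) -> float:
    """Compound a quarterly attack count (the newsletter's 27% per quarter)."""
    return start * (1.0 + quarterly_rate) ** quarters


def filter_sensitivity(i: ExposureInputs, efficacies: Iterable[float]) -> Dict[float, float]:
    """Yearly ransomware emails for each candidate filter efficacy, recomputed from the
    sent volume (the override is cleared so the filter actually applies)."""
    return {e: ransomware_emails_per_year(replace(i, filter_efficacy=e, delivered_override=None))
            for e in efficacies}


if __name__ == "__main__":
    base = ExposureInputs()
    newsletter = replace(base, delivered_override=5.52)   # reproduces the text's 1.65 / 43
    print(f"per fortnight: {ransomware_emails_per_fortnight(newsletter):.2f}")
    print(f"per year: {ransomware_emails_per_year(newsletter):.1f}")
    print(f"P(>=1 infection/yr) at an assumed 5% click rate: "
          f"{probability_of_at_least_one_infection(newsletter, 0.05):.2f}")
    print(f"Q4 2016 projection: {quarterly_growth_projection(337_000, 0.27, 4):,.0f}")
    for eff, n in filter_sensitivity(base, (0.90, 0.99, 0.999)).items():
        print(f"filter {eff:.1%}: {n:.1f} ransomware emails/yr")
```

Run with the newsletter’s 5.52 figure the model returns the text’s 1.65 per fortnight and 43 per year; with 58.9 and a 90% filter it gives 5.89 delivered per person per day, slightly above the 5.52 the newsletter uses.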
At the time of the release of this newsletter, the price of a bitcoin is US$580 and it is not uncommon for the ransom to amount to 2 bitcoins (US$1,160), though a recent attack on a North American hospital required the payment of 25 bitcoins (US$14,500). As can be readily identified, ransomware is a very lucrative activity due to the simplicity of the attack, low cost implementation and reduced risk through bitcoin payment.
Management’s Fiduciary Obligations
Directors are under various duties to act in the best interests of the company as a whole. This duty includes an obligation not to misuse or endanger property belonging to the company. This prompts an investigation of what precisely is incorporated in the scope of the term “property”. Clearly, physical assets of a company will be property; however, questions remain as to the classification of certain intangible assets. Of particular concern is whether the information accumulated and stored in a company’s IT system will generally be regarded as property of the company.
Latham CJ addressed the issue of information as “property” in The Federal Commissioner of Taxation v United Aircraft Corporation by exploring the value of knowledge as a commodity. Although recognising that knowledge is valuable, particularly knowledge that is kept secret, his Honour did not believe it to be property in a legal sense. Despite this position in Australia as to the rejection of confidential information being classified as property, courts in other jurisdictions such as the USA have declared confidential information to be property.
Further, even in Australia, the Federal Court in ASX v. Pont Data acknowledged the monetisation that exists in trading information. Consequently, even though confidential information may not in Australia be classified as property, it is a commercial asset that the law will impose upon management the fiduciary duty to protect.
As Viscount Haldane LC said in Lennard’s Carrying Company Ltd v. Asiatic Petroleum Company Ltd.:
“My Lords, a corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who for some purposes may be called an agent, but who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation. That person may be under the direction of the shareholders in general meeting; that person may be the board of directors itself…”
The relationship between a director and company is one of the categories of relationships considered by the Courts to be fiduciary. Mason J (as he then was) in Hospital Products Ltd v United States Surgical Corporation succinctly stated the general position concerning fiduciaries as:
“The critical feature of these relationships is that the fiduciary undertakes or agrees to act for or on behalf of or in the interests of another person in the exercise of a power or discretion which will affect the interests of that other person in a legal or practical sense. The relationship between the fiduciaries is therefore one which gives the fiduciary a special opportunity to exercise the power or discretion to the detriment of that other person who is accordingly vulnerable to abuse by the fiduciary of his position.”
The duty owed by a director to the company in equity requires the director to act honestly, in good faith and to the best of his or her ability in the interests of the company, to the exclusion of all other interests. This duty also incorporates negative duties, such as the duty to avoid conflict and the duty not to secretly profit from their position.
This standard of duty of business and professional conduct should be ascertained objectively by taking into consideration:
(a) What the industry norm is for the corporation;
(b) What standards, if any, have been adopted or endorsed by industry bodies of which the corporation is a member;
(c) What codes of conduct have been endorsed or developed by relevant industry bodies;
(d) What commercial environment the corporation operates in and therefore what best practice rules govern that environment.
If management, which obviously includes the directors of an organisation, do not implement appropriate security standards then they could be held accountable for any loss that arises out of a hacker attack, including a ransomware attack. Consequently, what should management do to reduce the risk of a successful attack?
Management’s Actions to reduce the Risk of Ransomware
The law does not require management or company boards to internally have the skills to implement the complex aspects of IT security. IT security is a complex topic which requires specialist skills which not only involve technical skills but also legal knowledge. Section 180(2) of the Corporations Act deals with the business judgement rule, which insulates directors from liability where they have acted in good faith by accepting the advice from an external expert. Therefore, it is highly recommended that boards should take advantage of this safe harbour by regularly seeking IT security legal advice in their deliberations concerning the protection of corporate information.
The management of a corporation should follow the AIC model of security. AIC stands for:
Availability of the information/data. This is the highest priority. If the information is not available for use then the remaining 2 criteria are irrelevant.
Integrity of the information. Management must have the confidence that the data which they are processing is complete, correct, and up to date. Their corporate decisions will be based upon the integrity of the information processed.
Confidentiality of the information. The data/information should be classified to determine what security framework needs to be implemented. Some data may be classified as open data and can be accessed by anyone either at no cost or for a minor stipend. Other data may be classified as commercial in confidence or board members only.
Consequently, the impact of a successful ransomware attack is that the corporation’s vital data will no longer be available. It is imperative that all corporations have a ransomware strategy in place. The following strategy is proposed as a minimum that should be considered:
Patch Management Procedure: All corporations should have a patch management procedure that is regularly reviewed. Management should not just assume that the patch management procedure is automatically being done. Once it is set up, it is not a set and forget mechanism. Patch management procedures should be regularly reviewed in order to determine that they:
o Are effective both from a cost perspective and a time perspective;
o Actually work. That is, they should be tested to ensure that all patches are up to date. This can be achieved through a review of audit logs.
Train staff: There are literally many hundreds of academic papers identifying that the weakest link in IT security is the human element. Staff training obviously needs to be undertaken as part of the induction process, but all staff should be retrained on a regular basis. Refresher courses should be part of standard procedures in the same way fire drills are ingrained into the employee psyche. In particular, there should be particular attention concerning the prohibition of downloading any attachments that the employees are not expecting, even if they know the sender’s name. It is best to train employees that if they receive an email with either an attachment or a link from someone they know but were not expecting, they should telephone that sender just to make sure that they actually sent the relevant email. Some criminals are now undertaking email address harvesting and then sending ransomware to the various harvested email addresses. Email address harvesting involves a small bot that will copy a person’s contact list (victim A) and FTP it to the criminal. The criminal then knows who to send the ransomware to and does so by spoofing victim A’s email address.
Implement appropriate security measures: It is important that corporations deploy at least:
o Up to date firewalls, anti-virus software, intrusion detection systems and, where appropriate, data loss prevention systems;
o Regular backup procedures, with testing that the data/system environment is capable of being recovered in a timely manner;
o Business continuity procedures and disaster recovery procedures. In particular, staff should know who is to take control and what tasks they need to do to ensure that the environment is able to be fully functional in a timely manner.
In addition to the above, the FBI on 29 April 2016 issued the following checklist concerning proactive protective measures in dealing with ransomware attacks:
Prevention Efforts
Make sure employees are aware of ransomware and aware of their critical roles in protecting the organization’s data. Training; Training; Training. In this regard, organisations should review their staff rules and procedures to make sure that staff are aware of their corporate obligations.
Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
Disable macro scripts from office files transmitted over e-mail.
Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business Continuity Efforts
Back up data regularly and verify the integrity of those backups regularly.
Check to see if there are any antidotes available from reputable vendors. Some of the more reputable vendors have made available decryption keys for many ransomware malware.
Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
The last recommendation by the FBI is highly important. Once the ransomware has been eliminated from the affected computer system, the offline backup data can be used to restore the data environment to a state that existed, hopefully, immediately prior to the attack. Of course, there will be some loss of data, but it does reduce the impact of the ransomware.
It is management’s responsibility to ensure that a corporation’s information assets are available for future use, and ransomware is a noted and ever increasing threat. Furthermore, it is not unusual for a corporation to have long term contracts in place. In performing such long term contracts, organisations are dependent upon their computer systems being available and operating correctly. Most if not all long term contracts include a force majeure clause as part of the contractual arrangement.
A force majeure clause deals with events that are outside of the control of either party and is usually written on a mutual basis, meaning that the clause is available for the benefit of both parties. The issue then arises whether a successful hacker attack can fall within a force majeure clause. The answer to this issue really depends on what security measures the victim of the attack put in place. If the victim organisation does not implement what would reasonably be expected for the type of organisation in question then the victim organisation may not be able to rely upon a force majeure clause. In the case of in re Verizon - Maine Public Utilities Commission, the Commission rejected Verizon’s argument that the impact of the Slammer worm (a computer virus that was first identified in the early 2000s) was within the ambit of the force majeure clause.
Verizon was seeking a waiver of its contracted wholesale performance metrics because the Microsoft SQL Slammer worm had caused significant disruptions across the Internet in early 2003, impacting its servers. As a result, Verizon could not meet its performance standards as detailed in its contract with the State of Maine. Verizon had been aware of the existence of the Slammer worm for approximately 6 months but failed during that period to implement the Microsoft released patch, which had been released a number of months prior to Verizon falling victim to the virus. To make their argument ineffective, 2 competitors, namely AT&T and WorldCom, intervened in the dispute with the State of Maine by submitting affidavits detailing how their respective IT departments had implemented the Microsoft released patch and how their respective IT systems were immune to the Slammer worm. Consequently, a failure to implement proper security measures can have far reaching implications, including secondary impacts by not allowing the victim to rely upon a force majeure clause.
Conclusion
IT security is complex and as such management, and in particular boards of directors, should seek external expert advice so as to take advantage of the business judgement rule. More sophisticated boards are even making sure that at least one of their members has sufficient expertise in IT security so as to explain what security measures should be considered for their company. In this case IT security should not be an exceptional board agenda item but should be discussed regularly, or at least on a quarterly basis depending on the industry sector of the relevant organisation.
There is no such thing as a completely secure system. If it were possible to make a system absolutely secure then hackers would not be as successful as they are. Despite this, there are strategies which can be implemented to reduce the risk of a successful attack. When it comes to the effectiveness of ransomware, organisations should follow the FBI recommendations, which will not prevent a successful attack but will reduce the impact of any attack. Finally, organisations should engage external experts to assist in reviewing their systems to identify what actions can be taken prior to an attack.
Postscript
This newsletter is an abridged version of an 18,000 word essay dealing with management responsibility in the protection of information assets, which will be published in a noted legal journal. If any reader is interested, the larger essay is available on request.
Adrian McCullagh: ODMOB Lawyers
ABN: 81 141 521 571
Email: Ajmccullagh57@gmail.com
Mob: +61 (0) 401 646 486
If you wish to subscribe or unsubscribe to this newsletter then please contact the author by email at the above email address.
IF YOU REQUIRE ANY IT LEGAL ASSISTANCE THEN PLEASE CONTACT THE AUTHOR BY EMAIL AT THE ABOVE EMAIL ADDRESS.
PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then they should seek appropriate legal advice. The author makes no warranty as to the correctness of anything contained in this paper. This paper is the sole opinion of the author and must not be relied upon as legal advice. Every situation is different and as such proper analysis must be undertaken when seeking a legal opinion. Consequently, the author takes no responsibility for any errors that may exist in this paper and certainly takes no responsibility if any reader takes any actions based on what is (expressly or by implication) contained in this paper. All readers take full responsibility for anything they may do in reliance on anything contained in this paper.