‘Ransomware’ Emerges As A Major Threat To IP Ownership

Criminals are increasingly blocking access to digitised intellectual property and then charging their victims ransom to get it back, as “ransomware” attacks become increasingly common and sophisticated.

Organisations often tend not to report when they were forced to pay ransom after their data was compromised, while analysts say data analysis and isolated incidents that organisations have reported point up to a surge in the number of attacks.

According to the US-based Institute for Critical Infrastructure Technology (ICIT), Kaspersky, Covenant Security Solutions, Forcepoint, GRA Quantum, Trend Micro, and Securonix are among the security firms that forecast a “dominant resurgence,” of ransomware attacks this year. The US Federal Bureau of Investigation (FBI), for example, said perpetrators were able to exhort US$209 million in ransomware attacks during the first three months of 2016 alone.

Perpetrators tend to concentrate their attacks in wealthy and Internet-connected countries such as the United States, Japan, Germany, and the United Kingdom where victims have greater means to pay ransom, compared to poorer countries. In the US, Hollywood Presbyterian Medical Center in Hollywood, California was forced to pay $17,000 in bitcoin ransom in February to retrieve data from its laboratory, radiology, emergency room, and pharmacy networks, according to ICIT.

Earlier this year, Methodist Hospital in Henderson, Kentucky, in the US reported that it was locked out of accessing data from its server and PC network and sought help from the FBI about whether to pay ransom or not to retrieve the data.

Attackers generally infiltrate networks with the help of unsuspecting victims who install malware on a network. The malware typically infects networks after a user opens a seemingly innocuous link on a website or a file sent as part of a phishing scheme, often from a user whose email account was pirated. The malware then proceeds to infiltrate the network, initially without the IT administrator’s knowledge.

During the initial phases, the malware will access databases that archive intellectual property, as well as other valuable information such customer data, accounting information, or personnel files and then encrypt them. The perpetrators will often distribute denial of service (DoS) attacks on the network as well to create a further sense of urgency among its victims to pay ransom more quickly, typically in the bitcoin virtual currency, in order to unlock the encrypted files.

“The software can then sit there for ages – the user forgets that they have done anything, and as nothing has happened, they haven’t called the help desk or done anything,” Clive Longbottom, an analyst for Quocirca, told Intellectual Property Watch. “So, when it starts to do its nasty work, the user has no idea what has happened and tends to let it run for too long before they do anything, such as ripping out any network cables or hitting the off button.”

Unfortunately, there is not a lot organisations can do once their intellectual property becomes encrypted on a server or PCs and is held for ransom. It was widely reported that FBI assistant special agent Joseph Bonavolonta, who heads the FBI’s CYBER and Counterintelligence Program in Boston, recommended that victims pay the ransom, while speaking at the 2015 Cyber Security Summit. He later partially retracted the statement, while adding that ransomware should be paid only when necessary.

“If an organisation’s IP is held for ransom, there is little that they can do and they are truly held hostage to the whims of the adversary,” James Scott, co-founder and senior fellow of ICIT, told Intellectual Property Watch. “Even if they pay the ransom, there’s still, at most, a 50 percent chance they’ll regain access to their data.”

Once attacked, an organisation’s legal department or outside counsel should obviously become involved. Criminal complaints should also be filed in the respective country of the attacks.

In France, for example, victims should inform the Brigade d’Enquête sur les Fraudes aux Technologies de l’Information (BEFTI), Nicolas Maubert, an attorney for the Paris-based law firm Rive Droit who is specialized in intellectual property and patent law told Intellectual Property Watch. “We have good contacts with these guys,” Maubert said. “Very often, though, their investigations lead them to hackers who are outside France. I have heard that often, [attackers] originate from Africa, and it is difficult to catch them.”

The best defence against ransomware attacks is to improve security since the options are limited for what can be done once data is held for ransom. Defensive measures include better data protection and analysis, awareness and understanding of how these attacks are becoming more sophisticated, and especially, making backups.

“Any organisation in possession of valuable data such as IP should make a habit of backing up their data in real time, offering training to staff on the basics of cyber-hygiene and they should absolutely layer their security so that they can detect, respond, and predict threats,” Scott said. “The technology is readily available to do this, executives at these companies need to simply make the effort to make use of them.”

However, aside from keeping data isolated on a system that is not connected to the internet and relying on other radical security measures, intellectual property sitting on servers and PCs remain at risk, even if enterprises have advanced security systems in place.

“The chances of having an off-site, air-locked, near-time backup capability is virtually zero – so sign up for bitcoin and pay the fee,” Longbottom said. “Unless, of course, it is a fairly old ransomware program, in which case, there are probably some keys on the web that could unlock the data. The trouble is finding a trustworthy source.”

In the future, ransomware attacks on intellectual property are also expected to become more prolific and advanced.

“In the future, adversaries will become more stealthy and sophisticated with the vectors they use to deliver their malicious payloads. Ransomware and malware will continue to be delivered by the easiest vector to exploit at that is spear phishing,” Scott said. “The emails will be less riddled with grammar and spelling errors that were previously present in the spoofed messages used to get staff to click on a malicious link. The messages will be perfectly crafted from grammar, spelling and syntax, down to a spoofed ‘from’ name and URL so that it resembles the most realistic scenario for their target.”