Ransomware

When ransomware affects a business, it can block access to important software and data for days. Not only does this disrupt the company that was attacked, but it can also affect the customers and clients who rely on it.

Many forms of ransomware can be prevented by implementing basic cybersecurity measures, but too many companies fail to do so.

Ransomware is a form of malware that encrypts all or some of a computer’s data, blocking access until payment is made. Theoretically, once a victim pays the ransom, they will receive a decryption key that will restore their files.

Many forms of ransomware can be prevented with the right cyber protection infrastructure in place. But companies often fail to secure their networks or properly train employees on how to detect cyber security threats. When they are hit with a ransomware attack, business can grind to a halt as they work to recover their data, not just affecting their bottom line but often causing financial losses for their customers as well.

If a company doesn’t adequately protect against a ransomware attack and fails to provide services promised to the consumer, they may be liable for damages. If you were financially affected by a company’s ransomware attack, contact us for a free, no-obligation legal review.

How Does Ransomware Work?

There are two main types of ransomware: crypto ransomware and locker ransomware.

Crypto ransomware blocks access to specific files or data. Once the ransomware is installed, it will encrypt (or lock) data it finds valuable, usually without the victim's knowledge. When the victim is notified of the ransomware, it’s too late: their files can only be unlocked with a decryption key received upon payment of the ransom.

Locker ransomware locks the entire device. This form of ransomware typically uses pressure tactics, like masquerading as law enforcement after a user visits a questionable site, in order to extract payment.

Because locker ransomware typically only affects the front interface of a device, leaving the files and data behind untouched, tech-savvy victims can sometimes find ways to remove the malware without paying a ransom. But ransomware is evolving, and more advanced forms now use crypters (software that can encrypt and manipulate malware) so that it’s difficult to reverse engineer the ransomware.

A variant of locker ransomware is “scareware”—when a computer isn't infected with malware, but criminals lie to try to get users to pay a ransom anyway. Usually, these messages go away if the user simply restarts their computer.

Ransomware is so common now that even criminals who aren’t tech-savvy can purchase ransomware toolkits from other criminals. These off-the-shelf ransomware programs include popular strains like CryptoLocker, CryptoWall, Locky, and TeslaCrypt.

How Does Ransomware Infect Computers?

A common method of infecting computers with ransomware is through phishing scams. These are emails masquerading as legitimate companies or people to trick recipients into clicking on malicious links and attachments. For example, a cyber criminal may use an email address that looks like the CEO’s or IT department’s and request that an employee open a particular document or visit a certain website. Once the victim does click the link or download the attachment, the malware infects their computer.

"Malvertising" is a variation of phishing scams. Attackers embed malicious software into online advertisements hosted on reputable sites. When a visitor clicks on the advertisement, the malware is downloaded to their computer.

Phishing is becoming a less popular method of spreading ransomware as individuals become more knowledgeable about how to spot these threats. Cyber attackers are now installing the malware themselves by exploiting network and software vulnerabilities.

For example, the WannaCry ransomware spread through a vulnerability in Microsoft Windows' file-sharing protocol, Server Message Block (SMB). Cyber attackers also exploited Remote Desktop Protocol (RDP) systems that were open to the Internet, putting small businesses that outsource IT support at risk of a ransomware attack.

If ransomware can infiltrate one computer, it can infect every other computer on the same network if an organization doesn't shut it down quickly enough. Experts recommend that businesses use multiple servers and networks to minimize damage in the event of a ransomware attack. 

What is the Average Cost of Ransomware Damage?

Though data breaches seem to get more press, ransomware attacks are actually more common. Between 2005 and March 2016, there were 7,600 ransomware attacks reported to the Internet Crime Complaint Center compared to only 6,000 data breaches.

In 2016, cyber criminals extorted roughly $1 billion from ransomware attacks. And the number of attacks targeting corporations is only rising: Between April 2015 and March 2016, there were 718,000 crypto-ransomware attacks, compared to only 131,000 attacks in the previous year.

When businesses are hit with ransomware attacks, the effects are much more serious than just paying an unexpected ransom and moving on—it can disrupt the organization for days.

Seventy-two percent of businesses lose access to their files and other data for at least two days. One-third will suffer five days or more without access to their data. Each day a business spends grappling with a ransomware attack can result in $5,000-$20,000 in damages from lost business.

In 20% of cases, even if a business is desperate and does pay the ransom, it won’t get its files back. After all, when working with criminals, nothing is ever guaranteed.

What Was WannaCry?

With ransomware attacks on the rise, it’s imperative that businesses do everything they can to prevent cyber criminals from breaching their networks. When businesses leave their servers and networks vulnerable to outside threats, they put the security of the personally identifiable information (PII) of their customers and employees at risk, and leave their business and the lives of their customers susceptible to major disruption.

Despite high-profile ransomware cases and warnings, companies still fail to properly secure their networks. The WannaCry ransomware attack that swept 100 countries around the world in 2017 is a perfect example of this, since it could have been prevented by installing a Microsoft security update.

WannaCry targeted the file-sharing protocol Server Message Block (SMB) on Windows systems. Microsoft released a free security update that addressed the vulnerability two months before WannaCry spread, but many companies failed to install the patch. As a result, organizations as diverse as FedEx, Honda, the National Health Service in England, and the Chinese Public Security Bureau were disrupted as they tried to restore their data.

Why Is the Healthcare Industry Vulnerable to Ransomware?

Hospitals and other healthcare providers are prime targets for ransomware attacks because they don’t have the luxury of waiting for a fix and are therefore more likely to pay a ransom.

In 2016, a strain of the Locky ransomware affected Hollywood Presbyterian Medical Center. The hospital was offline for more than a week until they paid $17,000 (or 40 bitcoin) to restore patient data.  

One month later, SamSam ransomware caused MedStar Health to shut down the computers and email across its 10 hospitals and 250 outpatient clinics in the Washington, D.C. area. It was believed that the ransomware accessed the network via an improperly installed server.

SamSam ransomware was also responsible for two high-profile healthcare attacks in early 2018. Hancock Health, a hospital in Indiana, was infected with the malware on January 11. Hackers encrypted and renamed all of the hospital’s files to “I’m sorry.” The hospital paid a $55,000 ransom to recover the data.

One week later, attackers crippled the Allscripts healthcare IT system. Allscripts is an electronic health records vendor that manages patient records, prescriptions, billing, and more for its thousands of medical care clients.

When SamSam infected Allscripts servers in Raleigh, North Carolina and Charlotte, South Carolina, Allscripts shut down access to electronic health records and prescription services for roughly 1,500 clients. Many clients, like Surfside Non-Surgical Orthopedics, were forced to turn patients away as they were unable to access patient records, billing, or prescription services. Some users were unable to access the network for more than a week.

These financial losses prompted Surfside Non-Surgical Orthopedics and similarly affected medical providers to file a class action lawsuit against Allscripts for their cyber security negligence. The lawsuit seeks enhanced cybersecurity measures and damages for the loss of revenue. ClassAction.com attorney John Yanchunis is representing class members.

Were You Affected by a Ransomware Attack?

If you suffered financial losses because of a company’s failure to prevent a ransomware attack, you may be eligible to file a lawsuit. Our attorneys are not just leaders in this practice area, but they are actively shaping it. ClassAction.com filed the first ransomware class action lawsuit in the U.S., and attorney John Yanchunis has served as lead counsel in some of the largest data breach lawsuits in history, including against Equifax and Yahoo.

Contact us today for a free legal review. It never costs a thing unless we win a verdict or settlement for you.