The Threat of Ransomware to Private Equity Firms

As noted by one well-known commentator in the cybersecurity space, Graham Cluley, “Online extortion – whether it be by ransomware encrypting victims’ files and locking up computers, or demanding payment to stop blasting websites offline through denial-of-service attacks – is surging and only likely to get worse in the next six months. Unless companies take steps now to reduce the risks with a layered defence and recovery procedures they may find themselves struggling to cope.” (Source: “Cyber criminals turn to ransomware as victims pay out,” ITProPortal, January 26, 2016.) The problem with ransomware today is that it is insidious. What is ransomware? Ransomware is a variant of malware that encrypts your files, or even your entire network, until you pay the attacker a “ransom” (most likely in untraceable bitcoin).

Under the rubric of ransomware sit other variants of malware that steal your data rather than encrypt it. You might then receive an email from the attacker demanding payment in exchange for the return of your data. Unless payment is received, the attacker may post your data (say, your limited partner information, which might include highly confidential details) on a public website for everyone to see. Faced with reputational damage, the firm involved might decide to pay the ransom. Of course, this is fine until three months later, when the attacker comes back, steals further information and then doubles or triples the ransom.

From a “how do they do it” perspective, most attackers spread ransomware through socially engineered spearphishing, where an unsuspecting employee gets a very authentic-looking email from his bank, his gym or even a “co-worker” asking him to open the attached file (which turns out to be laced with malware). Other ransomware campaigns start with a distributed denial of service attack, which distracts IT and others in the firm while the attackers enter through a backdoor and spread the malware across the network. Sneaky, but efficient. It usually works.

What can be done to avoid or minimize these risks?

  1. Employee training and awareness related to spearphishing. As we say to clients, “please don’t click on the link.”
  2. Patch all known vulnerabilities that give an attacker a foothold in your network. Many announced vulnerabilities go 30-60 days before being fixed, some longer. One recent study by the Online Trust Alliance noted that, “a whopping 91% of data breaches that happened from January to August 2015 could have easily been avoided had servers and software been patched, or if the data had been encrypted, or had employees not lost their laptops.”
  3. Religiously back up your network so that, if your files end up encrypted, you can refuse the ransom request, restore your systems from backup and move on.
  4. Finally, run penetration tests and red team drills to ferret out known vulnerabilities in your network so that they can be fixed before they do harm.