United States: Ransomware And Encryption Attacks - How Recent Attacks Can Inform Effective Prevention And Response Efforts

As organizations move towards the efficiencies of a "paperless office," the very same internet-facing technologies that help create a more efficient and productive workplace can also greatly increase the risk of suffering a significant ransomware or encryption attack. While a great deal of technical literature is available about encryption attacks and ransomware, the goal of this article is to provide simple and practical answers to the following questions:

  • Can my organization learn from recent encryption attacks to prevent an infection?
  • How can my organization be better prepared to respond to a successful attack?

Lesson 1: The critical importance of patching

SAMSAM (MSIL/Samas) health care sector attacks. The ransomware variant SAMSAM (aka MSIL/Samas) is publicly reported to have infected health care organizations through vulnerabilities in outdated "JBoss" software [1]. In addition to encrypting a network's active files, SAMSAM searches for file extensions and directories containing backup files. Once located, SAMSAM often successfully encrypts or deletes backup files before proceeding with its encryption of active files, thus creating a "perfect storm" of malicious design elements.

WannaCry — 99 countries affected with malware in 27 different languages. On May 12, 2017, malware known as WannaCry, WCry or Wanna Decryptor infected tens of thousands of users in as many as 99 countries. The requested ransom associated with the attacks was 0.1781 bitcoin, or roughly $300. WannaCry gained access to victim networks through one of two primary means: RDP compromise [2] or the exploitation of a critical Windows SMB vulnerability [3]. In addition, WannaCry's cryptographic loading method does not directly expose itself on disk, making it difficult to detect through most antivirus software scans. Interestingly, Microsoft released a security update for this "MS17-010" vulnerability on March 14, 2017, approximately one month before the widespread attacks referenced above.

The malicious binary Dharma. The ransomware variant Dharma is one of the more common in recent days, affecting numerous financial services and health care systems through its use of asymmetric cryptography [4]. There are two separate versions of the Dharma variant, both of which use a combination of AES and RSA ciphers. The AES technology produces a public key to execute the encryption. It targets text documents, graphics, databases, archives, audio, video, and other file types, and appends a custom extension to the names of the encrypted items. The RSA cipher then generates and encrypts a private key that the attacker stores on a remote command and control server. During encryption, the explorer.exe process can become unresponsive, and like most other variants, Dharma generates a ransom note on the server's desktop. Through a recent online leak of Dharma decryption software, an effective "decryptor" for Dharma is now widely available, obviating the need for the payment of a ransom in many cases.

Action Item: Review your organization's patching protocols. The number of known ransomware variants continues to grow as opportunistic attackers target vulnerable organizations through the use of modified code and refined attack forms. According to Verizon's 2017 Data Breach Incident Report, public administration organizations were the number one industry targeted by ransomware, with healthcare the second most targeted and financial services the third [5]. On a positive note, SAMSAM and WannaCry attacks have been largely curtailed through public education and aggressive software patching campaigns. Keeping software up to date, however, requires careful planning and diligence. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary infection vector in at least 95 percent of incidents was an unpatched vulnerability in an operating system, software, or plugin [6].

To prevent attacks through unpatched software, organizations should consider the use of a centralized patch management system. In addition, alerts from automated vulnerability scanning tools should be aligned to trigger an organization's internal patching processes. Other measures, such as application white-listing and software restriction policies, should also be implemented to prevent the execution of programs in common ransomware locations, such as temporary folders.
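The following Python is an added example, not code from the article or from any scanner vendor: it shows one way to turn scanner findings into a prioritized patch queue, ranking hosts by the conditions the article describes (a missing MS17-010 update with SMB reachable, RDP exposure, and unsupported JBoss with no patch available). The scan records, their field names and the host names are constructed assumptions.

```python
"""Turn vulnerability-scanner findings into a prioritised patch queue.

Added example, not from the article. SCAN_FINDINGS is a constructed scanner
export; its field names and the host names are assumptions.
"""

# Constructed scanner export: one record per (host, finding).
SCAN_FINDINGS = [
    {"host": "fs01", "exposure": "internal", "missing_patch": "MS17-010",
     "open_ports": [445, 3389]},
    {"host": "web02", "exposure": "internet", "missing_patch": "MS17-010",
     "open_ports": [445]},
    {"host": "jb01", "exposure": "internet", "product": "JBoss",
     "version": "4.2", "supported": False, "open_ports": [8080]},
    {"host": "hr03", "exposure": "internal", "missing_patch": "MS17-010",
     "open_ports": [3389]},
    {"host": "ws10", "exposure": "internal", "missing_patch": "KB-PLACEHOLDER",
     "open_ports": []},
]

# Patches the article describes as exploited by ransomware, mapped to the
# service port that makes the missing patch immediately reachable.
EXPLOITED = {"MS17-010": {445}}   # SMB, the WannaCry entry point
REMOTE_ACCESS_PORTS = {3389}      # RDP, the other entry point the article names
RANKS = {0: "emergency", 1: "urgent", 2: "scheduled", 3: "routine", 4: "none"}


def severity(finding):
    """Return (rank, reason); lower rank means patch first."""
    ports = set(finding.get("open_ports", []))
    internet = finding.get("exposure") == "internet"
    patch = finding.get("missing_patch")
    if patch in EXPLOITED and ports & EXPLOITED[patch]:
        if internet:
            return 0, f"{patch} missing and SMB reachable from the internet"
        return 1, f"{patch} missing and SMB reachable internally"
    if finding.get("supported") is False:
        product = f"{finding.get('product')} {finding.get('version')}"
        return (1 if internet else 2), f"unsupported {product}: no patch exists, isolate or upgrade"
    if patch and ports & REMOTE_ACCESS_PORTS:
        return 2, f"{patch} missing on a host exposing RDP"
    if patch:
        return 3, f"{patch} missing, routine patch cycle"
    return 4, "no actionable finding"


def build_patch_queue(findings):
    """Sort findings so the patch team (or a ticketing hook) works the top first."""
    rows = []
    for f in findings:
        rank, reason = severity(f)
        if rank < 4:
            rows.append((rank, RANKS[rank], f["host"], reason))
    rows.sort()
    return [(name, host, reason) for _, name, host, reason in rows]


if __name__ == "__main__":
    for name, host, reason in build_patch_queue(SCAN_FINDINGS):
        print(f"{name:10} {host:6} {reason}")
```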

Lesson 2: Control the use of administrative privileges

Petya malware — the attack on DLA Piper and others. On June 27, 2017, Petya malware spread across Europe and the United States, infecting international law firm DLA Piper, shipping giant Maersk, and several other global organizations. Instead of encrypting files one by one, Petya denied access to each infected system by attacking the network's master file table and rendering the entire file system unreadable [7]. These attacks are believed to have propagated through a legitimate software updater for the tax accounting software MEDoc, and through a separate watering hole attack [8] associated with Ukraine's municipal website, Bahmut. Significantly, the compromise of just a single set of administrative credentials enabled the spread of Petya malware across entire networks [9]. This highlights the critical need for organizations to both limit the granting of administrative credentials and to properly segment network environments.

Action Item: Strictly reduce accounts with administrative privilege. When attackers gain access to accounts with administrative privileges, they are able to access sensitive network data and further the exploitation of a network by installing keystroke loggers, sniffers, and remote control software to harvest additional data. To limit the chance an administrative account is compromised, administrative privileges should only be granted to those who need them to perform essential business functions. Audits of the use of administrative privileged functions should also be regularly conducted and monitoring should be employed to detect anomalous behavior on administrative accounts.
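As an added example (not from the article), the following Python implements the kind of monitoring the action item calls for: it flags an administrative account whose network logons fan out to many hosts within a few minutes, the footprint a single compromised credential leaves when it is used to spread across a network as in the Petya case. The events are constructed to mimic Windows logon records (Event ID 4624, logon type 3); the account names, host names and thresholds are assumptions.

```python
"""Flag administrative accounts that fan out across many hosts in a short window.

Added example, not from the article. EVENTS is a constructed list shaped like
Windows logon records; ADMIN_ACCOUNTS and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event id, account, target host, logon type).
# Logon type 3 is a network logon; type 10 is an interactive remote session.
EVENTS = [
    ("2017-06-27T10:00:05", 4624, "CORP\\svc-backup", "fs01", 3),
    ("2017-06-27T10:01:10", 4624, "CORP\\admin-jdoe", "ws10", 10),
    ("2017-06-27T10:02:30", 4624, "CORP\\admin-jdoe", "ws11", 3),
    ("2017-06-27T10:02:41", 4624, "CORP\\admin-jdoe", "ws12", 3),
    ("2017-06-27T10:02:52", 4624, "CORP\\admin-jdoe", "fs01", 3),
    ("2017-06-27T10:03:04", 4624, "CORP\\admin-jdoe", "db02", 3),
    ("2017-06-27T10:03:15", 4624, "CORP\\admin-jdoe", "hr03", 3),
    ("2017-06-27T10:15:00", 4624, "CORP\\jsmith", "ws20", 2),
    ("2017-06-27T11:30:00", 4624, "CORP\\svc-backup", "fs02", 3),
]

# The privileged accounts produced by the audit the article recommends.
ADMIN_ACCOUNTS = {"CORP\\admin-jdoe", "CORP\\svc-backup"}


def fan_out_alerts(events, admins, window=timedelta(minutes=5), max_hosts=4):
    """Return (account, window start, hosts) for every admin account that made
    network logons to more than `max_hosts` distinct hosts inside any sliding
    interval of length `window`."""
    per_account = defaultdict(list)
    for ts, event_id, account, host, logon_type in events:
        if event_id == 4624 and logon_type == 3 and account in admins:
            per_account[account].append((datetime.fromisoformat(ts), host))

    alerts = []
    for account, logons in per_account.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Slide the window forward until it spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append((account, logons[start][0].isoformat(), sorted(hosts)))
                break  # one alert per account is enough for a triage queue
    return alerts


if __name__ == "__main__":
    for account, since, hosts in fan_out_alerts(EVENTS, ADMIN_ACCOUNTS):
        print(f"{account} reached {len(hosts)} hosts from {since}: {', '.join(hosts)}")
```

A real deployment would read these fields from the domain controllers' security logs or a SIEM rather than a list, and the admin set would come from the privileged-account audit itself.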

Action Item: Apply the principle of network segmentation. Categorize and separate your organization's data based on its value or on its importance to operations. In addition, implement virtual environments and the physical and logical separation of networks and data where possible. In other words, separate your organization's data and restrict permissions and accesses to limit the potential damage that can result from an attack.

Lesson 3: Create an incident response plan that includes specific planning for encryption attacks

In the aftermath of a successful encryption attack, an organization will be unable to access important files or information within its network. For example, in the recent spate of Petya attacks, DLA Piper employees were without access to email or telephone systems for days. In addition, the firm's information technology team preemptively shut down many unaffected systems to limit the spread of the malware.

One of the critical questions regarding your organization's preparedness to withstand a significant encryption attack should be, "Can my organization conduct its most 'mission essential' functions without access to email, the internal document system, or any other of the firm's digital information?" In other words, after your firm activates its incident response plan and remediation efforts are underway, the question you may be faced with is whether your employees can operate under "Code White" conditions — that is, can your organization temporarily function without its usual network of computers? In the most extreme example, that might mean conducting all operations manually — hence the reference to the use of white paper notepads and pens and pencils.

Action Item: Update and revise your organization's incident response plan. While it may seem unnecessary or unrealistic to prepare for a scenario in which a large portion of your network has been rendered inaccessible, consider that the crippling attacks on Sony Corp. [10], Saudi Aramco [11], or Maersk and DLA Piper are increasingly within the realm of possibility. In each of those events, the organization's critical infrastructure was severely damaged and employees could not access the digital information necessary to conduct even the most basic daily business activities. A well-crafted incident response plan should therefore contemplate either partial or complete encryption scenarios and provide for immediate access and current and accurate information regarding:

  • Designated first response staff (including key stakeholders, such as IT, legal, financial, HR, insurance, risk/compliance, corporate communications/public relations);
  • Pre-positioned supplies and resources [12] to allow mission essential functions to continue;
  • Plans to engage key personnel and vendors to restore affected segments of the network from backup data; and
  • Plans to transition back to normal operations when the incident has been mitigated.

Action Item: Review your organization's backup protocols. Effective backup protocols are absolutely critical to surviving a significant encryption attack. Utilize a backup system that allows multiple iterations of the backups to be saved, in case a backup copy becomes encrypted or the files within the backed-up data are otherwise infected. Routinely test backups for data integrity and ensure that your technical staff is both trained on data recovery and integrated into your organization's incident response plan (IRP). Training through tabletop exercises is an effective means to ensure that the organization's operational plan to restore affected parts of the network will function properly when it is most needed.
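The following Python is an added example, not from the article or any backup product, of the integrity test this action item asks for: each backup generation gets a hash manifest when it is taken, and before a restore the generation is re-checked for missing files, hash mismatches, files that have turned into high-entropy ciphertext, and the appended extension that variants like Dharma and SAMSAM leave on files they reach. The sample generations are built in a temporary directory; the file names, manifest format, ".locked" suffix and entropy threshold are assumptions.

```python
"""Verify a backup generation against the manifest recorded when it was taken.

Added example, not from the article. File names, the manifest format, the
".locked" suffix and the entropy threshold are assumptions; the sample backup
generations are constructed in a temporary directory.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

MANIFEST = "MANIFEST.json"


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def entropy_bits(data):
    """Shannon entropy per byte: text sits well below 7.5, ciphertext near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(backup_dir):
    """Record the hash of every file at backup time; keep a copy off the network."""
    names = sorted(n for n in os.listdir(backup_dir) if n != MANIFEST)
    manifest = {n: sha256(os.path.join(backup_dir, n)) for n in names}
    with open(os.path.join(backup_dir, MANIFEST), "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Return a list of problems; an empty list means the generation is restorable."""
    problems = []
    for name, digest in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing from backup")
            continue
        if sha256(path) != digest:
            problems.append(f"{name}: hash mismatch")
        with open(path, "rb") as fh:
            if entropy_bits(fh.read()) > entropy_threshold:
                problems.append(f"{name}: looks encrypted")
    # Files that were not there at backup time: renamed originals or droppings.
    extra = set(os.listdir(backup_dir)) - {MANIFEST} - set(manifest)
    for name in sorted(extra):
        if any(name.startswith(known + ".") for known in manifest):
            problems.append(f"{name}: extension appended to a known file")
        else:
            problems.append(f"{name}: not in manifest")
    return problems


def pick_restorable(generations):
    """generations is [(label, dir, manifest)] newest first; return the newest clean one."""
    for label, path, manifest in generations:
        if not verify_backup(path, manifest):
            return label
    return None


def demo():
    """Build two generations, damage the newest the way a reachable backup is
    damaged (content replaced by ciphertext, extension appended), and return
    the label the restore team should use."""
    root = tempfile.mkdtemp()
    gens = []
    for label in ("gen1", "gen2"):
        d = os.path.join(root, label)
        os.mkdir(d)
        with open(os.path.join(d, "ledger.txt"), "w") as fh:
            fh.write("invoice 1001 paid\n" * 50)
        gens.append((label, d, write_manifest(d)))
    _, d, _ = gens[1]
    os.remove(os.path.join(d, "ledger.txt"))
    with open(os.path.join(d, "ledger.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
    return pick_restorable(gens[::-1])  # newest generation first
```

Keeping the manifest alongside the backup is only a convenience for the demo; a copy that the backup host cannot write to (offline media or a write-once store) is what makes the check trustworthy after an attack.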

Other Helpful Action Items: The Center for Internet Security and the MS-ISAC offer the following additional guidance to help you secure your network and to prevent or limit the damage from a successful encryption attack:

  • Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs authorized to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
  • Disable macro scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications. These macros are a frequent encryption attack vector.
  • Restrict internet access. Use a proxy server for internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
  • Vet and monitor third parties that have remote access to the organization's network and/or your connections to third parties to ensure they are diligent with cybersecurity best practices.
  • Participate in cybersecurity information sharing. Programs and organizations, such as MS-ISAC and the FBI's InfraGard and Domestic Security Alliance Council can provide the latest guidance on best practices, advisories, and information on the latest ransomware and encryption attacks.
  • Establish relationships with federal law enforcement/national security organizations. The FBI maintains Cyber Task Forces in each of its 56 field offices nationwide. The United States Secret Service maintains a nationwide network of 46 Electronic Crimes Task Forces as well. These organizations publish additional bulletins and advisories based on trends culled from active cyber investigations. These materials, as well as access to periodic roundtables and working groups, can be obtained free of charge by contacting your local field office and requesting to be placed on cyber advisory distribution lists [13].


In today's digital environment, organizations should plan for the possibility, or even the eventuality, of a ransomware or encryption attack. While the likelihood of an attack is greater now than at any time in the past, employing a multi-layered cyber defense that carefully implements the 20 industry-standard critical cyber security controls [14] will greatly reduce the likelihood of a significant encryption attack. This data security posture will also prepare you to more quickly recover from an attack which encrypts all or part of your organization's network.


[1] The JBoss vulnerability, which proved to be the vector of intrusion in the recent SAMSAM attacks, was an open source version of software used to implement Java and other web-based applications. Many victims were unaware that this unpatched version of JBoss was even running within their environments.

[2] RDP, or Remote Desktop Protocol, is a proprietary Microsoft network communications protocol designed to facilitate remote access to virtual desktops, applications, and servers.

[3] The Server Message Block (SMB) Protocol is a network protocol whose main purpose is to enable file sharing. For more, see Microsoft SMB Protocol and CIFS Protocol Overview: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

[4] According to the SANS Institute, asymmetric cryptography is a modern type of "public key" cryptography in which the algorithms employ two different keys (a public key and a private key) and use a different component of the key pair for different steps of the algorithm.

[5] See: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

[6] See: https://www.cisecurity.org/white-papers/technical-white-paper-timely-patching-reduces-system-compromises/

[7] See: https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

[8] A watering hole attack is one in which the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.

[9] See Cyber Alert: Petya Ransomware, June 28, 2017: https://www.cisecurity.org/cyber-alert-petya-ransomware/

[10] See "Hackers Lay Claim to Saudi Aramco Attack": https://mobile.nytimes.com/blogs/bits/2012/08/23/hackers-lay-claim-to-saudi-aramco-cyberattack/

[11] See "U.S. Said to Find North Korea Ordered Cyber Attack on Sony": https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html

[12] For example, to be able to effectively function following a significant encryption attack, the following items might be prepositioned in a strategically designated location to enable the firm's critical tasks to continue: laptops for key personnel with preloaded macros and software, copies of staff directories and other important contact information, updated customer lists, critical billing information, and other important reference materials.

[13] For more information about FBI programs like InfraGard and the Domestic Security Alliance Council, see: https://www.fbi.gov/about/partnerships/office-of-private-sector, or contact your local FBI field office directly. To locate one of the 46 US Secret Service's Electronic Crimes Task Forces, see: https://www.secretservice.gov/investigation/

[14] For more information on the 20 critical cyber security controls, see: https://learn.cisecurity.org/benchmarks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
