ABN: 81 141 521 571 8/26/2016 Edition 2016 Volume 2

Ransomware: Strategies to avoid Capture
Next issue (Edition 2016 Volume 3): BYOD arrangements: staff rules and the legal risks involved.

Introduction

The use of computers has become so pervasive that most, if not all, businesses in developed countries have become totally dependent upon the use of computer technology and the availability and integrity of the information stored and manipulated by computer systems. This dependency is no longer limited to domestic relationships. Through the advent of the internet and its ever growing influence, the combination of computer technology with telecommunications technology has extended the use of the computer from the personal environment to the commercial environment with global reach. Computers are now able to communicate relatively easily over great distances through large distributed networks. They can now facilitate electronic commerce transactions not only domestically but also internationally. Organisations such as Amazon, Netflix, AirBNB and Uber have taken substantial advantage of this connectivity and have disrupted traditional businesses such as bricks & mortar retail stores (for example, traditional book stores like Borders no longer even exist, and the same situation impacted Blockbuster video stores through the advancement of Netflix). Further, the criminal sector of society no longer relies on physical presence but has also taken advantage of this connectivity to engage in new crimes. One fairly new criminal activity has been the proliferation of ransomware.

Ransomware: What is it?

Ransomware is basically the sending of malware (malicious software) that will, when activated, encrypt the victim’s data so that the victim no longer has access to that data. The data is still located on the victim’s computer system but the victim is not able to process it as it has been encrypted by the ransomware. Recently, there has been a substantial increase in ransomware attacks.

The first known ransomware attack occurred more than 27 years ago and was identified as the AIDS Trojan. The implementation of this attack involved symmetric cryptography, and the instigator of this attack was Joseph Popp, who demanded payment of US$198. Popp was caught and prosecuted but was later determined to be unfit to stand trial. Seven years after this first attack, Young and Yung coined the term “cryptovirology”, which has morphed itself into ransomware. At the 1996 RSA conference, Young and Yung showed how public key cryptography could be used to encrypt third party data and systems so as to hold the afflicted party to ransom. The afflicted party would have to pay a small fee in order to gain access to their vital data. This was the birth of modern ransomware. The attack vector has been the proliferation of
email across many millions of computers. But the initial ransomware attack had a vital flaw in that it still required some form of payment. Initially, the payment was in physical money (fiat currency), which required there to be some form of physical delivery of the cash. This exposed the criminals to a risk of being caught at the time of collection. Obviously, this was an unacceptable risk for most criminals. In 2013, criminals combined ransomware (CryptoLocker) implementations with bitcoin, a virtual currency that has pseudo-anonymous characteristics. Through the use of bitcoin as the payment mechanism, criminals were able to be paid quickly for their ransomware activity and in a pseudo-anonymous manner. The advantage of bitcoin payments is that the criminals could undertake this crime without ever setting foot in the victim’s jurisdiction. Therefore, the risk of being caught was substantially reduced, and since 2013 the proliferation of ransomware has expanded exponentially. It should be understood that bitcoin is not completely anonymous, as it is possible to trace the bitcoin conversions into fiat currency. This is known as on-ramp and off-ramp monitoring, which is where law enforcement agencies concentrate their activities, especially for money laundering and counter-terrorism financing.

It has been estimated that on average each internet connected business person in an organisation (any organisation) will have been sent 58.9 spam emails on a daily basis. On average, good spam filters will remove approximately 90% of spam emails. So on a daily basis each person in an organisation will actually receive 5.52 spam emails that have escaped the spam filter. Note this is just spam email. Spam email may only account for 4% or less of the total emails actually received by an employee on any given day. That is, in total, an employee, depending on their job position, may receive more than 120 emails per day. At the human resource level, a small business with say 30 employees has to deal with 165 spam emails (30 x 5.52 spam emails) on a daily basis that have reached a human recipient. Not all of those spam emails will contain ransomware. Let’s say 0.1% as a very conservative approach. That results, on average, in an organisation comprising 30 staff who are connected to the internet receiving on a fortnightly basis (10 working days) about 1.65 spam emails that will contain ransomware. Consequently, over a year the small business can expect approximately 43 ransomware infected emails reaching at least one of their employees. The example above only deals with a small business with 30 employees. Consider the situation of an organisation like a bank or a government agency that has many thousands of employees, with the possibility of just one person being distracted for a moment and, due to that distraction, activating a ransomware. Now criminals can buy on the dark web email lists that contain millions of captured email addresses. In fact, on the dark web criminals can purchase email harvesting applications
that can target a particular organisation to scrape all of the email addresses from the target’s email server. From that point on, the cost to the criminal is the cost of developing/writing a plausible spam email that will not be captured by a spam filter and hopefully will be activated due to some human failure. There is no cost in sending the email, which is the criminal’s greatest economic advantage. If any employee of an organisation fails to recognise the infected email and clicks on any link or document embodied in the infected email then the ransomware will be activated. Consequently, the effectiveness of ransomware is a numbers game, and due to the work pressures many employees of organisations are under there is a real possibility of success for the criminal. In essence, ransomware success will principally be due to a lapse in concentration at the human recipient level.

Kaspersky Research labs released its 2015 report on ransomware that included the disturbing graph detailed in Annexure A. Note that each bar only accounts for a 3 month period. Hence in just the last quarter of 2015, there were globally more than 337,000 ransomware attacks which were identified. Any one of these could have been successful for the perpetrators. On a quarterly basis, there is a 27% increase compounded, which means that on an annual basis the growth of ransomware is nearly tripling. Hence, for the last quarter of 2016 it is expected that the number of ransomware incidents globally will reach approximately 1 million attacks. At the time of the release of this newsletter, the price of a bitcoin is US$580 and it is not uncommon for the ransom to amount to 2 bitcoins (US$1,160), though a recent attack on a North American hospital required the payment of 25 bitcoins (US$14,500). As can be readily identified, ransomware is a very lucrative activity due to the simplicity of the attack, low cost implementation and reduced risk through bitcoin payment.

Management’s Fiduciary Obligations

Directors are under various duties to act in the best interests of the company as a whole. This duty includes an obligation not to misuse or endanger property belonging to the company. This prompts an investigation of what precisely is incorporated in the scope of the term “property”. Clearly, physical assets of a company will be property; however, questions remain as to the classification of certain intangible assets. Of particular concern is whether the information accumulated and stored in a company’s IT system will generally be regarded as property of the company. Latham CJ addressed the issue of information as “property” in The Federal Commissioner of Taxation v United Aircraft Corporation by exploring the value of knowledge as a commodity. Although recognising that knowledge is valuable, particularly knowledge that is kept secret, his Honour did not believe it to be property in a legal sense. Despite this position in Australia as to the rejection of confidential information being classified as property, Courts in other jurisdictions such as the USA have declared confidential information to be property.
Further, even in Australia, the Federal Court in ASX v. Pont Data acknowledged the monetisation that exists in trading information. Consequently, even though confidential information may not in Australia be classified as property, it is a commercial asset that the law will impose upon management the fiduciary duty to protect. As Viscount Haldane LC said in Lennard’s Carrying Company Ltd v. Asiatic Petroleum Company Ltd.:

“My Lords, a corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who for some purposes may be called an agent, but who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation. That person may be under the direction of the shareholders in general meeting; that person may be the board of directors itself…”

The relationship between a director and company is one of the categories of relationships considered by the Courts to be fiduciary. Mason J (as he then was) in Hospital Products Ltd v United States Surgical Corporation succinctly stated the general position concerning fiduciaries as:

The critical feature of these relationships is that the fiduciary undertakes or agrees to act for or on behalf of or in the interests of another person in the exercise of a power or discretion which will affect the interests of that other person in a legal or practical sense. The relationship between the fiduciaries is therefore one which gives the fiduciary a special opportunity to exercise the power or discretion to the detriment of that other person who is accordingly vulnerable to abuse by the fiduciary of his position.

The duty owed by a director to the company in equity requires the director to act honestly, in good faith and to the best of his or her ability in the interests of the company, to the exclusion of all other interests. This duty also incorporates negative duties, such as the duty to avoid conflict and the duty not to secretly profit from their position. This standard of duty of business and professional conduct should be ascertained objectively by taking into consideration:

(a) What the industry norm is for the corporation;
(b) What standards, if any, have been adopted or endorsed by industry bodies of which the corporation is a member;
(c) What codes of conduct have been endorsed or developed by relevant industry bodies;
(d) What commercial environment the corporation operates in and therefore what the best practice rules governing that environment are.

If management, which obviously includes the directors of an organisation, do not implement appropriate security standards then they could be held accountable for any loss that arises out of a hacker attack, including a ransomware attack. Consequently, what should management do to reduce the risk of a successful attack?
Management’s Actions to reduce the Risk of Ransomware

The law does not require management or company boards to internally have the skills to implement the complex aspects of IT security. IT security is a complex topic which requires specialist skills that involve not only technical skills but also legal knowledge. Section 180(2) of the Corporations Act deals with the business judgement rule, which insulates directors from liability where they have acted in good faith by accepting the advice of an external expert. Therefore, it is highly recommended that boards take advantage of this safe harbour by regularly seeking IT security legal advice in their deliberations concerning the protection of corporate information.

The management of a corporation should follow the AIC model of security. AIC stands for:

• Availability of the information/data. This is the highest priority. If the information is not available for use then the remaining 2 criteria are irrelevant.
• Integrity of the information. Management must have confidence that the data which they are processing is complete, correct and up to date. Their corporate decisions will be based upon the integrity of the information processed.
• Confidentiality of the information. The data/information should be classified to determine what security framework needs to be implemented. Some data may be classified as open data and can be accessed by anyone either at no cost or for a minor stipend. Other data may be classified as commercial in confidence or board members only.

Consequently, the impact of a successful ransomware attack is that the corporation’s vital data will no longer be available. It is imperative that all corporations have a ransomware strategy in place.

It is proposed that the following strategy, as a minimum, should be considered:

• Patch Management Procedure: All corporations should have a patch management procedure that is regularly reviewed. Management should not just assume that the patch management procedure is automatically being done. It is not a set and forget mechanism once it is set up. Patch management procedures should be regularly reviewed in order to determine that they:
  o Are effective from both a cost perspective and a time perspective;
  o Actually work. That is, they should be tested to ensure that all patches are up to date. This can be achieved through a review of audit logs.
• Train staff: There are literally many hundreds of academic papers identifying that the weakest link in IT security is the human element. Staff training obviously needs to be undertaken as part of the induction process, but all staff should be retrained on a regular basis. Refresher courses should be part of standard procedures in the same way fire drills are ingrained into the employee psyche. In particular, there should be particular attention to the prohibition on downloading any attachments that employees are not expecting, even if they know the sender’s name. It is best to train employees that if they receive an email with either an attachment or a link from
someone they know but were not expecting, they should telephone that sender just to make sure that they actually sent the relevant email. Some criminals are now undertaking email address harvesting and then sending ransomware to the various harvested email addresses. Email address harvesting involves a small bot that will copy a person’s contact list (victim A) and FTP it to the criminal. The criminal then knows who to send the ransomware to and does so by spoofing victim A’s email address.
• Implement appropriate security measures: It is important that corporations deploy at least:
  o Up to date firewalls, anti-virus software, intrusion detection systems and, where appropriate, data loss prevention systems;
  o Regular backup procedures, with tests that the data/system environment is capable of being recovered in a timely manner;
  o Business continuity procedures and disaster recovery procedures. In particular, staff should know who is to take control and what tasks they need to do to ensure that the environment is able to be fully functional in a timely manner.

In addition to the above, the FBI on 29 April 2016 issued the following checklist concerning proactive protective measures in dealing with ransomware attacks:

Prevention Efforts

• Make sure employees are aware of ransomware and aware of their critical roles in protecting the organization’s data. Training; Training; Training. In this regard, organisations should review their staff rules and procedures to make sure that staff are aware of their corporate obligations.
• Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
• Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
• Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
• Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
• Disable macro scripts from office files transmitted over e-mail.
• Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

• Back up data regularly and verify the integrity of those backups regularly.
• Check to see if there are any antidotes available from reputable vendors. Some of the more reputable vendors have made available decryption keys for many ransomware malware.
• Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

The last recommendation by the FBI is highly important. Once the ransomware has been eliminated from the affected computer system, the offline backup data can be used to restore the data environment to a state that existed, hopefully, immediately prior to the attack. Of course, there will be some loss of data, but it does reduce the impact of the ransomware. It is management’s responsibility to ensure that a corporation’s information assets are available for future use, and ransomware is a noted and ever increasing threat.

Furthermore, it is not unusual for a corporation to have long term contracts in place. In performing such long term contracts, organisations are dependent upon their computer systems being available and operating correctly. Most, if not all, long term contracts include a force majeure clause as part of the contractual arrangement. A force majeure clause deals with events that are outside of the control of either party and is usually written on a mutual basis, meaning that the clause is available for the benefit of both parties. The issue then arises whether a successful hacker attack can fall within a force majeure clause. The answer to this issue really depends on what security measures the victim of the attack put in place. If the victim organisation does not implement what would reasonably be expected for the type of organisation in question, then the victim organisation may not be able to rely upon a force majeure clause. In the case of In re Verizon - Maine Public Utilities Commission, the Commission rejected Verizon’s argument that the impact of the Slammer worm (a computer virus that was first identified in the early 2000s) was within the ambit of the force majeure clause. Verizon was seeking a waiver of its contracted wholesale performance metrics because the Microsoft SQL Slammer worm had caused significant disruptions across the Internet in early 2003, impacting its servers.
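The two backup items in the FBI checklist above (back up regularly and verify the integrity of those backups; keep the backups disconnected) are the ones the newsletter singles out as highly important. The POSIX shell script below is an added example, not part of the newsletter or of the FBI checklist: it copies a directory to a backup location, records a SHA-256 manifest of every file, and later verifies the copy against that manifest, so a backup that was encrypted, altered or had files dropped into it while connected is detected before anyone tries to restore from it. The function names, the paths and the sample files created by demo are constructed for this example; the verification logic itself is generic.

```shell
#!/bin/sh
# Added example for the FBI backup items (not from the ODMOB newsletter):
# take a copy of a directory, record a SHA-256 manifest of every file, and
# verify the copy against that manifest before trusting it for a restore.
# Requires sha256sum (coreutils) or shasum (perl), plus find, sort, comm, awk.

# hash_file PATH: print the SHA-256 hex digest of one file.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_backup SRC DEST: copy the SRC tree to DEST/data and write
# DEST/MANIFEST.sha256 with one "digest  ./relative/path" line per file.
make_backup() {
  src=$1
  dest=$2
  mkdir -p "$dest/data"
  cp -R "$src/." "$dest/data/"
  : > "$dest/MANIFEST.sha256"
  (cd "$dest/data" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$dest/data/$f")" "$f"
  done >> "$dest/MANIFEST.sha256"
}

# verify_backup DEST: report MISSING, MODIFIED and UNLISTED files relative to
# the manifest. Returns 0 only when the copy matches the manifest exactly.
# (Paths containing spaces are not handled; the constructed data has none.)
verify_backup() {
  dest=$1
  status=0
  while read -r expected f; do
    if [ ! -f "$dest/data/$f" ]; then
      echo "MISSING  $f"
      status=1
    elif [ "$(hash_file "$dest/data/$f")" != "$expected" ]; then
      echo "MODIFIED $f"
      status=1
    fi
  done < "$dest/MANIFEST.sha256"
  # Files present in the copy but absent from the manifest were added after
  # the backup was taken; on a backup left connected that is a warning sign.
  listed=$(mktemp)
  present=$(mktemp)
  awk '{ print $2 }' "$dest/MANIFEST.sha256" | LC_ALL=C sort > "$listed"
  (cd "$dest/data" && find . -type f | LC_ALL=C sort) > "$present"
  extra=$(LC_ALL=C comm -13 "$listed" "$present")
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra" | sed 's/^/UNLISTED /'
    status=1
  fi
  rm -f "$listed" "$present"
  return "$status"
}

# demo: constructed sample data showing a clean verification, then the same
# backup after a simulated encryption of one file plus a dropped note.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/accounts"
  printf 'invoice,amount\n1001,4200\n' > "$work/src/accounts/ledger.csv"
  printf 'board minutes, July 2016\n' > "$work/src/minutes.txt"
  make_backup "$work/src" "$work/backup"
  echo "initial verification:"
  verify_backup "$work/backup" && echo "OK: backup matches manifest"
  # Simulate ransomware reaching a backup that was left connected.
  printf 'ciphertext' > "$work/backup/data/accounts/ledger.csv"
  printf 'simulated ransom note' > "$work/backup/data/HOW_TO_DECRYPT.txt"
  echo "verification after tampering:"
  verify_backup "$work/backup" || echo "FAILED: do not restore from this copy"
  rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run with `sh backup_verify.sh demo` to see both outcomes. The script cannot enforce the "disconnected" part of the recommendation; that is an operational matter (removable media or a host that is only reachable during the backup window). What it does give the business continuity procedure is a repeatable check to run each time the backup media is reconnected, and a manifest that should itself be stored with the offline copy so that a later verification compares against the state at backup time rather than against whatever is on the media now.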
As a result, Verizon could not meet its performance standards as detailed in its contract with the State of Maine. Verizon had been aware of the existence of the Slammer worm for approximately 6 months but failed during that period to implement the Microsoft released patch, which had been released a number of months prior to Verizon falling victim to the virus. To make their argument ineffective, 2 competitors, namely AT&T and WorldCom, intervened in the dispute with the State of Maine by submitting affidavits detailing how their respective IT departments had implemented the Microsoft released patch and how their respective IT systems were immune to the Slammer worm. Consequently, a failure to implement proper security measures can have far reaching implications, including secondary impacts by not allowing the victim to rely upon a force majeure clause.

Conclusion

IT security is complex and as such management, and in particular boards of directors, should seek external expert advice so as to take advantage of the business judgement rule. More sophisticated boards are even making sure that at least one of their members has sufficient expertise in IT security so as to explain what security measures should be considered for their company. In this case IT security should not be an exceptional board agenda item but should be discussed regularly, or at least on a quarterly basis depending on the industry sector of the relevant organisation. There is no such thing as a completely secure system. If it were possible to make a system absolutely secure then hackers would not be as successful as they are. Despite this, there are strategies which can be implemented to reduce the risk of a successful attack. When it comes to the effectiveness of ransomware, organisations should follow the FBI recommendations, which will not prevent a successful attack but will reduce the impact of any attack. Finally, organisations should engage external experts to assist in reviewing their systems to identify what actions can be taken prior to an attack.

Postscript

This newsletter is an abridged version of an 18,000 word essay dealing with management responsibility in the protection of information assets, which will be published in a noted legal journal. If any reader is interested, the larger essay is available on request.
Adrian McCullagh: ODMOB Lawyers
ABN: 81 141 521 571
Email: Ajmccullagh57@gmail.com
Mob: +61 (0) 401 646 486

If you wish to subscribe or unsubscribe to this newsletter then please contact the author by email at the above email address.

IF YOU REQUIRE ANY IT LEGAL ASSISTANCE THEN PLEASE CONTACT THE AUTHOR BY EMAIL AT THE ABOVE EMAIL ADDRESS.

PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then they should seek appropriate legal advice. The author makes no warranty as to the correctness of anything contained in this paper. This paper is the sole opinion of the author and must not be relied upon as legal advice. Every situation is different and as such proper analysis must be undertaken when seeking a legal opinion. Consequently, the author takes no responsibility for any errors that may exist in this paper and certainly takes no responsibility if any reader takes any actions based on what is (expressly or by implication) contained in this paper. All readers take full responsibility for anything they may do in reliance on anything contained in this paper.
Annexure A:

Kaspersky Research labs released its 2015 report on ransomware with this disturbing graph:
