m@ksim.pro

Ransomware in 2016: this is an operational threat, not an IT incident

The ransomware wave in early 2016 shows that encryption attacks have become a business continuity problem, not just a security one.

In February 2016 Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of approximately $17,000 after ransomware locked the hospital out of its systems for several days. Medical records were inaccessible, some procedures were postponed, and staff reverted to paper-based processes. It was not the first such case, but it received wide coverage and changed the conversation about this threat.

Ransomware has stopped being a problem for individual users. It has become an operational threat to organisations.

What changed

Ransomware has existed for years, but the past year or two have seen several shifts that made it significantly more dangerous for businesses.

First - monetisation through Bitcoin made collecting ransoms relatively safe for attackers and made transaction tracing difficult.

Second - attacks became more targeted. Where ransomware used to spread through mass email campaigns and encrypt indiscriminately, some attacks are now run manually: attackers first study the infrastructure, locate backup copies, encrypt those too - and only then make demands.

Third - ransom amounts have grown. Where a few hundred dollars used to be demanded, organisations are now facing tens of thousands and more - especially when the target is visibly well-resourced.

Why this is no longer just an IT problem

When one employee's work files are encrypted, that is an IT incident. When everything is encrypted including backups, and the organisation cannot operate for several days, that is a business continuity crisis.

The difference matters. An IT incident is resolved by the technical team. A continuity crisis requires leadership decisions: pay or not pay, how to communicate with customers and regulators, how to operate in degraded mode, when to expect recovery.

None of these decisions can be made for the first time during the incident itself. They need to be prepared in advance.

What specifically to check

Backups are the first and most important question. If backups are reachable from the same network as the primary systems, ransomware will reach them too. Backups need to be isolated, ideally with at least some copies kept offline or on an air-gapped medium.

The second question is restoration testing. An organisation may have been making backups for years and discover at the moment of an incident that restoration does not work as expected, or that critical data was never included. Recovery testing is an ongoing practice, not a one-time event.
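As an added illustration of the restoration-testing point (this is example code written for this page, not a script from the original post), the following Python drill seeds a constructed sample tree, takes a backup with a SHA-256 manifest, restores it into a fresh directory and then checks three things an organisation usually discovers only during an incident: files missing from the restore, files whose contents no longer match the manifest, and critical data the backup job never captured at all. `SAMPLE_FILES` and `CRITICAL_PATHS` are constructed placeholders; a real drill would point them at production paths and a real backup target.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample data standing in for a small production tree.
SAMPLE_FILES = {
    "db/patients.sqlite": b"sqlite-header-bytes-constructed",
    "config/app.yaml": b"mode: production\n",
    "docs/readme.txt": b"operator notes\n",
}
# Paths the business has declared essential; the drill fails if a backup omits any of them.
CRITICAL_PATHS = ["db/patients.sqlite", "config/app.yaml"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_coverage(manifest: dict, critical_paths) -> list:
    """Critical paths that the backup never included."""
    return [p for p in critical_paths if p not in manifest]


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = [p for p in manifest if p not in restored]
    corrupted = [p for p, digest in manifest.items()
                 if p in restored and restored[p] != digest]
    return {"missing": missing, "corrupted": corrupted}


def take_backup(source: Path, backup: Path, exclude=()) -> dict:
    """Copy source into backup/data and record a manifest next to it.
    'exclude' simulates a backup job whose include list forgot something."""
    data_dir = backup / "data"
    data_dir.mkdir(parents=True, exist_ok=True)
    for p in source.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(source).as_posix()
        if rel in exclude:
            continue
        dest = data_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
    manifest = build_manifest(data_dir)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def run_restore_drill(exclude=(), tamper=None) -> dict:
    """Full rehearsal: seed a source tree, back it up, restore into a clean
    directory, verify. 'tamper' overwrites one restored file to simulate a
    corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restore = tmp / "source", tmp / "backup", tmp / "restore"
        for rel, content in SAMPLE_FILES.items():
            f = source / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
        take_backup(source, backup, exclude)
        # Restore only from the backup copy, as an operator would on clean hardware.
        shutil.copytree(backup / "data", restore)
        if tamper:
            (restore / tamper).write_bytes(b"garbage")
        recorded = json.loads((backup / "manifest.json").read_text())
        result = verify_restore(recorded, restore)
        result["uncovered"] = check_coverage(recorded, CRITICAL_PATHS)
        result["ok"] = not (result["missing"] or result["corrupted"] or result["uncovered"])
        return result


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest is the important design choice: it is written at backup time and checked at restore time, so a drill can distinguish "the file came back wrong" from "the file was never backed up", which are fixed in very different places. Running the drill on a schedule, rather than once, is what turns it into the ongoing practice the paragraph above describes.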

The third is network segmentation. If all workstations and servers share one segment, a single infected machine can spread quickly. Segmentation limits the blast radius.

The fourth is the incident decision process: who calls whom, who decides whether to pay the ransom (and it should be a considered decision, not a panicked one), and who communicates with the press and customers.

A minimum set of actions

If none of these questions has been put to your IT team in the past six months, this is a good moment to start. Ransomware in 2016 is not a hypothetical risk - it is happening to real organisations every week.

The question is not whether you will be targeted. The question is what happens to your business if you are.
