Kidnapped! - the catastrophic cost of ransomware
/The changing working landscape has made businesses more vulnerable to ransomware attacks. The threat of cyber breach events is very real and, as more businesses are finding out, can come with catastrophic costs.
Protection from Ransomware Attacks
Back on 17 March 2020 we published a blog warning about cyber security risks for businesses with people working from home. Unfortunately, this prediction has turned out to be true, with several reports over the last couple of months of Ransomware taking businesses “down”. There is a high probability that this ransomware software got through via an insecure personal computer from someone working at home, or a new remote connection which was implemented in haste, without enough time to carry out the stringent security checks and testing periods usually required before implementing any new channels or endpoints.
What does Ransomware do when it gets in?
Ransomware can be a particularly devastating attack on computer systems. It is quite aggressive and, when well designed, it looks for a whole series of common file extensions and corrupts them all. The number of files it will look for and eventually encrypt can be close to 90 different types. Although not all of the files may be affected, enough will be encrypted, making it almost impossible to unencrypt and recover from. The software is designed so it quietly encrypts all the files it can find in the background before anyone notices. The first indication will likely be that an application will stop operating. If the computer is on a corporate network, it can work its way down the network to basically any computer it can find, even corrupting your backups if they are online. and then finally encrypting files listed on your desktop, which is often the first sign for many businesses that you have a major problem. By then, it is too late to do anything.
Can files be recovered without paying the ransom?
Recovering from this is extremely difficult. It can take days or weeks to work out how the files have been encrypted and then establish what the encryption key is.
If you wish to recover using your backup files, one has to basically do what is known in the industry as a "cold steel” rebuild. That is, totally wipe all the data off your computers or servers and storage disks and then rebuild from a backup that does not have the Ransomware malware already on it. Some versions of Ransomware can be on your computers for several days or weeks before it is activated, so going back to the latest backup may not work.
Now the problem with most corporate organisations these days is, the backups are normally on disk and these disks are online, so these also get corrupted. Similarly, for those organisations replicating backup data to a remote location, there is a high probability that the ransomware will make it through to those distant backups and corrupt them as well.
It is at this point in a ransomware attack that your IT group go to a sickly shade of white, need to rush off to the bathroom, as they realise first that their online backups are useless and second it is going to take them a long time to restore your data. We’re talking weeks at the very least, which is something that most businesses cannot afford.
If you do not have off-site/offline backups they may never be able to rebuild your data.
Changes in the industry to fight ransomware crime
The software and hardware industries are not sitting on their hands, but are in fact are working hard to address the exposure to such attacks. The following are some of the solutions that are coming through:
Data Backup Software that recognises a Ransomware attack
For backup tapes, there are products that use Artificial Intelligence (AI) to detect attempts to encrypt files. The product maps your normal file encryption via AI and as soon as it detects an attack it disconnects from the network and then restores the damaged files.
Replication of Data Protection
For replication there are now products that have inbuilt ransomware protection to stop the software getting to the remote location. This is a relatively new feature of some of the replication software and it would pay to check if the latest version you have provides ransomware protection.
Desktop Malware Protection
For home computers and also business protection, there are products that have inbuilt Ransomware and remediation of files built in. These are not the common malware protection products or the free products many choose to rely on. It will cost you a little more for the right protection but it is far cheaper than dealing with the costs to your business of an actual attack.
What can you do to increase your protection?
The most important action you can take right now is, take your backups offline after completion. If your business is using tape backups or USB disk backups, then you should have a policy of removing them off your system when the backup is finished. This creates what is known as an “air-gap” so that the malicious software cannot get to your backups. Make sure a part of those backups is the rebuild files for the hardware and operating systems. This can be a little old-school but it is better than nothing.
Other things you can do include:
Ensure your personnel are aware of the dangers of opening files and programmes that are from people they do not know.
Ensure all devices your team are working from remotely are secure, with robust anti-virus software that includes firewalls and malware protection, and keep it up to date.
Have the connectivity path from your office systems to the remote location via secure VPN with Two Factor Authentication.
Review security for home internet connectivity; in particular, change the default password on the routers and other devices.
Ring-fence sensitive systems and data from extended network activity where possible.
Provide dedicated devices to remote team members instead of allowing access from home computers or other shared devices.
Block the use of USB ports on computers used for company use.
Step up or refresh team training around security protocols and best practice.
Get expert advice from a professional cyber security consultant
Establishing the risks and impact of a Major IT Outage
Organisations need to understand the level of risk and impact of a cyber-attack as with any other major IT outage. A cyber-attack can have the same disastrous impact as a major natural disaster – in fact, it can be more damaging as it takes out a business’ reputation along with its ability to function. Cyber-attacks happen very fast and so organisations need to be prepared to be able to respond to them just as quickly. This includes having roles and response plans defined for key personnel, internal and external communication plans including media statements and scripts for call centres; and most importantly the response plan needs to be embedded and practised via cyber breach training exercises.
How can Standby Consulting help?
Standby Consulting are specialists in resilience. Our cyber security management offerings include cyber governance and breach response planning, as well as training and embedding exercises for staff at all levels.
If a face to face tabletop exercise is not really possible in the current climate, then we offer an online facilitator-led Cyber Hacking Exercise. You and other key members of your crisis response team can work together through a realistic cyber-attack, managing any impacts via a simulated virtual desktop where you can chat with each other and other stakeholders, check emails, track the market impacts, make critical decisions and more. Bring your key people together to develop both your skills and processes for managing a cyber breach.
Contact us for more information about our online cyber response exercise and other cyber security management offerings.