The term ‘Ransomware’ has been in the News again recently following several high-profile cyber-attacks. This article introduces what Ransomware is, why it can be so devastating for those affected, and what can be done to reduce its impact.
To reflect the devastating impact that ransomware can have, the National Cyber Security Centre (NCSC), as reported in The Guardian, is due to announce that ransomware is a ‘Malicious Strategic Threat’ and represents the biggest threat to the online security for businesses and people within the UK [Link].
Ransomware is a form of malware (malicious software). When deployed it encrypts or severely restricts a user's access to the files on their computer system until a ransom payment is paid. Usually, the attackers threaten to make public the encrypted information or refuse to handover the decryption keys until the ransom is paid.
Ransomware isn’t new, but over the last few years we have witnessed a huge surge in its use by cyber criminals to wreak havoc and to earn a quick buck. Whereas many historic cyber-attacks have cost the organisation financially and/or reputationally – ransomware has the potential to be a serious existential threat to the organisation.
In the last few months alone, we have seen a number of serious ransomware attacks.
The scale of these attacks and the disruption they caused has prompted Logiq to write this article so that we can all be better prepared to meet this threat and ensure that our organisations are cyber resilient.
WannaCry and Petya
Two of the most high-profile ransomware attacks in the last few years were the WannaCry and Petya attacks. WannaCry, in 2017, targeted vulnerabilities in the Windows Operating System. Petya, identified in 2016, operates in a very similar manner by targeting the master boot record of the Windows Operating System to encrypt the hard drive and prevent the computer from booting.
What can you do as an organisation?
One of the most important things an organisation can do is to ensure that all its systems are fully patched. Although a fully patched system may not prevent an attack from being successful, it can reduce the likelihood. When WannaCry malware exploited the Windows implementation of the Server Message Block (SMB) protocol; Microsoft had already released a patch for this vulnerability, but many organisations had not implemented it.
Invest in cyber security awareness of your personnel. People represent the largest attack surface, and this is a fact which is often overlooked by organisations. Organisations must invest in our people who are our first line of defence.
Ensure that policies and procedures for responding to a cyber event are up to date, tried and tested, and communicated to those who need to know them. All procedures should have been subject to the minimum of a Tabletop review.
Organisation should also regularly review their security posture. The systems used by the organisation may change or the threat could shift. It is good practice to review the security posture on a regular basis.
Importance of Maintaining Backups
We must accept that not all attacks are going to be prevented: remember that an attacker has to be successful only once, while the defender has to be successful every time. Therefore, it is essential that organisations plan and prepare for the worst. One of the best things an organisation can do is to ensure they maintain up to date system backups. This allows data to be restored if it is compromised. Think of it as an insurance policy.
To illustrate the importance of backups when JBS were attacked the backup servers were reportedly not affected. Therefore, although the company experienced hardship due to the attack they were able to restore the affected services by using trusted backups. The disruption faced was not as bad as it could have potentially been.
For organisations that utilise Cloud Infrastructure, backups are still important. Even if data is in the Cloud, then local secure backups should be maintained. Alternatively, the Cloud could provide opportunities to maintain backups of local (non-Cloud) systems. The organisation should determine what solution works best for them in concert with their risk assessment.
The organisation must ensure that these backups are routinely tested to ensure that data and services can be restored, and properly secured to maintain their integrity and availability. The prime objective is to ensure that the time to recovery is reduced to the smallest amount of time possible. This should be fully documented within the Disaster Recovery procedure.
An important case study here is that of Fujifilm. Earlier this month they reported that they had refused to pay the ransom to the cyber-criminal group that had attacked its networked, instead relying on backups to restore its business operations.
Business Continuity should focus on what an organisation needs to continue operations in the event of an emergency. Whilst the focus of Business Continuity should be greater than just cyber, a cyber-attack is one of the most likely events that will trigger a Business Continuity event.
To maintain business-critical functions while the backups are being restored, the organisation should document fall-back processes within their Business Continuity Management Plans. All plans should be validated through a minimum of Table-Top workshops, and preferably through full-scale exercises. There may also be benefit in having a third-party review the plans to provide impartial input.
Preserve Digital Evidence for Investigation
Following any cyber incident, it is important to preserve digital evidence for any further investigation and involvement from law enforcement. This evidence could be crucial to understand how the threat actor compromised the system and may aid preventing attacks in the future.
The increase of ransomware attacks is also having a knock-on effect for insurers, with many insurers becoming more vigilant over the security controls organisations have in place. Therefore, insurers may not provide cover to organisations who do not have at least the basic level of security in place or reduce the level of cover accordingly. Even worse, insurers may not honour premiums if they can prove the organisation did not manage and maintain their systems in accordance with their policies.
Ian Smith, writing for the Financial Times, reported that “insurers are using a mixture of financial incentives, in policy and pricing changes, in an attempt to persuade companies to strengthen their controls” [Link] and this could have an impact of the security preparedness of many organisations. Or it may mean that some organisations abandon cyber insurance altogether. Only time will tell.
National Cyber Security Centre (NCSC) Guidance
Every organisation has a responsibility to ensure that they have appropriate security controls in place. If you want to understand more about how you can protect yourself against ransomware, please visit the NCSC for further information: Mitigating malware and ransomware attacks
Matthew Mackay, Principal Consultant, Logiq Consulting Ltd