Many will be aware of businesses which have become victims of ransomware – a potentially devastating attack which can bring your business to an abrupt halt. The size of the ransom varies. We have seen demands ranging from a few thousand to many tens of thousands of pounds. And they get paid too.
What is ransomware?
It is a type of malicious software which encrypts its victim’s data. The criminals hold their victim to ransom, blocking the organisation from accessing systems and data, pending payment of the ransom demand. The attacker promises to send a decryption key to release the data/systems following payment.
How does ransomware attack?
It is important to appreciate that your business will usually not have been specifically picked out; rather, the attacks are automated at scale. It commonly begins with an employee clicking on a malicious link or attachment. This may be a random automated attack, or it may come via an email from an infected client or other third party. Another route is a device or server with a vulnerability because it has not been kept fully up to date with security fixes (“patches”). Automated attacks exploit both people and technical vulnerabilities. In the most common situation, the download from a click pulls in the ransomware, which automatically spreads to find data and files it can encrypt. When it is set off, it takes the system down and encrypts the data on the servers. Some ransomware can create new variants of itself faster than anti-virus software can identify them.
Once encrypted, many organisations find they cannot restore their systems or data and are left at the mercy of the criminals. This is because even where they think they are being fully backed up, often they are not, or the backups are of the corrupted data. Some ransomware destroys the backups, or even gains access through them. Crucially, unless the backups were correctly configured in the first place, it usually takes a long time to work out whether you can put the individual backup pieces of the jigsaw together into a functioning picture. That is time you do not have, because the ransom demands are usually accompanied by a timer, which counts down the hours to the total and permanent destruction of the data. Imagine losing all your data, customer information, and access to EPOS or procurement systems. This is why so many organisations pay the ransom demand to get released – itself a very dangerous game, as the criminals may still not release the data, or may return.
How do we prevent it?
So, make sure all firmware, operating systems, software and anti-virus are security patched and up to date. Make sure everything is properly configured with security in mind (rather than just set up to achieve ease of access and functionality). We usually find poor configuration everywhere: devices left in their “out of the box” condition, anti-virus missing from devices, firewalls not working, and so on. Where possible, limit the extent of your infrastructure which is exposed to the internet. Put the right layers of security and separation around your data so that a virus can be contained. Keep access rights and permissions to a minimum; otherwise attackers gain access to all areas of your network, systems and data. Ensure that your backups are properly structured with the right permissions, so that you can if necessary rebuild everything quickly.
But crucially, recognise that you cannot defend yourself against this or other types of attack by technology alone. You must ensure ongoing cybersecurity awareness training for everyone in the organisation and test that it has been understood. Put in place the right governance regime with the right policies that fit the way your practice operates while still keeping you safe. And regularly review and update these defences.
Protection requires that vulnerabilities in technology, people and processes are all addressed together on an ongoing basis. They should be assessed through a security lens and pressure tested by someone who is independent from whoever sold, fitted or configured the technology. Cybersecurity is not the same as IT support. And having your IT provider mark their own homework is rarely a good idea, and in the case of a ransomware attack can result in disaster.