Ransomware – Should the Ransom be Paid?


Ransomware attacks remain a continuing threat to organisations as ransomware gangs introduce new strains which make them difficult to defend against.

http://cyberbrokers.co.uk/ransomware-is-still-a-real-threat/

With ransomware attacks comes the inevitable ransom demand. In the early days these demands were only a few hundred dollars; ransomware has since developed into a multimillion dollar business for hackers.

Ransomware as a service (RaaS) is a subscription-based model that allows other hackers to use already developed ransomware tools to carry out attacks. This brings an increase in the number of attacks, a wider threat landscape and, of course, larger ransom demands.

Should the ransom be paid?

Every organisation will have its own view on whether the ransom should be paid to the hackers or not. The type and severity of the ransomware attack will be the main factor in how the organisation wishes this to play out.

What else is at stake: is it theft of data, loss of manufacturing capacity or the use of the company website? All will have some form of financial implication.

Are there back-ups in place, are they isolated from the network and are they still secure?

The role of insurance

If cyber insurance is in place the policyholder will advise their insurers of the attack, and the insurers will appoint a forensic investigator and a ransomware specialist from their vendor panel.

These two parties will ascertain the extent of the incident and whether there is collateral damage, such as lateral movement across the network with data already exfiltrated and ready to be distributed on the Dark Web or into the public domain.

The decision to pay

If the position is that the data cannot be retrieved from back-up, or it is not possible to return the business to near-normal functionality, it may be necessary to pay the ransom.

Some of the possible implications of paying are as follows:

  • The hackers may not provide the decryption key
  • The stolen data may still be released
  • A further ransom could be demanded

Paying the ransom

If cyber insurance is in place the specialist ransomware vendor will organise the ransom payment to the ransomware gang in Bitcoin, via a Bitcoin wallet set up on the business's behalf.

As a result of the high incidence of ransomware attacks there are signs that cyber insurers are restricting coverage. A number of insurers are introducing coinsurance, and recently Axa in France decided to stop providing coverage for the payment of ransoms for policyholders in France.

https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

Long term effects of paying the ransom

  • The hackers could return to make subsequent ransom demands
  • The business could gain a reputation for paying a ransom and other ransomware gangs will try their luck
  • The original malware planted may remain in the network, allowing the hackers to return and exploit any remaining vulnerabilities

The payment of a ransom following a ransomware attack is likely to be the last resort of a business, but if robust cyber security is in place it provides every chance of not having to succumb to the demands of hackers.

Image : Shutterstock

Norsk Hydro – A Ransomware Case Study

Norsk Hydro, the Norwegian aluminium manufacturer, was hit by a ransomware attack in March 2019. The company is one of the largest aluminium producers of its kind, with smelting plants and factories in 40 countries managed by its 35,000 employees.

The ransomware attack impacted production in Europe and the US, and the company had to revert to manual operation of its industrial control systems, at a much slower pace than normal, whilst it battled the attack.

Parts of the business were however still operational, which allowed a degree of production to be maintained. The stoppage of the primary metal and rolled products divisions had some operational impact from a business interruption perspective.

The CFO announced that the Bitcoin ransom demand had not been and would not be paid, as the company attempted to restore its software and preserve its data.

The cause of the cyber attack was an employee opening an infected e-mail from what was thought to be a trusted customer, which allowed the hackers to gain access to the IT infrastructure and put the ransomware in place. This was an example of an Advanced Persistent Threat (APT).

The ransomware is thought to have been LockerGoga, which enables hackers to encrypt computer files very quickly; the files are then locked and a ransom demand is made to release them. The hackers also threatened to increase the ransom should there be any delay in paying, to add further pressure to the situation.

Norsk Hydro made three quick decisions which helped mitigate the attack:

  • The CFO announced that the Bitcoin ransom demand had not been and would not be paid.
  • Microsoft's cybersecurity team (the Detection and Response Team, known as DART) was engaged to help restore operations.
  • Norsk Hydro was very transparent about the attack, hosting daily webcasts and press conferences providing updates on the attack, which does not normally occur.

A special team was built up in the following weeks which helped the business recover and reconstitute its operations. This helped remove the threat posed by the hackers and to understand the mechanism of the ransomware attack.

Norsk Hydro shared a video of how they dealt with the ransomware attack in their Toulouse plant.

https://securityboulevard.com/2019/04/norsk-hydro-shares-a-4-minute-video-on-how-its-employees-stood-up-for-the-firm-post-an-extensive-cyberattack/

The financial impact of the ransomware attack is thought to be in the region of $70-80M. Norsk Hydro had also purchased a cyber insurance policy, which is believed to date to have paid out $33M.

Image : Shutterstock