Ransomware – Should the Ransom be Paid?


Ransomware remains a persistent threat to organisations: gangs keep introducing new strains and techniques that are harder to detect and defend against.

http://cyberbrokers.co.uk/ransomware-is-still-a-real-threat/

With every ransomware attack comes the ransom demand. In the early days these were only a few hundred dollars; ransomware has since grown into a multimillion-dollar business for criminals.

Ransomware as a service (RaaS) is a subscription-based model in which a developer rents out ready-made ransomware tooling to affiliates, who carry out the attacks and share the proceeds. It lowers the skill needed to mount an attack, so it brings more attacks, a wider threat landscape and, of course, larger ransoms.

Should the ransom be paid?

Every organisation will have its own view on whether a ransom should be paid. The type and severity of the attack will be the main factor in how the organisation wants this to play out.

What else is at stake? Is it theft of data, loss of manufacturing, or loss of the company website? Each has a financial implication.

Are there backups in place, are they isolated from the network (offline or immutable, so the attackers could not reach them), and have they been verified as intact and restorable?

The role of insurance

If cyber insurance is in place, the policyholder will notify their insurers of the attack, and the insurers will appoint a forensic investigator and a ransomware specialist from their vendor panel.

These two parties will establish the extent of the incident, and in particular whether the attackers have moved laterally through the network and already exfiltrated data that they can leak on the dark web or publish. Many gangs now steal data before encrypting, so the ransom is demanded for silence as well as for a decryption key.

The decision to pay

If the data cannot be recovered from backups, or the business cannot be returned to near-normal operation, it may be necessary to pay the ransom.

Some of the possible implications of paying are as follows:-

  • The attackers may not provide a working decryption key, or the decryptor may be slow or corrupt some files
  • Stolen data may still be leaked or sold
  • A further ransom could be demanded

Paying the ransom

If cyber insurance is in place, the specialist ransomware vendor will handle the negotiation and arrange the payment to the gang, normally in Bitcoin, via a wallet set up on the business's behalf. Before paying, the vendor will screen the recipient against sanctions lists, since payment to a sanctioned entity is itself an offence.

As a result of the high incidence of ransomware attacks there are signs that cyber insurers are restricting coverage. A number of insurers are introducing coinsurance, and AXA France has decided to stop reimbursing ransom payments for policyholders in France.

https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

Long term effects of paying the ransom 

  • The attackers could return to make further ransom demands
  • The business could gain a reputation for paying, and other ransomware gangs will try their luck
  • The attackers' foothold (the original malware, backdoors and stolen credentials) remains in the network unless the intrusion is fully eradicated, and they can return to exploit it

Paying a ransom is likely to be a last resort for a business, but robust cyber security, above all tested offline backups, gives every chance of never having to succumb to the attackers' demands.

Image : Shutterstock

Solar Winds Blows Cyber Chill


The SolarWinds cyber-attack, disclosed in December 2020, is a clear example of the implications that a software supply-chain compromise can have for an organisation's own supply chain.

Background

SolarWinds is a major US IT firm whose software is used globally by Fortune 500 companies and the US government, and which regularly sends software updates to its customers.

What Happened ?

Attackers compromised SolarWinds' build process, so that legitimately signed updates of its Orion platform, which firms use to monitor and manage their IT infrastructure, carried malicious code (the backdoor later named SUNBURST). Orion has around 33,000 customers.

The backdoor gave the attackers a way into customers' networks, where they selectively installed further malware and moved on to other systems. The attack ran for a number of months before it was discovered. SolarWinds reported that fewer than 18,000 customers installed the affected updates.

A separate web shell, SUPERNOVA, was later found on some Orion servers together with a PowerShell script named CosmicGale. Reportedly it was installed by exploiting a vulnerability in Orion rather than via the trojanised update, and it allows remote code execution on the Orion server.
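A management platform like Orion legitimately talks to a handful of vendor services and to the hosts it manages, so one practical control against a backdoored update is strict egress allow-listing for such hosts, with every connection outside the list investigated. The following Python script is an added example written for this page, not SolarWinds' code or a detection rule for the real incident: it parses a constructed proxy log (the hostnames, domains and addresses are invented, using reserved example names) and reports management-host connections that fall outside an allow-list, aggregating by destination so that volume is visible.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed proxy log (not real traffic). Fields: timestamp, source host,
# destination, port, bytes sent. All names use reserved example domains.
SAMPLE_PROXY_LOG = """\
2020-12-13T02:14:01Z orion-mgmt downloads.example-vendor.test 443 1240
2020-12-13T02:14:09Z orion-mgmt api.example-vendor.test 443 2210
2020-12-13T02:15:30Z orion-mgmt 7gq2k1.cdn-updates.test 443 812
2020-12-13T02:15:31Z orion-mgmt 7gq2k1.cdn-updates.test 443 64000
2020-12-13T02:16:00Z hr-laptop-12 news.example.test 443 5100
2020-12-13T02:17:45Z orion-mgmt 203.0.113.7 8080 3300
"""

# Hosts that hold privileged access to the estate and therefore get a strict
# egress policy (hypothetical names).
MANAGEMENT_HOSTS = {"orion-mgmt"}
# The only destinations a management host should reach on the internet:
# the vendor's update and licensing services (hypothetical domains).
EGRESS_ALLOW = {"downloads.example-vendor.test", "api.example-vendor.test"}
ALLOWED_PORTS = {443}

_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst.lower(), "port": int(port), "bytes": int(nbytes)}


def is_allowed(dst, port):
    """True only for the allow-listed domains (or their subdomains) on an
    allowed port. A bare IP address is never allowed: a backdoor that dials
    an IP directly bypasses DNS-based controls, so it should always stand out."""
    try:
        ipaddress.ip_address(dst)
        return False
    except ValueError:
        pass
    if port not in ALLOWED_PORTS:
        return False
    return any(dst == a or dst.endswith("." + a) for a in EGRESS_ALLOW)


def find_egress_violations(log_text):
    """Return {(dst, port): {"events": n, "bytes": total}} for connections
    from management hosts that fall outside the allow-list. Aggregating by
    destination makes a large outbound transfer visible at a glance."""
    findings = defaultdict(lambda: {"events": 0, "bytes": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in MANAGEMENT_HOSTS:
            continue
        if is_allowed(ev["dst"], ev["port"]):
            continue
        key = (ev["dst"], ev["port"])
        findings[key]["events"] += 1
        findings[key]["bytes"] += ev["bytes"]
    return dict(findings)


if __name__ == "__main__":
    for (dst, port), info in sorted(find_egress_violations(SAMPLE_PROXY_LOG).items()):
        print(f"{dst}:{port}  events={info['events']}  bytes_out={info['bytes']}")
```

On the sample log the laptop's browsing is ignored, the two vendor connections are accepted, and the two unexpected destinations (an unfamiliar domain receiving 64 KB, and a raw IP on a non-standard port) are reported. The caveat is the one the SolarWinds case makes: hash and signature checks on the update itself would have passed, so the control has to sit on what the management host is allowed to do afterwards.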

Who Was Impacted By This ?

The highest-profile company affected was FireEye, a leading cyber security firm, which discovered the campaign while investigating a breach of its own network. Others included Microsoft, Cisco, Intel and Deloitte.

In addition a number of US government departments were compromised, including the Department of Homeland Security and the Treasury Department.

Who Carried Out The Attack ?

Russia's foreign intelligence service, the SVR, is widely believed to have been behind the trojanised update, although some sources have suggested Chinese involvement in connection with the separate SUPERNOVA activity. At the time of writing attribution was not settled.

What Damage Was Caused?

Numerous e-mail accounts were accessed, giving the attackers the information held in them. The affected US government departments stated that only unclassified information was compromised.

Impact On The Supply Chain

With so many systems accessed, the task is to identify and secure each of them, which takes considerable time: a trojanised management platform has privileged access to everything it manages, so every host it touched has to be treated as potentially compromised.

Many companies rely on other companies for services, IT-related or otherwise, and when those suppliers are compromised the consequences of a cyber attack can run through the entire supply chain.

How Can Cyber Insurance Help ?

This form of insurance can provide many benefits for an organisation hit by such an attack.

The policy provides 24/7 emergency access to a specialist panel of vendors with the skills to manage incidents such as this.

For example, a forensic investigation can be carried out to establish the extent of the attack and whether data has been compromised. Costs arising from subsequent claims by individuals, and legal fees, can also be covered under the policy.

Image : Shutterstock

Coronavirus Being Exploited By Hackers


Coronavirus is sweeping the world, and hackers are taking advantage of people's vulnerability and the uncertainty of the situation.

The cyber threat landscape is largely unchanged, as are the techniques and methods hackers use, but they are becoming more inventive in their lures and preying on innocent victims.

Phishing Attacks

Phishing remains one of the most common forms of cyber attack. The National Fraud Intelligence Bureau (NFIB) has reported cases of fraud in which Coronavirus was the lure for the attack, with losses understood to exceed £800,000. Victims are tricked into opening e-mails and handing over personal information or credentials, which the attackers then use for fraud.

Lures include impersonating third-party suppliers or providers of business services, and bogus bulk sales of face masks and hand sanitiser.

Vishing (voice calls) and smishing (SMS messages) are also being seen. Everyone needs to be even more alert to these dangers.

Hacker Scams 

Another emerging pattern is bogus e-mails purporting to come from research agencies affiliated to bodies such as the World Health Organisation (WHO). The e-mail claims to be able to reveal information on individuals who may have the infection.

https://www.bbc.co.uk/news/technology-51838468
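Both the supplier impersonation mentioned above and the bogus WHO-affiliated e-mails rely on sender domains that look like a trusted one. The following Python example is added here and is not part of the original post or of any NFIB or WHO tooling. It classifies the sender domain in a From: header against a list of protected domains (the list and all sample headers are constructed, with who.int used because it is the WHO's real domain): it catches exact matches, homoglyph substitutions (including a Cyrillic letter), the trusted name embedded in another domain, and one-character typosquats. An exact match still needs SPF, DKIM and DMARC checks, since the From: header itself can be forged.

```python
import re

# Domains this organisation trusts and wants impersonations of flagged
# (hypothetical list; who.int is the WHO's real domain, the supplier is invented).
PROTECTED_DOMAINS = {"who.int", "example-supplier.test"}

# Single-character substitutions seen in lookalike domains: digits and a few
# Cyrillic letters that render like Latin ones. Extend as needed.
_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

_FROM_RE = re.compile(r"<([^>]+)>|(\S+@\S+)")

# Constructed From: headers for the demonstration (none are real messages).
SAMPLE_HEADERS = [
    "WHO Alerts <alerts@who.int>",
    "info@wh0.int",
    "World Health Organisation <alerts@wh\u043e.int>",
    "WHO Research <updates@who-int.com>",
    "<support@who.int.verify-account.test>",
    "Accounts <billing@examp1e-supplier.test>",
    "news@whoo.int",
    "someone@unrelated.test",
]


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None."""
    m = _FROM_RE.search(from_header)
    if not m:
        return None
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[-1].strip().lower()


def skeleton(domain):
    """Reduce a domain to what the eye sees: map homoglyphs to Latin letters,
    fold 'rn' to 'm', and drop dots, hyphens and anything else non-alphabetic."""
    s = domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, protected=PROTECTED_DOMAINS):
    """Return (verdict, matched_protected_domain).

    Verdicts: 'exact' (the domain or a subdomain; still verify SPF/DKIM/DMARC),
    'homoglyph' (looks identical after substitution), 'embedded' (trusted name
    buried in another domain), 'typosquat' (one character off), 'unrelated'."""
    dom = sender_domain(from_header)
    if dom is None:
        return ("unparseable", None)
    for p in protected:
        if dom == p or dom.endswith("." + p):
            return ("exact", p)
    dsk = skeleton(dom)
    for p in protected:
        psk = skeleton(p)
        if dsk == psk:
            return ("homoglyph", p)
        if psk in dsk:
            return ("embedded", p)
        if levenshtein(dsk, psk) <= 1:
            return ("typosquat", p)
    return ("unrelated", None)


def triage(headers):
    """Classify a batch of From: headers; returns [(domain, verdict, match)]."""
    return [(sender_domain(h), *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for dom, verdict, match in triage(SAMPLE_HEADERS):
        print(f"{dom:40} {verdict:10} {match or ''}")
```

The skeleton step is what makes the check useful against the lures described above: "wh0.int", a Cyrillic "о" in "whо.int" and "who-int.com" all collapse to the same letters as the genuine domain, while an unrelated domain stays distant. Anything other than 'exact' or 'unrelated' should be quarantined for a human to look at rather than blocked silently.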

Remote Working 

A large proportion of the workforce is now working from home, and with this comes increased exposure to cyber risk. Good housekeeping is therefore important and should include the following:-

  • Ensure that communications are secure (VPN, encrypted connections)
  • Enforce strong passwords and multi-factor authentication
  • Raise awareness of cyber attacks within the organisation
  • Make sure laptops are kept secure, encrypted and in a safe location
  • Be careful not to disclose personal credentials
  • Log off when not using the network
  • Review Remote Desktop Protocol (RDP) exposure: do not expose RDP directly to the internet; put it behind a VPN with MFA and monitor for brute-force attempts
  • Impose stricter procedures for financial processes and money transfers, such as call-back verification of any change to payment details

Managing The Cyber Risk 

All organisations are facing a huge challenge with this infectious disease and its consequences, business interruption being one of the main threats.

Cyber insurance includes incident response services that can assist with cyber attacks that befall a company, including forensic investigation costs, public relations consultants and legal assistance. In the current climate it is even more important to have access to these specialist vendors.

 

Image : Shutterstock

Norsk Hydro – A Ransomware Case Study

Norsk Hydro, the Norwegian aluminium manufacturer, was hit by a ransomware attack in March 2019. The company is one of the world's largest aluminium producers, with smelting plants and factories in 40 countries and some 35,000 employees.

The attack affected production in Europe and the US, forcing the company to revert to manual operation of its industrial control systems, at a much slower rate than normal, while it battled the attack.

Parts of the business remained operational, which allowed some production to continue. The stoppage of primary metal and rolled products nevertheless had an operational impact from a business interruption perspective.

The CFO announced that the Bitcoin ransom had not been paid and would not be paid, and that the company would instead restore its systems and preserve its data.

The attack began with an employee opening an infected e-mail that appeared to come from a trusted customer, which gave the attackers access to the IT infrastructure. They then spent time inside the network before deploying the ransomware, which is why the incident is described as an Advanced Persistent Threat (APT): the encryption was the final, visible stage of a longer intrusion.

The ransomware is thought to have been LockerGoga, which encrypts files very quickly and leaves a ransom note demanding payment to release them. The note also threatened to increase the ransom if there were any delay in paying, to add further pressure.
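LockerGoga's speed matters because by the time anyone notices, both live files and any backup reachable from the network may already be ciphertext; this is also why the question raised earlier on this page about whether backups are still intact needs an answer before a restore is attempted. The following Python script is an added example, not Norsk Hydro's, Microsoft DART's or the post's own code. It combines two checks a responder runs before trusting a backup set: a SHA-256 manifest taken when the backup was made and kept offline shows which files changed or disappeared, and a Shannon-entropy test on the changed files shows whether the change looks like encryption rather than an ordinary edit. The files, manifest and "encrypted" content are constructed in memory; the deterministic random bytes stand in for ciphertext and for a legitimately high-entropy JPEG.

```python
import hashlib
import math
import random
from collections import Counter

# Bits per byte above which content is treated as ciphertext-like. Text, office
# documents and configs sit well below this; AES output is close to 8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files):
    """Record the backup set as taken: {path: sha256}. Store the result where
    the ransomware cannot reach it (offline or write-once media)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def audit_backup(files, manifest):
    """Compare a backup set ({path: bytes}) with its offline manifest.

    Returns a dict of sorted lists:
      unchanged            hash matches the manifest
      modified             present in both, content differs
      missing              in the manifest, absent from the backup
      new                  in the backup, absent from the manifest
      suspected_encrypted  modified files with ciphertext-like entropy, plus
                           new files that extend the name of a missing file
                           (rename-and-encrypt) and have such entropy
    """
    keys = ("unchanged", "modified", "missing", "new", "suspected_encrypted")
    report = {k: [] for k in keys}
    for path, digest in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) == digest:
            report["unchanged"].append(path)
        else:
            report["modified"].append(path)
            if shannon_entropy(files[path]) >= ENTROPY_THRESHOLD:
                report["suspected_encrypted"].append(path)
    for path, data in files.items():
        if path in manifest:
            continue
        report["new"].append(path)
        renamed = any(path.startswith(old) for old in report["missing"])
        if renamed and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report["suspected_encrypted"].append(path)
    return {k: sorted(v) for k, v in report.items()}


def _pseudo_random(seed, n):
    """Deterministic high-entropy bytes standing in for ciphertext or a JPEG
    (constructed test data, not real ransomware output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed backup set as it was when the manifest was taken.
BEFORE = {
    "finance/q1-report.txt": b"Q1 revenue up 4% on rolled products; smelter output flat.\n" * 40,
    "ops/plc-config.ini": b"[furnace-3]\nsetpoint=960\nmode=auto\n" * 30,
    "hr/photo.jpg": _pseudo_random(1, 4096),  # legitimately high-entropy file
}
OFFLINE_MANIFEST = build_manifest(BEFORE)

# The same set after a simulated rename-and-encrypt, an in-place encrypt and a
# dropped ransom note; the photo is untouched.
AFTER = {
    "finance/q1-report.txt.locked": _pseudo_random(2, 4096),
    "ops/plc-config.ini": _pseudo_random(3, 4096),
    "hr/photo.jpg": BEFORE["hr/photo.jpg"],
    "README_FOR_DECRYPT.txt": b"Your files are encrypted. Contact us to recover them.\n",
}


if __name__ == "__main__":
    for category, paths in audit_backup(AFTER, OFFLINE_MANIFEST).items():
        print(f"{category:20} {paths}")
```

Neither check is enough alone, which is the point of pairing them: the entropy test by itself would flag the untouched JPEG, and the manifest by itself cannot tell an encrypted config file from one that was simply edited. File extensions are deliberately not used, because the suffix each family appends varies and is trivial to change. The ransom note shows up as a new low-entropy file, which is exactly what a responder wants to see listed rather than hidden.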

Norsk Hydro made three quick decisions which helped mitigate the attack:-

  • The CFO announced that the Bitcoin ransom had not been paid and would not be paid.
  • Microsoft's Detection and Response Team (DART) was engaged to help restore operations.
  • Norsk Hydro was very transparent about the attack, hosting daily webcasts and press conferences to give updates, which is unusual.

A dedicated team was built up over the following weeks which helped the business recover and rebuild its operations. This helped remove the threat posed by the attackers and establish how the ransomware attack had worked.

Norsk Hydro shared a video of how its Toulouse plant dealt with the attack.

https://securityboulevard.com/2019/04/norsk-hydro-shares-a-4-minute-video-on-how-its-employees-stood-up-for-the-firm-post-an-extensive-cyberattack/

The financial impact of the attack is thought to be in the region of $70-80M. Norsk Hydro had a cyber insurance policy, which is believed to have paid out $33M to date.

Image : Shutterstock

The Cyber Security Threats For 2020


Cyber security threats are evolving all the time, making it extremely difficult for businesses to keep up, and it is now even more important to have the appropriate protections in place to keep them safe from hackers.

The same core threats still exist, but they are becoming more sophisticated and harder to trace and prevent.

Ransomware   

Ransomware is no longer just a scatter-gun approach; it is increasingly targeted at specific businesses, with far larger ransom demands than before. The decision becomes whether to pay the ransom to obtain the decryption key and limit the interruption to everyday operations, or to hold out and rely on backups that will hopefully not have been corrupted. New strains are also appearing and becoming harder to repel.

Phishing Attacks

Phishing remains prominent. Despite increased training by companies to help employees spot such attacks, which commonly arrive by e-mail, hackers' success rate is still high and they continue to reap rewards.

Internet of Things

The number of interconnected devices is growing at an alarming rate, with all aspects of life from the office to the home now connected. The concern is that people are increasingly reliant on these devices, many of which are poorly secured and rarely patched, which gives hackers more ways into a network and more ways to cause disruption.

The Supply Chain

The supply chain of any business is in many cases fundamental to its operation, whether it supplies technology or non-IT services. The cyber security of such suppliers is often less robust than that of the principal business, and if their IT is compromised a hacker can use that access to move up the chain.

The Insider Threat

The insider threat remains prominent and is still hard to predict, since it depends on human nature. Even with the most sophisticated firewalls in place, a determined employee who already has legitimate access can take data; least-privilege access, monitoring of data movement and prompt removal of access when people leave are the controls that matter here. It will be interesting to see how the Morrisons case develops: the Court of Appeal held that a business was vicariously liable for an employee's deliberate leak of colleagues' personal data, a finding the Supreme Court later overturned in April 2020.

Artificial Intelligence  ( AI)  

AI is perhaps the newest of the cyber threat vectors, the least understood, and potentially the most disruptive. It is also among the hardest to defend against. Deepfake video is a fast-developing area: a believable video call from what appears to be the CEO could have been generated by AI, leading to misinformation being relayed within the company and influencing business decisions.

Image : Shutterstock

Deep Fake – Do You Believe ?


Deepfakes are emerging as a prominent new cyber threat which businesses face and need to implement measures to counteract.

What is Deep Fake?

A deepfake is synthetic media in which existing images or video are combined with and superimposed onto source images or video using artificial intelligence. The technique typically uses a machine learning approach known as a generative adversarial network (GAN), and the term first emerged towards the end of 2017.

Video content has historically been very difficult to alter convincingly, but artificial intelligence has made the process much easier.

What are the typical threats?

  • Creating an emergency situation that is not real and causing panic.
  • Disruption to an election by false statements
  • The making of a false announcement to directors and shareholders
  • An image of a director requesting the fraudulent transfer of funds.
  • Posing falsely as a partner that may affect a relationship
  • False video of a celebrity in compromising situations.

How are Deep Fakes detected?

Sophisticated deepfakes are difficult to detect, whereas amateurish ones can be spotted quite easily by signs such as a lack of blinking or shadows that do not fall where they should.

Generators can also be trained against the detectors themselves to evade them, which makes this a cyber threat that is hard to combat.

In September 2019 Google released a dataset of about 3,000 deepfake videos, in which faces were altered and people were made to say things they never said. The subjects were of course consenting actors; the purpose was to help researchers build the tools needed to detect and take down harmful fake videos that could cause distress to individuals and harm to businesses. https://nakedsecurity.sophos.com/2019/09/27/google-made-thousands-of-deepfakes-to-aid-detection-efforts/

Well Known Deep Fakes

Deepfakes have been made of many famous individuals, from Donald Trump to Tom Cruise and Theresa May.

Here are some examples

https://www.creativebloq.com/features/deepfake-examples

The Future of Deep Fakes

Deepfakes will no doubt develop to a level that makes it impossible to tell what is real from what is not. In this race the producers of fakes are so far ahead that detection will struggle to catch up.

Image : Shutterstock