ransomware

Ransomware – Should the Ransom be Paid?

by
Ransom

Ransomware attacks remain a continuing threat to organisations as ransomware gangs introduce new strains which make them difficult to defend against.

http://cyberbrokers.co.uk/ransomware-is-still-a-real-threat/

With ransomware attacks comes the inevitable ransom demand. These demands in the early days were only a few hundred dollars and this has now developed into a multimillion dollar business for hackers.

Ransomware as a service (RaaS) is a subscription based model that allows other hackers to use already developed ransomware tools to carry out ransomware attacks.With this brings an increase in attacks together with an increase in the threat landscape and of course the actual ransom.

Should the ransom be paid?

Every organisation will have their own views on this and whether the ransom should be paid to the hackers or not. The type and severity of the ransomware attack will be the main factor as to how the organisation will wish this to play out.

What also is at stake – is it theft of data , is it loss of manufacture or it the use of the company website? All will have some form of financial implication.

Are there back-ups in place , are these isolated from the network and are these still secure ?

The role of insurance

If cyber insurance is in place the policyholder will advise their insurers  of the attack and they will appoint a forensic investigator and a ransom ware specialist from their vendor panel.

These two parties will ascertain the extent of the incident and also as to whether there is collateral damage in that a sideways attack has taken place where data is already being extrapolated and in place to be distributed on the Dark Web or the public domain.

The decision to pay

If the position is that the data cannot be retrieved through back-up or it is not possible to return the business to near normal functionality it may be necessary to pay the ransom.

Some of the possible implications of paying this are as follows:-

The hackers will not provide the encryption code

The data still not be released

A further ransom could be demanded

Paying the ransom

If cyber insurance is in place the specialist ransomware vendor will organise the ransom payment to the ransomware gang in Bitcoin currency via a Bitcoin account set up on the business’s behalf.

As a result of the high incident of ransomware attacks there are signs that cyber insurers are restricting coverage. A number of insurers are introducing coinsurance but recently Axa in France have decided not to provide coverage for the payment of ransoms for policyholders in France.

https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

Long term effects of paying the ransom 

  • The hackers could return to make subsequent ransom demands
  • The business could gain a reputation for paying a ransom and other ransomware gangs will try their luck
  • The original malware planted remains in the network and hackers return to exploit any vulnerabilities

The payment of a ransom following a ransomware attack is likely to be the last resort of a business but if robust cyber security is in place it provides every chance of having to succumb to the demands of hackers.

Image : Shutterstock

Norsk Hydro – A Ransomware Case Study

by

Norsk Hydro, the Norwegian aluminium manufacturer were hit by a ransomware attack in March 2019. The company is one of the largest aluminium producers of its kind with smelting plants and factories in 40 countries being managed by their 35,000 employees.

The ransomware attack impacted on their production in Europe and the US which resulted in the company having to revert to manual operations to manage their industrial control systems albeit on a much slower basis than normal whilst they battled against the ransomware attack.

Parts of the business were however still operational which allowed a degree of production to still be maintained.The stoppage of the primary metal and rolled products had some operation impact from a business interruption perspective.

The CFO announced that the ransom bitcoin demand had and will not be paid as they attempted to restore the company’s software and preserve their data.

The cause of the cyber attack was as a result of an employee opening an infected e-mail from what was thought to be a trusted customer which allowed the hackers to gain access to their IT infrastructure and put in place the ransomware virus.This was an example of an Advanced Persistent Threat (APT).

The type of ransomware is thought to have been LockerGoga which enables hackers to encrypt computer files very quickly which are then locked with a ransom demand then being made to release them. The hackers also threatened to increase the ransom should their be any be any delays in paying to add further pressure to the situation.

Norsk Hydro made three quick decisions which helped mitigate the attack:-

  • The CFO announced that the ransom bitcoin demand had and will not be paid.
  • Microsofts cybersecurity team ( Detection and Response Team know as DART)  were engaged to help restore the operation.
  • Norsk Hydro were very transparent about the attack and hosted daily webcasts and press conferences providing updates on the attack which does not normally occur.

A special team was build up in the coming weeks which helped the business re over and reconstitute its business operations . This helped remove the threat posed by the hackers and to understand the mechanism of the ransomware attack.

Norsk Hydro shared a video of how they dealt with the ransomware attack in their Toulouse plant.

https://securityboulevard.com/2019/04/norsk-hydro-shares-a-4-minute-video-on-how-its-employees-stood-up-for-the-firm-post-an-extensive-cyberattack/

The financial impact of the ransomware attack is through to be in the region of $70- 80M. NorskHydro also purchased a cyber insurance policy which is believed to date to have paid out $33M.

Image : Shutterstock

Ransomware Is Still A Major Threat

by
Ransomware

Ransomware still remains one of the main methods that hackers utilise to carry out cyber attacks on businesses.

New strains of viruses are emerging all the time one such type is Sodinokibi which is only three months old but has had a significant impact already. It is also know as Sodin and REvil and connected to a previous form of ransomware called GrandCrab.

It is beloved that the average ransom demand for Sodinokibi in May was $150,000 against $50,ooo for other forms of ransomware. The largest recorded to date is $500,000.

Furthermore according to a report by Coveware, an incident response company the average downtime from a ransomware attack during the first part of this year has increased from 7.3 days 9.6 days which is believed to be due to the impact of this new ransomware.

The use of  Sodinokibi is also on the increase so much that it now accounts for 12.50% of the overall market.

Attack Methods

Sodinokibi is a ransomware-as-service (RaaS) and is used to attack both businesses and consumers and use various attack methods that include the following:-

  • Acting as malicious spam
  • Phishing attacks
  • Malvertising
  • Exploitation  of vulnerabilities in Oracle

The Signs of this Ransomware Infection

The normal signs of a ransomware attack are displayed when a computer system has been compromised by Sodinokibi this being changes in the desktop wallpaper and the announcement of the attack by way of a ransom note.

https://www.zdnet.com/article/sodinokibi-ransomware-is-now-using-a-former-windows-zero-day/

How it Happens

Files are encrypted on local drives by an encryption algorithm renaming all files with a pre-generated pseudo- random alpha- numeric extension that can be up to eight characters in length. This type of ransomware appears to target files which are mainly media related.

It also has been found to delete shadow copies of back-up and disables the Windows Startup Repair tool which prevents users from fixing any system errors relating to the ransomware attack.

Sodinokibi is unique in that it does latch on to zero-day vulnerabilities and and allow a Sodinokibi ransomware attacker access to endpoints that it infects replicating tasks that administrators would normally carry out.

How to Try and Prevent an Attack

Creation of back-ups of data on an external drive or on the cloud

Ensure that updates are run on all computer systems and appropriate patching is carried out.

Reinforce training of staff so that they are aware of possible phishing attacks that might carry this ransomware.

Restrict the use administrative tools to the IT team

Disable macro on Microsoft Office products

Cyber Insurance

The purchase of cyber insurance can help manage and mitigate the impact of these form of attack. This type of policy will provide coverage for the investigation costs of such an attack, the cost of negotiating with the hackers and if need be the actual ransom itself.

Image : Shutterstock

The Six Major Cyber Risks of 2019

by
Cyber Risks

What are the six major cyber risks of 2019 that businesses will need to guard against in the perpetual war against cyber criminals.

The cyberthreat landscape is constantly changing with hackers using ever more sophisticated means to gain unauthorised access to computer systems.This coupled with some of the more established tools utilised by hackers produces a cocktail of cyber attacks vectors that provide the ultimate test to cyber risk management of a busines.

Cyber risks come in many shapes and forms and it is likely that we will see the following featuring throughout the world in the coming days and months.

Supply Chain Vulnerbilities

This is proving to be a very real vulnerability with businesses heavily reliant on their suppliers and contractors for services whether this be for the provision of technology services that are fundamental to the effective functioning of the business.

If one of the suppliers systems are compromised this is likely to result if a significant businesses interruption loss where income will be lost and reputation damaged.

http://cyberbrokers.co.uk/how-secure-is-your-supply-chain/

Mobile Applications

We are are all reliant on our smart phones and laptops and end to end encryption of these is therefore of paramount importance. Confidential information and personal data is in abundance on these devices and a hacker will no doubt target such devices that do not have the appropriate security in place.

With the emergence of 5G this it will become increasingly harder to protect mobile applications.

Phishing Attacks

These are well established methods that hackers use to overcome human vulnerabilities.

This is carried out by e-mail compromise where uses click on a link that leads to malware being spread resulting in crippling the computer system or falsely changing a clients bank details to one set up by a hacker which leads to a loss of funds.

Ransomware Attacks

There have been a number of high profile ransomware attacks namely WannaCry and Non-Petya that impacted many countries around the world. Business affected by these include WPP, Maerck and the National Health Serice in the U.K.

A ransomware attack can be very cleverly disguised with many means available to gain access to a computer network. Over the past twelve months ransomware attacks have declined but they still remain a very real threat with different strains of malware emerging. This will only increase and make detection harder awareness of new methods and defense of these will therefore be vitally important to mitigate this on-going threat.

The Morrison’s Effect

As a result of a Morrison’s employee stealing salary details and distributing these to a number of newspapers Morrisons were sued for damages by a number of the affected individuals.

As a result of this it was found after appeal that Morrison’s were vicariously liable for the employees’ actions. The court also stated that the affected individuals could claim for financial loss and emotional distress. It is therefore conceivable that this could open the flood gates for class actions against other such businesses in similar circumstances.

https://www.bbc.co.uk/news/business-45943735

Artificial Intelligence and Internet of Things

Artificial Intelligence (AI) is now developing at an alarming pace as businesses recognized the benefits that machine learning can bring such as increased efficiency in manufacturing and data analysis. this however brings increased cyber risks. It is possible for inter-connectivity to take place which leads to communication with other devices called the Internet of Things (IOT) the result of which can lead to a compromise of systems , loss of data or even physical damage.

Cyber attacks backed by AI would be far greater than a conventional human lead cyber attack causing more damage for longer periods. This is a new emerging cyber threat but it could be one of the most dangerous and damaging as cyber security has not kept pace with the ensuing risks.

Cyber attacks will undoubtably become more sophisticated with the cyber risk landscape becoming more unpredictable and difficult to assess the threat vectors that develop.

Image : Shutterstock

How Secure Is Your Supply Chain?

by
Supply Chain

Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.

The calibre of these services can vary greatly be they a large conglomerate to small local business. Each suppler will have they own cyber security processes and procedures that should be embedded within the business….. but in practice is this the case and what is the impact on a business if they suffer a cyber security breach?

With reliance now placed on a supply chain it is important that due diligence is carried to ensure that this resilience is in place.

What sort of processes can be carried out in order to provide some assurances?

  • Regular cyber security audits of third party vendors
  • Prioritization of vendors for critical services
  • Review of data monitoring standards of third parties
  • Ensure own security procedures remain at a high standard enforcing regular patching and installation of latest firewalls.
  • Managing of privileges provided outside of the business
  • Robust procurement processes for new vendors
  • Management of contractual liability with the vendor in the event of a possible data breach
  • Due diligence of cloud service providers
  • Insurance checklist for professional indemnity and or cyber insurance by the vendor
  • Review interconnected devices to managed The Internet of Things ( IoT) exposures

The supply chain of a business can be their weakest link and managing this should be given the same level of attention as the internal cyber risks that exist.

The National Cyber Security Center publish a list of some of the risks that businesses should look out for :-

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

The consequences of a third party suffering a compromise of their computer systems could lead to  the following:-

1.Business Interruption

2. Reputational Damage

3.Regulatory Actions and Fines

4.Loss of customers

5.Costs incurred to the business to rectify loss of data or damage to computer systems

6.There have been a number of high profile data breaches where losses have emanated from the supply chain :-

Target

In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. As a result of network credentials being stolen from a mechanical services engineer the hackers were then able to gain access to credit and debit card data of customers. The cost of the breach is thought to be close to $300M with 100 million individuals being affected and the CIO of Target resigning soon after the breach.

Stuxnet

This was a malicious computer worm that targeted automated processes utilized to control machinery on factory assembly lines and systems within the nuclear industry.

It was introduced into a supply network via an infected USB flash drive by individuals that had access to the system It was then possible for the worm to move across the network which scans software that controls machinery and n influence the commands that were given.

NonPetya

Last year NonPetya was a malicious code aimed at software supply chains. The targets were outdated and unpatched Windows systems utilizing the EternalBlue vulnerability which hit many global businesses such as WPP DLAPiper and Maersk.

The hackers initially breached a financial services company in the name of MeDoc which was a third party software service readily utilized by goverments. Once access had been obtained they were able to install malware on their software which was then distributed to end users when the latest update was downloaded.

A report earlier this year by Symantec reported that there had been a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to the organizations computer systems.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Perhaps one of the keys to ensuring that a supply chain is secure is to try and enforce the supply chain to have in place similar robust cyber security procedures and practices to the business in order to manage the evolving cyber risk landscape that exists.

 

Image : Shutterstock

Will Ransomware Attacks Increase Under GDPR?

by
Ransomware

Business in the UK suffer on average 38 ransomware attacks a day and it is likely that we will see a significant increase in this when GDPR comes into force on 25th May this year.

According to cyber security product developer Sonic Wall there are over 2,500 different know variants of ransomware hitting UK businesses which makes the task of managing these attacks becoming a formidable job to combat. One of the current trends of cyber attacks carried out by hackers was is that their targets appeared to be that of data with ransomware being an ideal method of disrupting businesses by corrupting their data, stealing it or perhaps holding them to ransom.

This form of cyber attack on a business is perhaps one of the most difficult to handle due to its unpredictable nature and the impact that it can have on a business leaving it paralyzed to operate. It is also normally time limited which adds the factor of stress to the business owners with  the imminent threat of data being destroyed if the ransom is not paid within a specific deadline.

With GDPR there is added factor of a business being fined by the Information Commissioners Office (ICO) if data is compromised.The fines that could be imposed by the ICO are between 2 and 4% of global turnover depending on how the degree of the data breach. Uber would be an example of where the ICO could have imposed a heavy fine. Hackers held Uber to £750,000 ransom with the threat of releasing the data of 57 million customers. Uber would have been in the position of breaching GDPR rules on two occasions for the initial cyber attack and the fact that it was not disclosed as all data breaches will need to be advised to the ICO within 72 hours. It will be interesting to see how the ICO approach the question of fines and to what degree they are likely to impose the maximum fine threshold.

The paying of a ransom is am easy option to pacify alleviate a cyber attack but this could only be a short term solution as the hacker could return perceiving the business to be an easy target. There is  also no guarantee that the files containing the data will be released and will remain encrypted with the business still unable to access the data.

Cyber insurance can help with ransomware attacks , in paying the actual ransom and the costs associated with negotiating with the hackers. The policy would also provide coverage for the forensic and IT costs to investigate a possible sideways attacks by the hackers into computer systems. A data breach will need to be managed and this specialist form of insurance provides incident response services backed by a panel of experienced vendors.

Ransomware attacks will undoubtedly increase once GDPR comes into force and businesses will need to improve their cyber risk management in order to avoid the wrath of the ICO and the damage to their reputation that a severe data breach may cause.

Image : Shutterstock