Companies scramble to recover from crippling ransomware attacks
Cyber criminals exploiting a security flaw in unpatched installations of Microsoft’s Windows XP operating system brought many organisations around the world to their knees on Friday with their so-called WannaCry ransomware attack that locked users out of their computers’ files. The unprecedented mass attack supported dozens of languages, indicating that the criminals were bent on wreaking as much havoc as possible with organisations ranging from the world’s biggest hospital groups, car makers, telecommunications firms, courier companies, rail operators and national governments being affected.
F-Secure, a Finnish cyber security company, estimated that over 130 000 systems in more than 100 countries had been affected. China, India and Russia were particularly hard hit, with almost 30 000 institutions across China having reportedly been affected, according to a leading Chinese security-software provider. F-Secure’s chief research officer Mikko Hypponen said Russia and India were particularly hard hit because many there were still using Windows XP, an operating system that Microsoft terminated support for in April 2014. However, the software giant had already taken the unusual step of reissuing security patches for this and other older versions of its operating system starting in March this year, and has been criticising the US intelligence agencies for “stockpiling” software code, as it has become apparent that hackers managed to exploit the leak of such code for this latest attack.
Yesterday Microsoft sent out a communiqué to users advising them to install its MS17-010 security update on Windows XP, 8 and Server 2003 machines as soon as possible to counter the threat. Windows 10 operating systems have not been affected by the attack to date. WannaCrypt encrypts all files it finds and renames them by appending “.WNCRY” to the file name. It also creates the file “@Please_Read_Me@.txt” in every folder where files are encrypted.
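The two indicators named above (the “.WNCRY” extension and the “@Please_Read_Me@.txt” note in each affected folder) are enough for a responder to measure how far encryption spread on a share before deciding what to isolate and what to restore from backup. The following script is an added example written for this article; it is not code from F-Secure, Microsoft or any of the companies quoted. It assumes the affected volume is mounted read-only on a clean analysis host, only reads the tree, and builds its own constructed sample folder so it can be run offline.

```python
"""Scope a WannaCry-style encryption incident on a mounted volume.

Walks a directory tree and reports every file carrying the ".WNCRY"
extension and every folder holding the "@Please_Read_Me@.txt" ransom
note, so responders can see how far encryption spread before isolating
hosts and restoring from backups. Example code written for this article,
not F-Secure's, Microsoft's or Camsoft's own tooling.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ENCRYPTED_SUFFIX = ".WNCRY"             # appended to encrypted files (named in the article)
RANSOM_NOTE = "@Please_Read_Me@.txt"    # dropped in every encrypted folder (named in the article)


@dataclass
class ScopeReport:
    encrypted_files: list = field(default_factory=list)           # paths ending in .WNCRY
    note_folders: set = field(default_factory=set)                # folders holding the ransom note
    original_extensions: Counter = field(default_factory=Counter)  # file types that were hit
    first_seen: Optional[float] = None                            # earliest mtime of an encrypted file
    last_seen: Optional[float] = None                             # latest mtime of an encrypted file


def original_extension(encrypted_name: str) -> str:
    """'report.docx.WNCRY' -> '.docx'; a file with no inner extension returns ''."""
    stem = encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()


def scope_volume(root: str) -> ScopeReport:
    """Walk `root` read-only and collect the encryption indicators; nothing is modified."""
    report = ScopeReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report.note_folders.add(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(full)
                report.original_extensions[original_extension(name)] += 1
                mtime = os.path.getmtime(full)
                report.first_seen = mtime if report.first_seen is None else min(report.first_seen, mtime)
                report.last_seen = mtime if report.last_seen is None else max(report.last_seen, mtime)
    return report


def summarize(report: ScopeReport) -> dict:
    """Condense the report into the numbers a responder puts in the incident log."""
    fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None
    return {
        "encrypted_files": len(report.encrypted_files),
        "affected_folders": len(report.note_folders),
        "top_extensions": report.original_extensions.most_common(5),
        "first_seen": fmt(report.first_seen),
        "last_seen": fmt(report.last_seen),
    }


def build_sample_tree() -> str:
    """Constructed sample data: a scratch folder mimicking a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="wncry_scope_")
    layout = {
        "finance": ["q1.xlsx.WNCRY", "q2.xlsx.WNCRY", RANSOM_NOTE],
        "finance/archive": ["2015.pdf.WNCRY", RANSOM_NOTE],
        "design": ["logo.psd", "brief.docx"],   # untouched folder: no note, no .WNCRY files
    }
    for folder, files in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"placeholder")      # contents are irrelevant to the scan
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in summarize(scope_volume(sample_root)).items():
        print(f"{key}: {value}")
```

Pointing `scope_volume` at a real mount (for example a read-only mount of a snapshot of the file server) gives the list of affected folders to cross-check against backup catalogues, and the earliest modification time narrows the window to search in logs for the host that first wrote encrypted files.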
Eleven health boards in the UK, including the National Health Service (NHS), were disrupted by the attack, with hundreds of operations and treatments reportedly postponed countrywide. Only in February this year, F-Secure had issued warnings of the likelihood of such a ransomware attack and the possible consequences, highlighting the damage that can be done to health care organisations should they not have access to patient data. The NHS reported that some doctors couldn’t access their patients’ test results after operations or before scheduled treatments, and that the National Cyber Security Centre (NCSC) was working around the clock to normalise IT systems after the attack.
Having locked users out of their files, the attackers demanded payment in the form of the virtual currency Bitcoin in order to decrypt them to regain access, as has now become typical of these types of attacks. The amount asked for per attack was $300 in bitcoin with a three-day expiry date, after which the payment demand would be doubled. A screen message on victims’ computers informed them that should no payment be received within seven days then the encryption key would be deleted and the files lost forever. Bitcoin has a public ledger that records all transactions that are made, and to date there are reports of just over 200 victims of the attack having paid the ransom, which has amounted to less than US$60 000 for the criminals. This Friday will be D-day, though, when the encryption keys purportedly get deleted due to non-payment, and all eyes will be on these ledgers to see how much was paid in total.
To date, there are reports of less than a hundred victims of the attack having paid the ransom, according to analyses of the bitcoin addresses used for demanding the payments.
It hasn’t been a good year thus far for many businesses as initially their employees returned to work at the beginning of the year only to discover that they had been locked out of their computers and company databases had been encrypted. Demands for large payments to be made, typically in the form of untraceable bitcoin in order to regain access, then inevitably followed. When payments were made by those who decided to take their chances and pony up the money in an attempt to continue doing business as usual, some of them were then advised that the amount had subsequently increased.
“We’ve recently witnessed a major surge in ransomware attacks as an unprecedented number of organisations have approached us to help them secure their servers and networks against malware”, comments Grant Chapman of local data security provider Camsoft Solutions. “There are still many companies out there with inadequate or no protection against malware and unaware of the dire consequences. This, together with a general naivety that it might never happen to them, is going to result in many more unfortunate organisations having to pay the price in more ways than just the money. Those affected will also not be restricted to large corporations which usually try and keep knowledge of an attack a secret, knowing what the reputation damage and other fallout could be. When these organisations report that they are wiping clean all their servers and computers and reinstalling all their software from scratch it’s fairly obvious what has transpired. Some companies have even had to resort to reinstalling databases and mail servers that are over a year old after not keeping off-site backups. And then others who left backup devices connected to their servers at the time of the attack have had all their current backups encrypted as well. Regaining access to infected files by paying the ransom is also very risky because the malware is still resident on the infected machines and can very easily be re-activated for yet another ransom demand,” adds Chapman.
Ransomware has become big news in the US and elsewhere in the world and it was only a matter of time before South Africa started becoming a target too. Ransomware attacks worldwide doubled in the last two quarters of 2016, indicating just how lucrative the practice is, with the FBI estimating that profits related to ransomware exceeded a billion dollars last year.
“Usually, it is not so much the ransom itself, but business downtime and other consequences that will really disturb your business”, comments Eija Paajanen of F-Secure Corporation. “Paying the possible ransom will of course hurt. But what will probably hurt more are the other repercussions resulting from a successful ransomware attack. First, you have the lost business time. Think about an online store for example. Having your site down will have a direct effect on the bottom-line. The city of San Francisco was forced to give free rides to all commuters after ransomware hit their transportation system. A major target for ransomware continues to be hospitals and healthcare providers, as these latest attacks have highlighted. In addition to not being able to access patient data or sign in patients there will be other effects as well. Your IT staff has to spend a lot of their valuable time searching for the problems, isolating them and trying to fix them. In many cases, it is not just the infected computers that are rendered powerless, but also other devices need to be pulled down from the network to avoid further damage. Meanwhile, most of your employees will not be able to work and you face quite significant productivity losses, regardless of whether you pay the ransom or not. Secondly, there is the possible loss of critical data. In some cases, we have seen customers successfully back up their financial data, but not other business-critical assets. For a design agency, for example, the loss of their image and design files would be unbearable. Coming back to hospitals and other medical practices, the welfare of patients could be severely compromised by not knowing what medications or treatments they required or what their medical history was, should their data disappear. Thirdly, coming back to the potential loss of patient data, the problems that you might face with your operations are not the full story either.
Privacy laws and regulations are pretty strict when it comes to personal data and the probability of facing penalties is high. As for financial data, there are other laws governing the obligations to keep archives for several years. Therefore, if a ransomware attack makes you lose the data for, let’s say even the current quarter, you would face a huge task to restore the data to be prepared for a possible audit two years later…”
One key element of protecting an organization against ransomware and other malware attacks is security awareness training, which is key to preventing employees from clicking on phishing links in e-mails or giving out confidential information like passwords during vishing attempts (voice phishing over the phone). So, what should you do if and when you find out that your organization has been hit by ransomware? Here’s some advice from Andy Patel, one of the security experts at F-Secure: “If your organization has been hit by crypto-ransomware, stop, take a breath, and respond to the incident in a level-headed manner. You’re going to want to start by isolating and remediating affected machines before restoring data from backups, and ensure that you have the right protection on your network to prevent it happening again. Make sure you don’t restore the original infection vector during that process. And when your systems are back up and running, remember to kick off a root cause analysis. Learn from the experience and improve your processes and systems in order to avoid future infections, keeping your data security software updated regularly. The more prepared your organization is for the eventuality of a crypto-ransomware attack, the less likely you’ll end up panicking and doing something that could be more damaging.” It has been reported that many of those paying the ransom in these latest attacks didn’t regain access to their data. Although obviously not good for those affected, this is possibly good for combating the scourge of ransomware attacks. If the attackers don’t release access to data after receiving the demanded payments, fewer people will be likely to pay up in future, which means that eventually the monetary reward for attacks will diminish to the point where it won’t be worth carrying out an attack. Unless, of course, the attack is purely for malicious intent, although such attacks have historically been far fewer and tended to be less widespread.
Not paying ransom demands is a step in the right direction for curbing future attacks, whichever way you look at it.
“We’re also seeing a major shift towards hosted data due to the highly sophisticated threat environment that exists currently”, comments Chapman. “Hosted servers can be protected against malware with the likes of F-Secure’s Endpoint protection by a team of specialists who take responsibility for ensuring that the servers always have the latest updates, are backed up off-site and monitored for any untoward activity. They aren’t connected storage devices, which are still susceptible to attacks, and the connections between users and the server can be encrypted with SSL security. Outsourcing the responsibility for your data to experts who make it their business to safeguard it makes a lot of sense. There is also a reduced likelihood of infection from malware such as that used for ransomware attacks because sophisticated firewalls help prevent security breaches, caused for example by employees inadvertently initiating attacks by clicking on attachments in phishing e-mails. Whilst it is difficult to ensure that all IT resources are 100% protected against any potential threat, given the constantly changing nature of the threat landscape, there are tools available to minimize threats and stay ahead of the game and one should use these tools wherever possible.”
If you wish to assess your current capabilities to handle ransomware attacks – or any other type of malware attack for that matter – please check out F-Secure’s practical handbook for endpoint protection. It will give you the tools to assess your current capabilities, give guidance on best practices and help evaluate the most critical requirements for an endpoint protection solution that can stop ransomware and other malware in its tracks.