Ransomware

A sight no-one wants to see on their computer

Sounding like a poorly-conceived 1980s movie, ransomware is the latest scourge to hit businesses and their IT. Unfortunately, it can have a devastating effect on companies and, in some cases, shutter them completely.

Over time, criminals using ransomware have changed their extortion tactics. Early attacks encrypted hard drives; now attackers are more likely to capture data and threaten to release it onto the Internet, or to disrupt critical business processes. As the scale of the attack increases, so do the ransom amounts.

Recent breaches such as the Colonial Pipeline attack, which nearly halved the oil flowing through the US East Coast, show the reality of ransomware attacks. They’re not limited to large and wealthy enterprises – the recent attack on Irish hospital IT systems shows the impact these attacks can have. Furthermore, despite the Irish government receiving a tool from the criminals to decrypt the servers, the attack was still causing significant disruption over two weeks later.

Knock, knock

The bad actors who carry out ransomware attacks typically either use social engineering or exploit weaknesses in IT infrastructure (often arising through lack of patching). A popular target has been poorly-maintained VPN access – which is particularly troubling for IT administrators given the number of employees working remotely due to the pandemic. Once the bad actors have gained access, they will move laterally within a network and compromise further systems and data.

In troubling recent developments, attackers are increasingly targeting local storage snapshots and backups in data centres and the cloud, to further reduce the chance of systems being restored.

Refractis works extensively in infrastructure deployments, and we have the following advice both to reduce the chance of ransomware and to deal with it should it happen.

Be prepared

The right preparation for a ransomware attack can save you and your business time when it’s most critical. In most cases, the steps are not too onerous nor difficult to carry out. We’ve put together the following practical checklist to help you:

  1. What?

    • In conjunction with the business users, identify the most valuable IT systems and data to your business and record them within a register. Ask yourself the question: “Which systems and data do we absolutely need to keep our business running?”. In answering this question, you should also consider different timelines as businesses often have systems which aren’t used every day – but are critical to quarterly reporting.

    • Identify your critical physical assets and log them in a register. Examples of this might include hardware security modules, backup tapes and communications connectivity.

  2. Where?

    • Where are the assets (geographically and physically), systems and data that you identified?  

    • Could you direct someone to exactly where they are and how they are accessed (including out of hours access phone numbers, protocols and site managers)?

  3. How?

    • Maintain offline, encrypted backups of data and systems, and test these backups regularly. Your backups should be kept offline because criminals are targeting accessible backups for deletion. If you have old, on-premises infrastructure, make sure that spare hardware is available to restore onto, since newer hardware often lacks support for old operating systems.

    • Retain the source code, or source media, to use for restoration of systems (which could include code in escrow for some commercial products).

    • Create, maintain and exercise a cyber incident response plan.  

    • Use a reputable supplier to conduct external vulnerability tests. These can be supplemented with in-house capabilities and scanning tools – but there’s no substitute for experts.  

    • Ensure all devices, operating systems and software are freshly patched – especially those facing directly onto the Internet.

    • Make it difficult, through the use of firewalls and other mechanisms such as bastion hosts, to move from non-operational to operational areas of the network – to hinder attackers’ ability to move within your network.
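One practical way to make the "test your backups regularly" step concrete is to record a digest manifest when the backup is taken, keep it offline alongside the backup, and check a restored copy against it before trusting it. The script below is an added example written for this post, not a Refractis tool or part of the original article; the directory layout and file names it creates are constructed for illustration.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example (not from the original post). The manifest is written when
the backup is taken and stored offline with it. Verifying a restored tree
against the manifest confirms that every file is present and unchanged,
and surfaces the three things ransomware or a failed restore produce:
altered content, missing files, and files that were never backed up.
All paths and file names below are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file (relative to backup_root) to its digest and size."""
    manifest = {}
    for path in sorted(p for p in backup_root.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_manifest(restore_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against a manifest and report differences."""
    current = build_manifest(restore_root)
    changed = [p for p in manifest
               if p in current and current[p]["sha256"] != manifest[p]["sha256"]]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return {"changed": changed, "missing": missing, "unexpected": unexpected,
            "ok": not (changed or missing or unexpected)}


def save_manifest(manifest: dict, out_path: Path) -> None:
    """Write the manifest as JSON; store this file offline with the backup."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path: Path) -> dict:
    return json.loads(in_path.read_text())


def simulate_restore_check() -> tuple:
    """Constructed end-to-end run: clean verification, then a damaged restore.

    Returns (clean_report, damaged_report). The damage mimics what a
    ransomware run on the restore target would leave behind: one file
    overwritten, one deleted, one new file with an unfamiliar extension.
    """
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "db").mkdir()
    (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
    (root / "config.yml").write_bytes(b"region: eu\n")

    manifest_path = root.parent / (root.name + ".manifest.json")
    save_manifest(build_manifest(root), manifest_path)
    manifest = load_manifest(manifest_path)
    clean = verify_manifest(root, manifest)

    (root / "config.yml").write_bytes(b"\x00\xffgarbage")   # overwritten content
    (root / "db" / "orders.sql").unlink()                  # deleted file
    (root / "config.yml.locked").write_bytes(b"x")         # file not in the backup
    damaged = verify_manifest(root, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = simulate_restore_check()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Run the verification from a host that is known-good and that has never had write access to the backup media; a manifest that sits writable next to the backup can be rewritten by the same actor that alters the files.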

The canary in the coalmine

You may see some early signs of a ransomware attack in progress, such as positive malware detections – which may themselves be signs of an earlier network compromise.

Should you suspect that you are indeed under attack, there are two steps you should take immediately:

  • Isolate the impacted systems. Ideally, use network switches to provide the isolation – it’s quicker than unplugging cables in a data centre. If you can’t isolate the systems, then turn them off (to avoid the further spread of the ransomware infection).  

  • Triage the impacted systems for restoration and recovery. Identify the critical systems (based on the list you created in the “Be prepared” section), paying particular attention to those for health & safety, revenue generation or other critical functions; don’t forget to include dependent systems, too.
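The triage step is easier under pressure if the register from the "What?" step already records what each system depends on. The following added example (written for this post, not a Refractis tool or part of the original article) assumes that register is held as a list of records with a criticality tier and a dependency list; the system names are constructed. It answers two questions the step raises: which other systems are affected when a given one is compromised, and in what order to restore everything so that nothing is brought up before the systems it needs.

```python
"""Restoration ordering and impact expansion from a critical-systems register.

Added example, not part of the original post. The register format
(name, tier where 1 restores first, depends_on) and the system names
are assumptions made for this illustration.
"""
from collections import defaultdict
import heapq

# Constructed sample register. "depends_on" lists the systems that must be
# running before this one is useful, e.g. an application needs its database
# and the directory service it authenticates against.
REGISTER = [
    {"name": "active-directory", "tier": 1, "depends_on": []},
    {"name": "patient-records-db", "tier": 1, "depends_on": ["active-directory"]},
    {"name": "patient-records-app", "tier": 1,
     "depends_on": ["patient-records-db", "active-directory"]},
    {"name": "billing-db", "tier": 2, "depends_on": ["active-directory"]},
    {"name": "billing-app", "tier": 2, "depends_on": ["billing-db"]},
    {"name": "quarterly-reporting", "tier": 3,
     "depends_on": ["billing-db", "patient-records-db"]},
]


class DependencyCycleError(ValueError):
    """Raised when the register's dependencies loop back on themselves."""


def _dependents_index(register):
    """Invert depends_on: for each system, the systems that rely on it."""
    dependents = defaultdict(list)
    for record in register:
        for dep in record["depends_on"]:
            dependents[dep].append(record["name"])
    return dependents


def impacted_by(register, impacted):
    """Expand impacted systems to everything that depends on them, transitively.

    Used during triage so dependent systems are not forgotten: if a database
    is down, every application and report built on it is impacted too.
    """
    dependents = _dependents_index(register)
    seen = set(impacted)
    queue = list(impacted)
    while queue:
        for child in dependents[queue.pop()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen)


def restoration_order(register):
    """Return system names in the order they should be restored.

    Kahn's algorithm with a priority queue keyed on (tier, name): at every
    step restore the most critical system whose dependencies are already
    back. A dependency that names a system missing from the register is
    reported so the register can be corrected before it is needed.
    """
    by_name = {r["name"]: r for r in register}
    unknown = sorted({d for r in register for d in r["depends_on"] if d not in by_name})
    if unknown:
        raise KeyError(f"dependencies missing from register: {unknown}")

    indegree = {name: len(r["depends_on"]) for name, r in by_name.items()}
    dependents = _dependents_index(register)
    ready = [(by_name[n]["tier"], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)

    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (by_name[child]["tier"], child))

    if len(order) != len(register):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise DependencyCycleError(f"cyclic dependencies among: {stuck}")
    return order


if __name__ == "__main__":
    print("impacted if billing-db is hit:", impacted_by(REGISTER, ["billing-db"]))
    print("restoration order:", restoration_order(REGISTER))
```

Keep a printed copy of the register and of the computed order with the incident response plan; the point of the exercise is that the ordering is decided before the systems that would normally hold the register are themselves unavailable.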


Refractis has experience of helping clients with their ransomware preparation as well as those in the midst of recovering their systems. Contact us at enquiries@refractis.com if you’d like to discuss how you best avoid the impact of a ransomware attack.  
