It doesn’t matter who you are, what your position is, or the size of the company you work for: you never want to receive that phone call saying that your company has been hit by a ransomware attack. Most IT departments and staff do their very best to protect their network from attacks by regularly patching, installing firewalls and intrusion detection systems, segmenting their network, and performing vulnerability assessments, but the real truth is that an external threat is going to find its way inside your network in some form in the near future.
Though the majority of the news stories today focus on the significant breaches within large companies, damaging incidents at small to mid-size companies are just as prevalent. The issue faced by small and mid-sized companies is that the budgets for IT security are often small and the number of IT staff and support is often even smaller.
Very recently I received a call from a close friend who asked for assistance because his company had been the victim of a ransomware attack. The hacker had locked staff out of all significant business applications and had compromised the physical backup tapes and the online backups, leaving IT staff with no safe backup to restore. The attacker sent a pointed email asking for a small sum of money in the form of Bitcoin.
Obviously there were numerous questions running through my friend’s mind: (1) What are bitcoins? (2) I don’t have any bitcoins, but even if I had some should I hand them over? (3) What other options do I have? (4) How can I avoid being in this position in the future?
My friend was in uncharted territory and found himself frantically trying to resolve the issue in order to get operations back up and running quickly. I tried to give him a little insight, starting with his first question: what are bitcoins? Bitcoin is a form of currency that uses cryptography to implement the transfer of funds, making it independent of banking institutions and resistant to formal regulation. A Bitcoin payment is made between two parties, with a digital public register, called a ‘blockchain,’ verifying the validity of each transaction. The authenticity of the transaction is protected by a digital signature attached to each user’s sending address. There are few legal protections for these transactions, however, and nothing to guarantee that service or data will be restored upon payment. There are no refunds or reversals for transactions. Paying an attacker in Bitcoin for a ransom is a “Hail Mary pass” that is only explored by victims as a last resort, when their preparation did not allow them to independently recover from the attack.
In my friend’s case, he had no data recovery plan or readable back-ups safely stored away; therefore, he was left with no other option. So, he went through an arduous and unfamiliar process to set up a bitcoin wallet, obtain bitcoins via an exchange, and then make payment. Luckily, after making the payment, the hacker did pass along the key to unlock their system. This could have gone worse, with no response from the attacker, leaving my friend with no data and a few hundred dollars poorer. It could have also gone better, had preparations been made ahead of the attack.
This story offers up some lessons for IT personnel in businesses of all sizes. First, be prepared! We say it all the time: it is no longer a question of “if” but “when.” Good preparation starts with a solid backup policy. Periodically test your system backups to ensure readability and to keep IT personnel familiar with the process. Most companies have a bad habit of only testing their backups once a year during a disaster recovery test or when an employee loses his/her important files. Periodic backup testing helps to ensure that tapes are not corrupted and may help to point out potential unauthorized activity.
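The backup test described above can be made routine rather than annual. The following script is an added example (not code from the original article) that does a trial restore of an archive into a scratch directory and compares every restored file against a SHA-256 manifest recorded when the backup was taken. It reports archives that cannot be read at all, files that are missing, and files whose contents no longer match, which is how both media corruption and content scrambled before the backup job ran show up. The archive format (tar.gz), manifest format (JSON), and the sample file-server contents are assumptions constructed for the demonstration.

```python
"""Backup verification: trial-restore an archive and check every member against a
SHA-256 manifest recorded at backup time. Added example; sample data is constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, archive: Path, manifest: Path) -> dict:
    """Archive source_dir into a .tar.gz and write {relative path: sha256} beside it."""
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return hashes


def verify_backup(archive: Path, manifest: Path) -> dict:
    """Restore into a scratch directory and compare the result against the manifest.

    Report keys: 'unreadable' (set when the archive cannot be opened or extracted),
    'missing' (in manifest, absent from archive), 'mismatch' (hash differs),
    'unexpected' (in archive, absent from manifest), 'ok' (count of verified files).
    """
    expected = json.loads(manifest.read_text())
    report = {"unreadable": None, "missing": [], "mismatch": [], "unexpected": [], "ok": 0}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The "data" filter refuses members that would escape the target
                    # directory (Python 3.12+ and security backports).
                    tar.extractall(root, filter="data")
                except TypeError:
                    tar.extractall(root)  # interpreter without the filter argument
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["unreadable"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = {p.relative_to(root).as_posix(): sha256_file(p)
                    for p in root.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"] += 1
    report["missing"].sort()
    report["mismatch"].sort()
    report["unexpected"] = sorted(set(restored) - set(expected))
    return report


def run_demo() -> dict:
    """Constructed scenario: a good backup, a backup of altered data, and an unreadable tape."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"                       # constructed sample file server
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (src / "readme.txt").write_text("quarterly close procedures\n")

        create_backup(src, tmp / "mon.tar.gz", tmp / "mon.json")
        clean = verify_backup(tmp / "mon.tar.gz", tmp / "mon.json")

        # Next day one file holds unreadable bytes (media bit rot, or content scrambled
        # before the job ran). Checking against the last known-good manifest surfaces it.
        (src / "finance" / "ledger.csv").write_bytes(b"\x8f\x11\xa3" * 20)
        create_backup(src, tmp / "tue.tar.gz", tmp / "tue.json")
        drift = verify_backup(tmp / "tue.tar.gz", tmp / "mon.json")

        # A "tape" that is not a gzip stream at all: the restore test must fail loudly.
        (tmp / "bad.tar.gz").write_text("not an archive")
        unreadable = verify_backup(tmp / "bad.tar.gz", tmp / "mon.json")
    return {"clean": clean, "drift": drift, "unreadable": unreadable}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the manifest is written at backup time and kept somewhere the backup job's own credentials cannot modify; comparing each new backup against the previous known-good manifest turns a sudden jump in the `mismatch` count into the early warning the paragraph above describes, while a non-empty `unreadable` field is the corrupted-tape case caught before a real restore depends on it.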
Second, implement sufficient network security and perform periodic advanced internal and external penetration testing to help point out those vulnerable areas that external hackers and internal threats might attempt to compromise.
Finally, have an incident response plan that involves professionals. Anyone who has been a victim of ransomware can tell you that it is important to act quickly. A team of incident response professionals can quickly help you get back up and running while also identifying what happened in order to avoid falling victim a second time.
Time really is money, and a company can’t afford to be down for a significant period of time as a result of being locked out of its systems. Being prepared and having a plan to handle digital ransom scenarios is becoming more and more important in this ever-evolving digital age.