Cyber attack

Not the NHS but your business

The 2017 WannaCry and Petya global ransomware attacks have made companies, large and small, realise that they need to be vigilant and have proactive measures in place to protect themselves against this form of malware. The first Zhero feature takes a look at a small to medium-sized business (SMB) that was unprepared for the very worst that cybercrime has to offer.

An SMB falls prey

Luke is the CEO of a medium-sized creative marketing agency located in Central London. Luke arrived bright and early one morning, ready for another day of adventure at the office. This was one adventure that, in hindsight, would have been better termed a nightmare.

Luke had barely sat down with a latte when his PA buzzed. The PA urgently asked him to come over to his workstation. Luke wondered what, besides a client request or issue, could be so pressing. Arriving at the PA’s desk, he instantly identified the problem: the computer had fallen victim to ransomware.

He instructed his PA to remain calm and not to be intimidated by the threatening red screen with its two Doomsday clocks: one counting down until the ransom would be increased, the other a ticking bomb until all data would be lost. They rebooted the machine. In the pit of his stomach, Luke instinctively knew that this would not remedy the situation. He was right: the same screen and the same clocks reappeared, along with the £250 ransom demand to be paid in Bitcoin, and no amount of clicking or key pressing changed anything.

Soon cries of alarm were heard from all over the office. You guessed it – creative, marketing and administrative staff all sitting with the identical message in front of them: ‘Your files and data are encrypted.’ Nobody had access to email, client data, in-house documents or files stored in the cloud. To cut a long story short, business had come to an abrupt halt.

The two on-site IT support engineers were out of the office. One was on a training course, the other on leave. So what to do? Googling on his phone, Luke found the contact number of an on-call IT firm specialising in data loss and disaster recovery. After briefing one of their engineers about the problem, Luke gave a sigh of relief. The engineer assured him that he would be over within the hour and the company network would be up and running shortly thereafter.

One hour became two, then three and so on. By four o’clock, Luke was at his wit’s end. The phone lines had been ringing off the hook all day long. Disgruntled clients, potential clients, service providers all angry because they had not received the emails, data, files or documents that had been promised. On top of it, two of the creative staff had missed important client meetings; the calendars had failed to synchronise on their mobile devices. All in all, a day to be remembered for financial loss and loss of productivity. Not to mention how this underhand ransomware attack would impact on the long-term reputation of the company.

Why did it happen?

Ransomware is a remorseless form of malware: cybercriminals design malicious code to evade security solutions and to target vulnerabilities in software, PCs and networks. So, without getting too technical, take a look at how Luke’s network became infected, in a few simple steps that occurred in seconds:

1. Somebody received an email containing a malware attachment or a malicious link. The infection could also have originated from a malicious website, which used a security exploit to create a backdoor on a PC running vulnerable software.
2. Unwittingly, somebody either clicked on the link or downloaded and opened the attachment. A downloader (the initial payload) was then placed on the victim’s PC.
3. The downloader used a list of predefined domains to download the ransomware program. Cybercriminals controlled Command and Control (C&C) servers to push the program to a botnet; a botnet is a network of computers infected with malware without their owners’ knowledge.
4. Clicking on the link or downloading the attachment allowed the C&C servers to respond and send data, enabling the malware to encrypt the entire contents of the hard disk. Personal files and data stored in the cloud on synced accounts, such as Google Drive or OneDrive, were all rendered inaccessible and held to ransom.
5. The PC then froze on the warning screen with its Doomsday clocks and instructions on how to pay for decryption.

All the while, as Luke and his PA stood dumbstruck and in disbelief, the C&C servers were able to spread the infection throughout the whole network, rendering all files, emails, data and the operating system out of action.

The aftermath

The on-call engineer finally arrived with the excuse that he had had to attend to other clients who were having similar, urgent issues caused by ransomware infections. Luke wasn’t concerned about other people’s problems; he only wanted to restore the company network and get his business back on track.

The engineer asked what backup system the company had in place. Luke wasn’t sure and called the in-house IT member who was on training. He had to leave a message on voicemail. When the call was returned, Luke discovered that the last full system backup had been made a week before. Frustrated and anxious, he explained the situation to the on-call engineer and then asked what the extent of the damage was. The engineer’s response was vague: he would do the best that he could, but there were no guarantees.

By the following afternoon, Luke and his team were back in business, but it was not business as usual. The engineer was only able to restore the network using historical backups. An attempt to use FileXRecovery software to recover data, files and emails from the last week was unsuccessful. In essence, Luke’s company had lost a week’s worth of work, had lost or put sensitive client and company information in jeopardy, and suffered a financial loss that would be difficult to quantify.

It didn’t end there. Luke and his staff were faced with the embarrassing prospect of contacting existing and potential clients, requesting them to resend documents and files. A handful of clients showed some degree of understanding; the majority were heartless, demanding to know how an IT breach of that magnitude had been allowed to happen. Some clients insisted on enhanced security for their data at no charge. Others left, permanently moving on to a company they believed they could trust.

Luke was lucky. The data retrieval and recovery processes were a success by comparison to what could have happened. Imagine a situation in which all company data was lost. What then? The combined impact of financial loss, non-existent client and company data and a seriously tarnished reputation would surely have meant closure for Luke’s business.

Be proactive

Considering Luke’s scenario, ransomware is clearly a threat not to be taken lightly. So how can you minimise the effects of a ransomware attack? Better still, how can you avoid infection in the first place?

Backups and updates are two keywords at the forefront of ransomware protection. With these procedures in mind, the best reassurance for your company not to fall victim to a ransomware attack is to team up with a Managed Service Provider (MSP). A reliable MSP will use extensive technical knowledge and expertise to maintain and monitor your entire IT infrastructure, including antivirus and malware protection.

Using an MSP means that all your data and files are backed up through virtualisation technology and cloud computing. Backup is automated, so you needn’t worry about when and who will do the work. The MSP can arrange to make two backups, a virtual one and another on an external drive. MSPs also provide the latest software updates and security patches, so your operating system and network will be secure from hacking.
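The lesson of Luke’s story is that a backup nobody checks is only discovered to be a week old, or unreadable, on the day it is needed. Below is an added example of the kind of daily check a defender would schedule to catch that in advance: it verifies each backup copy against the digest recorded when it was written, then confirms that a verified copy in each location (the virtual copy and the external drive mentioned above) is newer than a recovery point objective. This is illustrative code, not Zhero’s or any MSP’s tooling; the catalogue records, the archive bytes and the 24-hour RPO are constructed, and the record layout is an assumption.

```python
# Added example (not from the Zhero feature or an MSP product): a backup
# freshness and integrity check that flags a stale or corrupted backup before
# it is needed rather than after the ransomware screen appears.  The catalogue
# records, archive bytes and the 24-hour RPO below are all constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRecord:
    label: str
    finished_at: datetime   # when the full backup completed (UTC)
    location: str           # "primary" (virtual/cloud copy) or "offline" (external drive)
    sha256: str             # digest recorded when the archive was written
    archive: bytes          # archive contents; in practice read back from the media


def verify_archive(record: BackupRecord) -> bool:
    """True if the archive still hashes to the digest recorded at backup time."""
    return hashlib.sha256(record.archive).hexdigest() == record.sha256


def assess_backups(records, now, rpo=timedelta(hours=24)):
    """Return human-readable findings; an empty list means both copies are
    verified and within the RPO.  Copies that fail verification are reported
    and then ignored, since a backup that does not verify cannot be relied on."""
    findings = []
    verified = []
    for r in records:
        if verify_archive(r):
            verified.append(r)
        else:
            findings.append(f"{r.label}: digest mismatch, archive may be corrupted or tampered with")
    for location in ("primary", "offline"):
        copies = [r for r in verified if r.location == location]
        if not copies:
            findings.append(f"no verified {location} backup exists")
            continue
        newest = max(copies, key=lambda r: r.finished_at)
        age = now - newest.finished_at
        if age > rpo:
            findings.append(
                f"newest verified {location} backup ({newest.label}) is "
                f"{age.days} days old, exceeds RPO of {rpo}"
            )
    return findings


def constructed_catalogue():
    """Two constructed records mirroring the story: the last good full backup
    is a week old, and the only newer copy fails verification."""
    good_bytes = b"constructed archive contents: week-old full backup"
    newer_bytes = b"constructed archive contents: newer offline backup"
    return [
        BackupRecord(
            label="full-2017-09-05",
            finished_at=datetime(2017, 9, 5, 2, 0, tzinfo=timezone.utc),
            location="primary",
            sha256=hashlib.sha256(good_bytes).hexdigest(),
            archive=good_bytes,
        ),
        BackupRecord(
            label="full-2017-09-11",
            finished_at=datetime(2017, 9, 11, 23, 0, tzinfo=timezone.utc),
            location="offline",
            sha256=hashlib.sha256(newer_bytes).hexdigest(),
            # one altered byte models media corruption or tampering
            archive=newer_bytes[:-1] + b"X",
        ),
    ]


def run_check(now=datetime(2017, 9, 12, 9, 0, tzinfo=timezone.utc)):
    """Run the check against the constructed catalogue at a constructed 'now'."""
    return assess_backups(constructed_catalogue(), now)


if __name__ == "__main__":
    for finding in run_check():
        print("FINDING:", finding)
```

Run daily, a non-empty result is what should page the on-call engineer: in the constructed case it reports the corrupted offline copy, the week-old primary copy exceeding the RPO, and the absence of any verified offline copy. Verifying against the digest recorded at write time matters because ransomware that reaches a connected backup drive will leave the files present but unreadable, which a simple "does the file exist" check would miss.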

An added benefit of partnering with an MSP for your equipment and data protection is the availability of a 24/7 Help Desk. The Help Desk is designed to support end users, both clients and employees. In the unlikely event of a ransomware attack, the Help Desk is available with close to zero response time.

The MSP can help to educate and train your staff about web security and protocol: for example, not to open emails from unknown senders, not to download and open suspicious attachments, and not to access potentially dangerous websites through the network. Moreover, the MSP will ensure that you have reputable antivirus and malware products in place that include an automatic update module. The MSP will also implement traffic-filtering solutions that provide proactive anti-ransomware protection.

Had Luke taken an MSP on board, he would have avoided the almost crippling consequences stemming from his ransomware attack. You might think that paying the ransom would have been the solution. Unfortunately, it’s not. Lost data cannot be retrieved. When it’s gone, it’s gone.

Breaking news

Equifax is one of the largest credit reporting companies in the world. In July 2017, Equifax joined the ranks of ransomware victims. Hackers had access to personal details of an estimated 143 million individuals in the United States. Data included Social Security numbers, birthdates, addresses and credit card numbers, all of which can be used to commit identity theft.

Now here’s the really bad news: From an unnamed site on the Darkweb, hackers have demanded a payment in excess of £2 million. If Equifax fails to meet this demand by 15 September 2017, the hackers have stated they will publicise the data. The hackers wrote, ‘We are two people trying to solve our lives and those of our families. We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible.’

Equifax’s security breach is possibly the largest cybercrime involving Social Security numbers. Since the company is in the business of providing detailed financial profiles on individuals, SMBs and corporations, the data breach put Equifax in a precarious position. A class action suit has already been filed against Equifax. The claimants seek fair compensation for negligence and for failing to maintain adequate IT safeguards. This litigation may be the first in a long line of headaches for the multinational corporation.