Whether for substantial financial gain or to create social or political disorder, cyber-attacks are increasing in prevalence, severity and disruption. According to Bitdefender's 2020 Threat Landscape Report, the total number of global ransomware reports increased by 485% compared to the previous year.
Like any business that scales, hackers are operating with greater efficiency and creating new ways to implement crueller attacks. Leakware provides a new form of intimidation whereby the criminals threaten to publish highly sensitive data on the internet.
Nation-state attacks are increasing, with aggressive data wipers deployed through software vulnerabilities. The NotPetya attack in 2017 affected thousands of multinationals in 60 countries, including the global logistics giant Maersk.
Recent ransomware attacks.
When it comes to the most common form of cyber-attack, ransomware, the demands are escalating into the millions. The average cost of remediation has doubled, rising to $1.85 million in 2021. In the largest attempt recorded, cyber-criminals demanded $50 million to release the decryption key.
In May 2021, the Colonial Pipeline attack resulted in a complete shutdown of operations for 6 days, affecting six states. As the pipeline supplies almost 50% of the fuel to the east coast, the ransomware attack saw fuel stations running dry, huge queues of panic buyers and the highest fuel prices for seven years. The FBI confirmed that DarkSide ransomware had been used to access administrative and finance systems. To restore operations as quickly as possible, Colonial paid the 75-bitcoin ransom – the equivalent of US$5 million.
Increasingly, hackers are becoming big-game hunters – bigger companies are well insured and able to pay higher demands. In July 2020, Garmin was hit by a new strain of ransomware, WastedLocker. It encrypted internal systems and shut down consumer-facing services, including Garmin Connect and Strava. Garmin paid the $10 million ransom to Russia's Evil Corp, a cyber-crime organisation known to target Fortune 500 companies and financial institutions.
But it's not all about insurance and bigger budgets. Often under-funded and under-resourced, the healthcare sector is highly at risk, with far more at stake than money. Opportunistic attackers know that such organisations will pay, even if the ransom is set lower, rather than put lives in danger. In 2020, 85% of successful ransomware attacks targeted a healthcare sector that already had bigger problems to deal with.
According to Sophos, 48% of UK organisations were hit by ransomware attacks in 2020. Even those with anti-malware software are not protected. It's estimated that 75% of victims were running up-to-date endpoint protection on their infected machines.
Much coverage of cyber-attacks focuses on prevention. However, with attacks increasing in frequency and sophistication, what do you do in the immediate aftermath of discovering a cyber-attack?
Detect. Protect. Recover.
1 – Isolate.
If your computer screen suddenly turns red, you might instinctively reach for the power button. However, in doing so, you can destroy important evidence. Reported incidents help law enforcement agencies understand criminal activity; they may also help other organisations in the same predicament. Not only is reporting a legal requirement; enforcement agencies can also offer practical guidance. The Information Commissioner's Office isn't just there to issue fines.
By far the most important action is to immediately disconnect the device from the network. Unplug the Ethernet cable and remember to disable the Wi-Fi. This prevents information being fed back to the criminals and the deployment of further malicious code. It will halt lateral movement – fast-moving cryptoworms, like NotPetya, seek connections with other devices and spread rapidly, destroying data.
Ensure you separate all infected devices, shared storage, external hard drives and cloud storage from the network. Segmentation between IT and operational technology (OT) is key when containing an attack.
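Preserving volatile evidence and then isolating a Linux host, as an added example that is not part of the original article: it records the live TCP connection table, ARP cache and routes to an evidence directory before taking the interfaces down, so the evidence the text warns about losing survives without a power-off. It assumes a Linux host (the /proc/net/tcp layout and the ip and rfkill utilities) and root privileges when run outside dry-run mode; the sample /proc/net/tcp text is constructed for the example.

```python
"""Snapshot volatile network evidence, then take the host off the network.

Added example, not code from the original article. Assumes a Linux host
(/proc/net/tcp, /proc/net/arp, `ip`, `rfkill`) and root when dry_run=False.
"""
from __future__ import annotations

import json
import subprocess
import time
from pathlib import Path

# TCP state codes as printed in /proc/net/tcp (include/net/tcp_states.h).
TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}

# Constructed sample in the real /proc/net/tcp layout: one sshd listener and one
# outbound HTTPS session from 10.0.2.15 to 203.0.113.5 (a documentation address).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2C4 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr: str) -> str:
    """'0100007F:0016' -> '127.0.0.1:22'. The kernel prints the IPv4 address as a
    host-order 32-bit hex value, so on little-endian hosts the octets read reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return "%d.%d.%d.%d:%d" % (*octets, int(port_hex, 16))


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn /proc/net/tcp text into records of local, remote, state, uid and inode."""
    records = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        records.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "uid": int(fields[7]),
            "inode": fields[9],                 # ties the socket back to a process via /proc/*/fd
        })
    return records


def _read_if_present(path: Path) -> str:
    return path.read_text() if path.exists() else ""


def _run_if_available(cmd: list[str]) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def snapshot_volatile_state(evidence_dir: Path, proc_net_tcp_text: str | None = None) -> Path:
    """Write a timestamped JSON snapshot of live connections, ARP cache and routes
    into evidence_dir and return its path. Run this BEFORE unplugging: the
    connection table is gone the moment the link goes down."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    text = proc_net_tcp_text if proc_net_tcp_text is not None else Path("/proc/net/tcp").read_text()
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    record = {
        "captured_at": stamp,
        "tcp": parse_proc_net_tcp(text),
        "arp": _read_if_present(Path("/proc/net/arp")),
        "routes": _run_if_available(["ip", "route"]),
    }
    out = evidence_dir / f"volatile-{stamp}.json"
    out.write_text(json.dumps(record, indent=2))
    return out


def isolation_commands(interfaces: list[str]) -> list[list[str]]:
    """Commands that cut wired and Wi-Fi connectivity without a power-off,
    so memory and disk contents survive for the investigation."""
    cmds = [["ip", "link", "set", iface, "down"] for iface in interfaces]
    cmds.append(["rfkill", "block", "wifi"])     # silence Wi-Fi radios as well
    return cmds


def isolate_host(interfaces: list[str], evidence_dir: Path, dry_run: bool = True):
    """Snapshot first, then isolate. With dry_run=True the commands are only returned."""
    snapshot = snapshot_volatile_state(evidence_dir)
    cmds = isolation_commands(interfaces)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return snapshot, cmds


if __name__ == "__main__":
    # Dry run over the constructed sample so the flow can be read offline.
    for rec in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(rec)
    print(isolation_commands(["eth0", "wlan0"]))
```

The snapshot is the cheap part of the evidence picture; a full memory capture would come before isolation too if tooling is on hand. Interface names (eth0, wlan0) vary per host, so list them from `ip link` first, and keep the evidence directory on local disk rather than a network share, since that share is about to become unreachable.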
2 – Identify.
Qualify the alert by asking, who, what, where, when, why, and how?
Without a solid understanding of how the attack occurred, you have less chance of recovery. What type of attack is it? Is it an infection? A hack to steal data? What about a malicious insider?
Is there more than one entry point? If a phishing attack is reported, did others open the attachment? Could this actually be an isolated incident? You don’t want to implement an unnecessary global shutdown.
Document what is happening and use a ransomware identifier tool to classify the strain. How does it spread? What files does it encrypt? Is malicious code likely to reside in multiple locations on your system? Always ensure this research is undertaken on an uninfected network.
Once you know exactly what you’re dealing with you can coordinate an appropriate response.
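One way to produce the artefacts the identification step needs, as an added example that is neither the article's code nor any identifier service's: it walks a read-only copy of the affected share on a clean machine, hashes any ransom notes it finds, counts which extension the strain appended and flags files whose content entropy indicates encryption. The note-name patterns, the skipped compressed formats, the 7.5 bits/byte threshold and the constructed sample directory are all assumptions of this example.

```python
"""Offline triage of a ransomware-affected directory tree.

Added example, not code from the original article or any vendor's tool.
Run it on a clean analysis machine against a read-only copy of the affected
share. The note-name patterns, the skipped compressed formats and the entropy
threshold are heuristics chosen for this example, not published indicators.
"""
from __future__ import annotations

import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom notes are usually dropped as small text/HTML files with names like these.
NOTE_NAME = re.compile(r"(readme|decrypt|restore|recover|how[_\- ]?to)", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
# Already-compressed formats are high-entropy by nature and would be false positives.
COMPRESSED = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext sits near 8, plain documents far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Summarise what the strain did: which ransom notes it dropped (hashed for
    lookup in an identifier service), which extension it appended and how many
    files look encrypted. Only the first sample_bytes of each file are read."""
    notes, encrypted_by_ext, examples, files_seen = [], Counter(), [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        files_seen += 1
        suffix = path.suffix.lower()
        if suffix in NOTE_SUFFIXES and NOTE_NAME.search(path.name):
            notes.append({"path": str(path.relative_to(root)), "sha256": sha256_file(path)})
            continue
        if suffix in COMPRESSED:
            continue
        with path.open("rb") as f:
            head = f.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted_by_ext[suffix or "<none>"] += 1
            if len(examples) < 3:
                examples.append(str(path.relative_to(root)))
    dominant = encrypted_by_ext.most_common(1)
    return {
        "files_seen": files_seen,
        "ransom_notes": notes,
        "encrypted_by_extension": dict(encrypted_by_ext),
        "likely_appended_extension": dominant[0][0] if dominant else None,
        "encrypted_examples": examples,
    }


def build_sample_case() -> Path:
    """Constructed fixture: three 'encrypted' documents (random bytes with .locked
    appended), one untouched text file, one photo and one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "finance").mkdir()
    for name in ("q1.xlsx", "q2.xlsx", "board.docx"):
        (root / "finance" / f"{name}.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "notes.txt").write_bytes(b"Quarterly summary: revenue up 3%.\n" * 120)
    (root / "photo.jpg").write_bytes(os.urandom(4096))
    (root / "HOW_TO_RESTORE_FILES.txt").write_text("Your files are encrypted. Contact us.\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_case()), indent=2))
```

Identifier services generally ask for a ransom note and a sample encrypted file, which is exactly what `ransom_notes` and `encrypted_examples` point you to. One caveat for real runs: modern Office documents are zip containers and will read as high entropy, so either add their suffixes to COMPRESSED or lean on the appended-extension count, which is the more reliable signal of the two.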
3 – Communicate.
Open communication is vital in any cyber incident. Although it isn't the best news to break to senior management, it's critical that they are aware of the scale of the attack and that you work alongside them to devise an action plan.
Typically, hackers spend 30 to 90 days exploring a compromised system before they transfer data or install malicious code. Therefore, it's imperative that you do not alert the criminals to your discovery. They may be monitoring your network or telecoms system for signs of detection and mitigation, so use out-of-band communication channels, such as personal email or WhatsApp, which has end-to-end encryption.
Honesty and integrity are values that are highly regarded by today’s customers – be aware that open communication can actually reinforce your reputation in the wake of a crisis.
4 – Prioritise and plan.
Decisions taken in the first 24 hours can determine whether recovery is successful or not. The urgency of the situation can result in knee-jerk reactions and inadequate planning, which can bring further problems.
Plan your response operation carefully based on impact, urgency and operational priorities. What confidential data needs to be rapidly ring-fenced? Which systems need to be rebuilt first to ensure business can resume safely?
Assign roles to individuals and tackle one problem at a time. Try not to pull the entire team into regular meetings so they have adequate time and space to rebuild systems effectively. Humans under pressure make mistakes so the well-being of your team is paramount. They are your most important resource to coordinate a fast, effective response.
5 – Recover.
So, what are your ransomware recovery options?
Pay the ransom.
Law enforcement agencies and malware experts warn against payment, as it is known to increase the frequency of attacks. The Coveware quarterly ransomware report for Q1 2021 showed a marked increase in data destruction and data-wiping attacks – even after a ransom payment had been made.
Delete the infection with malware removal software.
Whilst removal software can have some success against known threats, total reliance on this process alone is one of the biggest ITAD mistakes when it comes to data security. Increasingly complex ransomware is always emerging, so no removal software service can guarantee that your company is completely safe from reinfection.
Undertake complete ITAD data destruction.
The good news is that you don't need to pay the ransom or buy expensive software. IT asset disposal services offer complete data erasure, ensuring that no remnants of the malware remain. ITAD partners can provide a rapid response: cleansing the compromised system, reformatting hard drives and destroying any end-of-life IT assets. Understanding the importance of data destruction in the wake of a cyber-attack, data wiping services can even perform secure on-site data erasure to curtail downtime.
Inventive criminals are ruthless; once the threat is identified, it simply isn't something you should take chances with. Professional data destruction services can guarantee complete disinfection of all devices. IT asset disposal accreditation is supplied for each individual device or piece of storage media to demonstrate the ITAD chain of custody.
Businesses no longer need to be held to ransom. Not only is recovery possible, outsourced ITAD suppliers can assist in fast business restoration. Local back-ups are highly likely to be encrypted too, but an off-site back-up can be employed so long as it was completely disconnected from your network during the attack. With more resource to help you reinstall the OS and software applications from trusted source media, you will get your business operation back up and running in the fastest time possible, limiting disruption and lost business and minimising the cost of recovery.
Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help you dispose of your data safely and reliably.
Resources.
Sky News, Barracuda.com, Wired, natlawreview.com, AP News, i-cio.com, www.pwc.co.uk, Backblaze, Coveware, tripware.com, CSO, Databasix, Terranova Security, itpro.co.uk, Sophos.