I cannot tell you how often I hear company executives saying something like this: “No one wants my data, so why is anyone going to spend the time to hack me? I’m not too concerned with security”. Ugh. That point may be true to them, but it has no bearing at all on most of the cyber security today, particularly Ransomware. Do better!
Case in point, last week we had a large firm contact us about a Ransomware infection. This attack was targeted and I’m worried that others may get hit too so I’m letting people know about it as often as I can.
This firm was not a client and they were introduced to us by a current client while they were looking for help/advice. This is a firm with over 300 employees and 5 locations. They got hit with a Ransomware attack that encrypted all their servers and all their computers. Yes folks, that means that every single machine they had was inoperable and they were completely out of business. Unfortunately, they still may be (we never heard back from them but my gut tells me it will be weeks before they are functioning again and many months before they are back to normal).
Turns out that this was a targeted attack using Ryuk Ransomware. This group is targeting larger companies so they can can demand a much higher ransom. The MO of this type of attack is to infect one machine and then be in stealth mode to learn the network and work on gaining greater access. Weeks/months later when they are ready, they delete all the backups, including the Cloud, and then turn on the Ransomware encryption en masse. In way less time than you’d think (I’m talking minutes to an hour at the most), all of the machines are encrypted. This firm’s ransom was over $300,000 so they were trying to figure out the best way to recover or to pay. Often your Cyber Insurance will say to pay the ransom since that can be less expensive than paying to fix things.
The moral of the story is:
- Make sure your backups are in pristine shape – data wise, vendor wise, and setup wise. The firm that got hit was using some small 3rd party vendor for Cloud storage (the larger firms do not cost much more and they keep a copy of the backup data to avoid this) and they also had poor backup management in place. If their backups would have been in good shape, they could have recovered on their own. Not quickly, but it would have been an option at least.
- Workstations should not have administrative access. No way to install a rogue app to infect the computer if there aren’t any rights to do so.
- Have something like an artificial intelligence based anti-virus/anti-malware in place which would have done a much better job at catching this and actually stopping the activity.
- Having an EDR solution in place would have gone a long way to catch the original infection. More importantly EDR will stop the process immediately so the infection can never happen.
- It is very cost effective to implement the above. The investment for all of the above is a small fraction of paying the ransom, not to mention the business impact of not being able to work for days/weeks and the unfortunate PR with clients.
- Last but not least, make damn well sure that the original infection is gone. It happens all too often that a company will pay the ransom and get back to “normal” and then do nothing to make sure the infection is cleaned up. Months later they get another Ransomware infection from the same bad actors…..
You may not think your data is “valuable” and the Ransomware hackers don’t care about the intrinsic value of your data, but the fact you have and rely on any data at all has a ton of value to them and to you. Like I said earlier, do better!