#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
Dublin: 3°C Sunday 17 January 2021

Ransomware and remote working: If Twitter can be breached, then every company must be vigilant

Jacky Fox of Accenture Security outlines the security threats posed to businesses at the moment and offers some advice on how to handle this growing criminal activity.

Jacky Fox

Last night, Twitter was subjected to a massive security breach as many of its verified ‘blue-tick’ accounts tweeted a phishing message about the donation of bitcoins.

Some of the more high profile accounts affected were those of Barack Obama, Elon Musk and Kanye West, as well as US Presidential Nominee Joe Biden, the official Apple account, and billionaires Mike Bloomberg and Bill Gates.

The platform rushed to contain the hack but the damage had already been done. The incident has brought into sharp focus the issue of cybersecurity. At a time when much of the global workforce has moved to remote working, many employers, companies and employees will need to prioritise their security measures.

If one of the largest social platforms can be breached as Twitter was last night, then every cyber system is vulnerable. Here, Jacky Fox, Managing Director of Accenture Security, outlines the biggest cybersecurity threats and has some advice for businesses when it comes to avoiding them:

WHILE THE COVID-19 pandemic is first and foremost a health and humanitarian crisis, there’s a massive business impact which is challenging our cybersecurity world. The shift to remote working creates an attractive proposition for threat actors to step up social engineering campaigns and ransomware.

Ransomware is a type of malicious software (often called crypto-malware) that criminals use to extort money from you in return for restoring access to something they have taken from you.

This typically takes the form of locking you out of your data by encrypting it. A ransom is then demanded in exchange for the decryption key that will unlock your scrambled data.

The criminal process

Sometimes the attacker will also take, or claim to have taken, a copy of your data and inform you that they will publish it if you don’t pay, with the promise of deletion if you do.

There is now another trend known as “doxware” gathering pace in Ireland, designed to unnerve the victim: an attacker will claim to have private information, such as video footage of an individual watching sensitive material, often coupled with an old password from a historic breach to make the claim look credible.

Doxware usually asks for a relatively low ‘fee’ for the destruction of the mythical footage so that the victim is more likely to pay.

Ransomware is sometimes targeted at a specific individual or organisation, but more often it is opportunistic and is contracted by an individual being phished, clicking a link in an email or visiting an infected website.

Some variants of ransomware can be aggressively virulent and spread easily from one system to the next autonomously. Thousands of connected systems can, and have been, infected in a matter of hours.

When ransomware infects a system, it will generally only target and encrypt your data files rather than the whole disk, which makes the encryption process faster. Typically the malware will send the decryption key back to a command and control server operated by the attackers, try to replicate itself onto more systems and display a ransom note. This note will detail how to pay and how long you have been given before your data is destroyed, published or both.

This criminal business model often provides a ‘helpline’ to assist you with payment and decryption. The payments are requested by means of hard-to-trace payment methods, such as cryptocurrencies like bitcoin, or gift cards.

Historically, ransom requests were small to entice people to pay but we are now seeing this trending upwards. Ransomware actors, for example, have also taken advantage of the impact Covid-19 is having on medical organisations around the world, likely seeking to extort higher ransoms.

So, do you pay?

What are you meant to do if the ransom is small, the data is valuable to you and you have no other copy of it? If you do pay, this does not guarantee that you will regain access to your data; you may be asked for more money and the criminal may still have access to your data.

However, the criminals do recognise that if they don’t keep to their end of the transaction they will become ‘disreputable’ and people will never pay.

Law enforcement bodies and organisations such as No More Ransom advise that you should not pay the ransom. Nevertheless, we do sometimes see organisations quietly paying.

In March 2019, it was widely reported that a local government in the US state of Georgia was hit by the Ryuk ransomware and paid around $400,000 in bitcoin to obtain the decryption key for its files.

It can be a traumatic experience for an organisation to fight a crypto outbreak, particularly if they have not prepared for such an event. Your best hope is that:

  • ‘Patient zero’ notices that something is wrong and reports it
  • Your IT department understands how to isolate the infected systems quickly to halt the spread
  • You have backups of the data that has been lost
  • The criminals didn’t steal any of your data
  • Your response team has, at minimum, representation from legal, HR, IT, Communications and strong executive support.

Whether you decide to pay or not, you will need to wipe and reset infected systems and try to establish if you have had a data breach. At this point, you might well ask why did your antivirus software not detect and block the attack?

Much like our own immune systems, most antivirus software relies on signatures and will only recognise malware that it has seen before. Unfortunately, new variants of ransomware are generated all the time and blocking these is not always possible.

Impact on your business

You can expect your operations to be disrupted and you might end up being offline or need to revert to manual operations, meaning that you are unable to run your business for a period.

In some cases, this has resulted in companies going out of business. In 2017, for example, the shipping giant Maersk was hit by NotPetya, a self-replicating ransomware worm, costing it an estimated $300M in recovery costs. The malware spread to and impacted around 50,000 systems in just a couple of hours. NotPetya was later shown to offer no working decryption path even to victims who paid, so restoring from backups was the only way back. Fortunately, Maersk survived the attack.

Sadly, there are always criminals who will use social engineering to entice us to visit sites and click links that we shouldn’t.

In 2017 the UK’s National Health Service (NHS) was hit by WannaCry ransomware that encrypted thousands of systems and led to the cancellation of 19,000 medical appointments and the diversion of ambulances.

Throughout the Covid-19 pandemic too, criminals are using pandemic information as clickbait to target hospitals and laboratories who they believe will pay more readily during the crisis.

A hospital in the Czech Republic and a public health agency in the state of Illinois in the US have each reported ransomware attacks related to Covid-19. There are also a number of reports of phishing campaigns against the World Health Organization (WHO).

In such a climate, health and safety clearly come first. Securing the continuity of operations has taken on a whole new dimension—it should include culture, communication, policies and technology. And, as the Covid-19 pandemic has shown us, you can never be too prepared.


If you presume that you will be attacked and focus on your incident response plans – and how you can be resilient – you are far less likely to be in a position where paying the ransom is your only option.

You can do this by:

  • Keeping your systems and anti-malware software up to date
  • Monitoring your systems for ransomware markers, such as one process modifying or renaming a large number of files in a short time
  • Having a good data backup regime in place and keeping copies stored offline
  • Training your staff on how to avoid getting infected, including not clicking on unexpected links or visiting untrusted websites
  • Blocking known bad websites automatically
  • Monitoring your infrastructure for large data movements, so that you can identify unusual data transfers both as they happen and after the fact.
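Two of the monitoring items above, watching for mass file updates and for large outbound data movements, can be turned into concrete detection logic. The script below is an added example from the editor, not code from the article or from Accenture; the telemetry records, host names, process names, thresholds, daily baselines and the list of ransomware file extensions are all constructed assumptions for illustration, and a real deployment would read these records from endpoint and network flow telemetry.

```python
"""Two simple detectors for the ransomware markers listed in the article:
(1) a burst of file writes/renames by one process on one host, and
(2) a host sending far more data out than its daily baseline.
Added example code; the events, host names, thresholds and the
ransomware extension list below are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions commonly appended by encrypting ransomware (illustrative, assumed list).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".ryk"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str   # "write" or "rename"
    path: str


@dataclass(frozen=True)
class FlowRecord:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def _ext(path: str) -> str:
    i = path.rfind(".")
    return path[i:].lower() if i >= 0 else ""


def find_mass_file_updates(events, window=timedelta(seconds=60), threshold=50):
    """Flag any (host, process) that touches more than `threshold` files inside a
    sliding `window`. One alert per offending process, raised the moment the
    threshold is first crossed so a responder can isolate the host quickly."""
    recent = defaultdict(deque)   # (host, process) -> events still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.process)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # drop events older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            ransom_renames = sum(1 for e in q
                                 if e.action == "rename" and _ext(e.path) in RANSOM_EXTENSIONS)
            alerts.append({"host": ev.host, "process": ev.process, "count": len(q),
                           "ransom_ext_renames": ransom_renames,
                           "first_seen": q[0].ts, "detected_at": ev.ts})
    return alerts


def find_large_transfers(flows, baseline_bytes_per_day, factor=5.0):
    """Sum outbound bytes per host per calendar day and flag days above
    factor x that host's baseline. Works on stored flow records too, which is
    the 'historical' check: did this host move a lot of data before the note appeared?"""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.host, f.ts.date())] += f.bytes_out
    flagged = []
    for (host, day), total in totals.items():
        baseline = baseline_bytes_per_day.get(host)
        if baseline is not None and total > factor * baseline:
            flagged.append((host, day, total))
    return sorted(flagged)


def sample_file_events():
    """Constructed endpoint telemetry: ordinary document saves, then an outbreak."""
    t0 = datetime(2020, 7, 16, 9, 0, 0)
    events = [FileEvent(t0 + timedelta(minutes=6 * i), "ws-042", "winword.exe", "write",
                        f"C:/Users/anna/Documents/report{i}.docx") for i in range(10)]
    t1 = t0 + timedelta(minutes=30)   # 120 renames to .locked within 30 seconds
    events += [FileEvent(t1 + timedelta(milliseconds=250 * i), "ws-042", "svchost_.exe",
                         "rename", f"C:/Users/anna/Documents/file{i}.xlsx.locked")
               for i in range(120)]
    return events


def sample_flows():
    """Constructed flow records; 203.0.113.10 and 198.51.100.5 are documentation addresses."""
    day = datetime(2020, 7, 16)
    flows = [FlowRecord(day + timedelta(hours=9 + h), "ws-042", "203.0.113.10", 500_000_000)
             for h in range(8)]                      # 4 GB out in one working day
    flows.append(FlowRecord(day + timedelta(hours=10), "ws-017", "198.51.100.5", 150_000_000))
    return flows


BASELINE_BYTES_PER_DAY = {"ws-042": 200_000_000, "ws-017": 200_000_000}   # assumed daily medians


if __name__ == "__main__":
    for a in find_mass_file_updates(sample_file_events()):
        print(f"[file burst] {a['host']} {a['process']}: {a['count']} files in window, "
              f"{a['ransom_ext_renames']} renamed to a ransomware extension at {a['detected_at']}")
    for host, day, total in find_large_transfers(sample_flows(), BASELINE_BYTES_PER_DAY):
        print(f"[large transfer] {host} sent {total / 1e9:.1f} GB on {day}")
```

The thresholds and baselines are placeholders that have to be tuned per environment (a build server or backup agent legitimately rewrites thousands of files), and the file-burst detector fires as soon as the count crosses the threshold rather than after the fact, which is what makes it useful for the first two items in the “best hope” list above: noticing the outbreak early and isolating the infected host before it spreads.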

Each attack is different, and while law enforcement advises that you should not pay a ransom, your organisation needs to make the right decision taking safety, the impact to your operations, potential income loss and your ability to recover into consideration.

Jacky Fox is Managing Director of Accenture Security.

About the author:

Jacky Fox
