
Ransomware, the accountants’ perspective


Colonial Pipeline in the US, JBS Foods, the world’s largest meat producer, and the Irish health service have all been high-profile victims of ransomware attacks in the last year, but it’s not just utilities and large-scale operations that need to be alert to the threat. Small and medium-sized businesses with poor security protocols in place are also vulnerable.

In June, the CEO of the National Cyber Security Centre (NCSC), Lindy Cameron, gave a speech urging business leaders to take the threat of ransomware attacks more seriously, especially while many staff are working remotely and on their own computers.

Kirstin Gillon

Here, Kirstin Gillon of the Institute of Chartered Accountants for England & Wales (ICAEW) explores some of the main issues around ransomware. What is it? How can you avoid being a victim? Should you pay the ransom if you are attacked?

The basics

Hackers typically infiltrate your systems via malware downloaded when somebody clicks on a link in a phishing email, by exploiting software vulnerabilities or using stolen Remote Desktop Protocol credentials. Once your systems have been breached, they encrypt your data and demand a ransom in return for the decryption key and access to the data again, or they claim to have stolen confidential data and threaten to publish it unless a ransom is paid. If you’re unfortunate enough to have been hit, what should you do?

Should I pay?

The official advice from the police and government is that you shouldn’t pay: there is no guarantee you will get your data back or that the hackers won’t publish the data anyway, the money you hand over will be used to fund other forms of illegal activity, and you would be encouraging further attacks, both on your own organisation and on others. Hackers will continue to ply their trade as long as it remains profitable.

Paying a ransom is not illegal and many victims just want to get up and running again, reasoning that the ransom is less than the cost of the loss of business due to their systems being down. Insurance can come to your aid, if you have the right policy, and hackers are known to research their targets’ cover before mounting an attack.

Outlawing payments

So, should governments take the step of outlawing ransom payments, especially when payments are fuelling the rapid growth in ransomware attacks? Governments and law enforcement agencies seem reluctant to do so at the moment. They would rather that companies share information about ransomware with them, and making payments illegal would make that harder. Some companies would probably still pay and just factor in potentially paying an additional fine. So it may make little difference in practice and disproportionately hit smaller businesses.

Governments are also looking at bigger geopolitical solutions. Many of the current attacks come from countries such as Russia, and pressure can be applied at this level. It was reported, for example, that US President Biden broached the subject with Vladimir Putin at their recent summit.

Preparation and prevention

Good “cyber hygiene”, proper staff training and a good, solid back-up strategy are acknowledged as the essential starting points for successful protection, though hackers are alive to the latter and often target your back-up systems as well, so make sure they are completely separate from the main system.

A properly thought-out and thoroughly tested recovery plan can give you the confidence to call the attackers’ bluff (and they are often bluffing anyway). It may take a while to recover in this way, but it can be less costly and disruptive.
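The two points above, keeping the backup separate from the main system and actually testing that it can be recovered from, both depend on being able to tell whether a backup copy is still intact. The following is an added illustration, not code from the ICAEW article or the NCSC, of the simplest form of that check: a SHA-256 manifest is recorded when the backup is taken, and a later verification run reports files that have gone missing, been altered, or appeared unexpectedly (renamed or overwritten files are the typical signature of an encryptor reaching the backup). The file names, the directory layout and the tampering scenario are all constructed for the demonstration; in practice the manifest should be stored somewhere the backup host cannot write to.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the SHA-256 of every file under backup_root, keyed by POSIX-style relative path."""
    return {
        path.relative_to(backup_root).as_posix(): sha256_file(path)
        for path in sorted(backup_root.rglob("*"))
        if path.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current contents of backup_root with a manifest taken earlier.

    Returns three sorted lists: files in the manifest that are gone, files whose
    hash no longer matches, and files present now that were not in the manifest.
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(
            name for name in manifest if name in current and current[name] != manifest[name]
        ),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate the tampering the check is meant to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample backup contents (hypothetical file names).
        (root / "ledger.csv").write_text("date,amount\n2021-06-01,100\n")
        (root / "invoices").mkdir()
        (root / "invoices" / "inv-001.txt").write_text("Invoice 001\n")

        manifest = build_manifest(root)

        # Simulated damage: one file overwritten with random bytes, one renamed with a
        # new extension, which is what an encrypted and relabelled file looks like on disk.
        (root / "ledger.csv").write_bytes(os.urandom(64))
        (root / "invoices" / "inv-001.txt").rename(root / "invoices" / "inv-001.txt.locked")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

A clean run returns three empty lists; anything else means the copy cannot be trusted for recovery and the separate backup chain should be checked before it is relied on. Running the verification on a schedule, from a host other than the one that writes the backups, is what turns a backup strategy into a tested recovery plan.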

The NCSC has a wide range of resources to help organisations of all sizes improve their cyber security, including:

Source: The ICAEW

Informed Sauce is hosting an Infinidat-sponsored event in London on 2 December about protecting businesses from cyber crime, and particularly ransomware attacks.

Short talks from the Metropolitan Police, a military-trained cyber threat expert and sponsor Infinidat’s EMEA Field CTO will be followed by a panel-led, room-wide moderated discussion, with plenty of opportunities for you to contribute your thoughts and ask questions.

Visit the event microsite for more details and to sign up.
