Stand and deliver
With the cost of ransomware predicted to hit $11.5 billion around the world in 2019, according to Cybersecurity Ventures, now is the time to ask whether there’s more you could be doing to protect your company from this threat.
Spend any time reading about the phenomenon of ransomware and you’ll quickly find that, while everyone says it’s a problem, nobody will admit it’s happened to them. And it’s not hard to understand why.
Falling victim to ransomware means having company data encrypted by a cybercriminal who subsequently demands a ransom. Pay up or never see your data again. It can happen by a variety of means, but the usual method is that someone in the company accidentally downloads software from the internet that installs malware or otherwise compromises the company’s security systems.
Having this happen is embarrassing. It demonstrates that your security procedures aren’t up to scratch, and if it happens to your company, you have two options, or three if you’re lucky. The first is to give in to the demand and pay the ransom, usually demanded in untraceable bitcoin.
Nobody wants to do this and, if they do it, nobody wants to admit to it. The second option is to refuse to pay the ransom, restore the data from a recent backup and fix the security hole that created the problem.
The third option is for those in serious trouble. These are the companies that have only partial backups or, worse, no backups at all to restore from. This group can refuse to pay the demand and then do their best to reconstruct the missing data from out-of-date records, bluffing to customers and hoping not to be found out.
If any of these happened to you, would you be in a rush to discuss them? Probably not; however, anecdotally, all of the security advisers Connected spoke to for this feature insisted that ransomware is a serious and pressing problem for Irish companies.
“We absolutely deal with this on a regular basis. It’s been on people’s radar for a while, so Irish companies are getting better at not getting caught out by it, but it’s still there,” said Michael Conway, director of security specialist Renaissance.
“We’ve had absolute horror shows from this problem with people caught out ringing us up, desperate to know what to do. All you can say is genuinely you have to go back to your backups. In one case, when we said that, the answer we got was that the backups were nine months old,” he said.
“In another case, a different company was being held to ransom for €12,000 in bitcoin and ended up paying out because the consequences of not paying threatened the existence of the company.
“They didn’t have backups and wanted advice on how to source the bitcoin. So it’s 100 per cent happening and it’s a real threat. To some extent people are a bit more switched on about these threats so they’re better protected than they would have been a few years ago, but it’s still happening.”
On the subject of paying ransoms, Conway is deeply conflicted.
“People have to make the decisions they have to make. The harsh reality is that if you’re a small business or a family business and your livelihood is on the line unless you pay this €10,000 or €20,000, you’re faced with a stark choice,” he said.
“You can take the moral high ground and say ‘under no circumstances am I paying these criminals’, and while I would not condone paying up, I wouldn’t condemn anyone either. The reality is you just don’t know what you’ll do until you’re placed in that position.”
The reality is that most people would probably pay the ransom, and that’s a harsh fact that Irish SMEs should face up to, in Conway’s opinion. The proof of this lies in the prevalence of ransomware attacks. Globally, malware volume has increased for the third year in a row, and security specialist SonicWall says it recorded 10.52 billion malware attacks in 2018 through a network of around a million sensors installed in its customers’ networks.
SonicWall recently published its annual report on this issue, in which it said that while ransomware attacks are diminishing around the world as companies toughen up their defences, criminal groups are still spewing it out in an attempt to catch out the unwary or the unlucky.
It also said that, globally, ransomware incidents reached 206.4 million attacks in 2018 — an 11 per cent year-over-year increase.
“It’s very simple — if it didn’t work, criminals wouldn’t do it. To them it’s just a business and it’s all about generating money. It’s their livelihood and they don’t care. It’s nothing personal, it’s just money to them. They don’t feel sorry for people and a lot of people do pay. If they didn’t, then these attacks wouldn’t be happening,” said Conway.
So what can you do to avoid finding yourself in the situation of being held to ransom?
According to Dr Vivienne Mee, director of VM Group, the key is to double down on a combination of technology and staff education. “There’s a lot you can do, but what you should do depends a little on budgets and how much time you want to put into it. It’s usually a very good idea to train your end users in how not to fall for the standard security ploys that cyber criminals trot out. Truthfully, it’s usually your end users that are the weak link in the chain,” she said.
“You need to make your staff aware of just what ransomware is, what the consequences of an attack are and why it’s extremely important that anyone who uses company technology knows what they’re doing with it. It can be simple things like not opening attachments that arrive in email without being requested, and not clicking on links in unsolicited mails.
“Training sessions can be short presentations by an information security officer, or online sessions conducted remotely. It can be a useful exercise and it won’t break the bank.”
There are other aspects of security that companies should also look at. To start with, it’s important that security is taken seriously and that all the usual security measures are in place — that software is patched and up to date, that security software and firewalls are used and that systems are in place that can catch a ransomware attack before it gets going.
“If you have the budgets and you feel you’re exposed, then there are utilities that can be put in place that do things like activity pattern analysis on your network and can identify and flag any activity that is out of the ordinary or dangerous,” said Mee.
“But you don’t need to spend a fortune in reality — often training and improving security culture are as important.”
According to Mee, any company that is serious about security will already have basic measures in place and, as long as they are correctly configured and up to date, it should be in a good position to fight off an attack. But vulnerabilities can appear at any time.
“Things happen, so you should have contingency plans in place with good, regular backups. If you’re the victim of a ransomware attack, then the best defence is to have good-quality recent backups to fall back on. Disaster contingency planning is important, too, things like having your backups offline for example,” she said.
“We’ve come across full ransomware attacks on many occasions. We work with companies of many different sizes and you’d be surprised at the ones that get hit the worst — they’re not the small companies.”
Mee’s best advice for a company that finds itself in trouble is: don’t pay the bitcoin. There are many factors to consider in this situation, but there are often ways out if you have the right advice.
“You have to weigh up the risk of data loss versus paying the bitcoin. But even if you do pay the bitcoin, you’re not guaranteed to get your data back. You are dealing with criminals, so you’re at the mercy of people who aren’t reliable,” she said.
“We’ve worked with companies that were held to ransom, paid up, got their data back and were hit again a second time 24 hours later. So our advice is don’t pay it.”
The alternative is to try to recreate the data from other sources or, if there is time to spare, to look for a published decryption key: decryption keys for some ransomware families are available online. There is a community of security researchers who break ransomware applications and post the keys on publicly available websites.
“Whether this is applicable to any individual case is a matter of luck. But you’d feel pretty silly if you paid a ransom and subsequently discovered you could have just found the decryption password online for free,” said Mee.
Some cybercriminals are extremely sophisticated, she said, and engage in targeted attacks against specific victims, but many others are just opportunists who download a malware application from the net and deploy it in the hope of getting lucky.
“If they’re using older variants of the malware, and you have the time to hunt down exactly what they’ve used and where they got the software from, you can sometimes defeat an attack that way,” said Mee.
One positive to come out of the many big cybersecurity breaches to hit the media in recent years is that many companies are now much more aware of the implications of not being fully protected. The result is that certain kinds of security issue are declining and, in Angela Madden’s opinion, that can include some kinds of ransomware attack.
“They’re not as prevalent as they were because most companies have put in place the necessary technical controls to minimise their risk. Also there has been an increase in security organisations doing awareness training around some of the typical weaknesses, like phishing attacks,” she said.
Madden is the managing director of Rits Information Security in Dublin and is well placed to comment on these matters.
“People are less likely to click on links today that could start a ransomware infection. Their awareness has increased, there are more technical controls in place and as a result there are fewer incidents among companies, particularly larger corporate-type companies.”
According to Madden, the majority of the incidents of ransomware she has seen recently have affected smaller companies and home users — people who typically don’t have up-to-date software and aren’t in the habit of practising good security.
At the same time, many of the larger players in the software industry producing line-of-business applications are including anti-malware features in their software by default.
“That’s definitely helped control the phenomenon, but it’s also worth saying that really a lot of this is down to how staff conduct themselves and having good processes and procedures in place to make sure they are aware of how their actions can leave the company vulnerable if they’re not careful,” said Madden.
Madden believes it’s important to remember that ransomware attacks typically have two phases — the first part where a criminal takes control of your IT assets and encrypts your data, and a second phase where they demand cash to release the encryption key.
“Awareness of the consequences of this is so important. You need to drill into your staff’s heads that they shouldn’t click on links in unsolicited emails, or even an email that looks like it’s from a trusted source, unless they’re expecting the mail and know what they’re doing,” she said.
“Most phishing attacks rely on users’ naivety and people’s behaviours, so you need them to think twice in the face of risky activity. And thankfully I think that message is getting out there. There are technologies that are helping — such as SSL inspection on websites — but the solution isn’t just found in one practice, it’s in a mix of practices, a mix of technology and culture.”
This is a sentiment that Marc O’Regan, chief technology officer for Dell Technologies Ireland, agrees with. According to him, when it comes to evading ransomware, culture is critical.
“The most common threat to any organisation remains the most straightforward — people and processes. Making every one of us in the workforce aware and responsible for our assets, including data, actions and activities, is the most important factor,” he said.
“Security is an issue for everyone and everyone has a responsibility to themselves and their organisations to keep our operating environment and behaviour clean. For instance, poor identity management can leave large gaps in enterprise cyber security when IT professionals fail to remove user access when a job function changes or an employee leaves the organisation.”
According to O’Regan, while ransomware attacks aren’t the largest or even main form of malware that Irish companies come under attack from, they do figure largely in the statistics.
“Straightforward ‘drive-by’ attacks happen more frequently now, where a criminal spreads a wide net and hopes to catch someone, but more advanced malware also happens using techniques like crypto-viral extortion, in which the malware encrypts the victim’s files, making them inaccessible, and the criminal demands a ransom payment to decrypt them,” he said.
“In a properly implemented ransomware extortion attack, recovering the files without the decryption key is an intractable problem — and it’s difficult to trace digital currencies such as bitcoin that are used for ransoms. The result is that finding and prosecuting the perpetrators is really challenging.”
Globally, it’s estimated that the number of attacks of this nature last year exceeded 180 million, and this is a trend that most observers say is increasing. Often criminals will invest time and effort into reconnaissance, as well as using social engineering techniques and special tools to get inside the defences of specifically targeted companies.
“Payouts are an interesting topic. What we have seen from the research is that almost half of all companies that have been the victim of a ransomware attack during the past 12 months made some sort of payment. Here is the interesting statistic though — of the half that made a ransomware payment, nearly 40 per cent didn’t get their data back.”
Because of this, Dell recommends prevention rather than cure, when it comes to cyber security. “We are a technology company and our job is to guide and advise on using data and technology. As a collective, we ourselves and our customers and our partners all over the world cannot participate in this progressive culture if we are being held to ransom,” said O’Regan.
“Therefore, we look to governance, control and compliance and suggest that we learn about ransomware to best avoid it. We advise companies that they should back up their data often and keep the backups disconnected from the primary sources of their data.”
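Both Mee and O’Regan make the same practical point: a backup only helps if it is recent enough to be worth restoring and has not itself been corrupted or encrypted. The following Python script is an added example, not code from Dell, Sungard or any of the firms quoted in this article. It records a SHA-256 manifest of a backup set when the backup is taken, then checks two things before an incident ever happens: how old the newest backup is against a maximum age (the constructed "stale" case reproduces the nine-months-old backup described earlier), and whether every file still matches its recorded hash (the constructed "tampered" case simulates a backup file that was overwritten after the backup was taken). Directory layout, file names, timestamps and thresholds are all constructed for the example.

```python
"""Backup freshness and integrity check (added example, not from the article)."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical manifest file name


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, taken_at: float) -> Path:
    """Record when the backup set was taken and the hash of every file in it."""
    entries = {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps({"taken_at": taken_at, "files": entries}))
    return manifest


def check_backup(backup_dir: Path, max_age_days: float, now: float) -> dict:
    """Report whether the backup set is recent enough and whether its files are intact."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    age_days = (now - manifest["taken_at"]) / 86400.0
    mismatched = []
    for rel, expected in manifest["files"].items():
        path = backup_dir / rel
        # A missing file and a file whose contents changed are both failures:
        # an encrypted or overwritten backup is no backup at all.
        if not path.is_file() or sha256_file(path) != expected:
            mismatched.append(rel)
    fresh = age_days <= max_age_days
    return {
        "age_days": age_days,
        "fresh": fresh,
        "mismatched": mismatched,
        "usable": fresh and not mismatched,
    }


def demo() -> dict:
    """Build a constructed backup set in a temporary directory and run the three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backup-set"
        backup_dir.mkdir()
        # Constructed sample data standing in for a company's files.
        (backup_dir / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (backup_dir / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        taken_at = 1_700_000_000.0  # constructed timestamp of the backup run
        write_manifest(backup_dir, taken_at)

        results = {}
        # Two days old, nothing changed: this backup could be restored with confidence.
        results["good"] = check_backup(backup_dir, max_age_days=7, now=taken_at + 2 * 86400)
        # About nine months old: intact, but far too stale to be a real recovery option.
        results["stale"] = check_backup(backup_dir, max_age_days=7, now=taken_at + 270 * 86400)
        # Simulate a backup file overwritten after the backup was taken (for example by
        # ransomware that reached a backup volume left connected to the network).
        (backup_dir / "ledger.csv").write_text("not the original contents")
        results["tampered"] = check_backup(backup_dir, max_age_days=7, now=taken_at + 2 * 86400)
        return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:9s} age={report['age_days']:.1f}d fresh={report['fresh']} "
              f"mismatched={report['mismatched']} usable={report['usable']}")
```

Run this on a schedule against the backup location and alert when `usable` is false; the age check catches the forgotten backup job, and the hash check catches a backup that was reachable from the network when an infection struck. Neither check replaces the advice above to keep a copy disconnected, but together they tell you before an incident whether the copy you are relying on would actually restore.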
How important is staff education in reducing the risk of cyber security threats, and how can companies get the balance right between technology and culture?
“We can expect the most sophisticated attacks to come our way and we try to prepare as best we can through the application of artificial intelligence, machine learning and other things. But we also need to remember the most basic principles that apply,” said O’Regan.
“For instance, we tell our children not to talk to strangers, but peer-to-peer communication is how the internet works and sometimes you can’t avoid dealing with digital strangers, so culture is critical and this is the first step, to drive a positive and active culture of responsibility and accountability.”
This need for Irish corporate culture to change is something that Gary Criddle, principal cyber resilience consultant with Sungard Availability Services, feels isn’t being properly addressed. He makes the analogy of the kind of security we all experience in high-risk areas such as airports and public spaces.
“It’s not unusual to see posters in these areas asking people to be vigilant and reminding them that if they see something suspicious then they should report it. But we don’t see the same attention paid to risk in the corporate environment, and maybe we should,” he said.
“Ransomware in all its forms bypasses technical defences by exploiting human weakness. If we don’t create a culture of cyber security throughout our business and throughout daily life, then we will never stop this sort of thing from happening.”
A case in point that demonstrates that companies aren’t taking security culture as seriously as they should is the issue of password usage. In particular, the top 100 most commonly used passwords haven’t changed in the last ten years.
“If you go back ten years, the list of the top ten most commonly used passwords looks almost exactly the same as it does today. So what does that tell you? Inside businesses, we recognise and give lip service to the idea of the human firewall, but we don’t address it properly,” Criddle said.
“A report in 2017 by Intermedia in the US said that of 1,000 office workers surveyed, 59 per cent of those hit by a ransomware attack at work paid the ransom out of their own pocket rather than informing their employer. The reason was because they didn’t feel confident enough to go to the security team and say ‘I think I might have got us in trouble’.”
Culturally these people were more ashamed of how the problem came about than they were about protecting their employer. They hoped to decrypt the data and cover up the incident.
“When it comes to security software, false positives are common and considered part of the process of safeguarding a network, but you never hear of the same thing with people reporting security issues and we should, because people are fallible and will make mistakes,” said Criddle.
Top five tips for avoiding ransomware
If you’re looking to safeguard company assets from malware and ransomware attacks in particular, it’s important to have a good overall level of security awareness. These five top tips from Antonio Pogliani, chief technology officer of Viatel, make a great starting point.
1 Security awareness
Train people and make them aware of the risks that are connected to cybersecurity — this is really important. Most of the threats out there come from human error and you can’t blame people if you don’t train them in the proper way.
2 Strong credential management
It’s crucial to have strong passwords. Technology is advancing and probably soon we will all use unique codes generated each time we log in, but for now it’s important that companies use strong passwords, as this is a real weak point. Often people use the same weak passwords for multiple systems, and if one is broken they all fall.
3 Patching and hardening
There are many companies out there with legacy systems running old versions of operating systems. These need to be hardened against attack and kept up to date. If that’s not possible, make sure they’re separated from your crucial systems.
4 Managing third-party risks
A chain is only as strong as its weakest link. This is a more subtle issue, but we live in an era of collaboration. If your system is strong, but you give access to a third party that isn’t as strong in terms of security, you leave yourself exposed.
5 Culture change: security is part of productivity
You have to consider security as an integral part of how you work, not just an add-on. It’s not a problem for the IT department to worry about, it’s something for everyone to be aware of.
Ransomware can have tentacles
With ransomware, creating a strong defence is about a lot more than just deploying Windows Defender in Windows 10. That’s the message from Graeme Cross, information security architect with Auxilion Digital Services, who goes on to say that ransomware can lie dormant in a network for months or even years before being activated.
“To be able to combat it effectively you need to be able to spot patterns in the network. This takes in both technology and user education because intrusions can occur over months and potentially even years before they’re detected,” he said.
Good intrusion detection systems can see the patterns of activity that are the giveaway signs of an intrusion.
“The software we work with allows us to do this and also to look at event management holistically across the network as opposed to just at the desktop level.
“Ransomware can extend like a monster with multiple tentacles dug into your network. It can be very hard to shift it,” said Cross.
“Best practice would be to have in-depth defences, because doing this properly is about a lot more than having an up-to-date antivirus engine. You need to be able to identify anomalies and see patterns as they’re developing, and not when it’s too late.”
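The "patterns" Cross refers to are behavioural: a process that suddenly rewrites and renames hundreds of documents in a minute looks nothing like a user editing a report. The following Python script is an added example, not Auxilion's product or any code from the article. It runs a sliding-window detector over constructed file-activity events (the kind of record an endpoint agent or file server audit log produces) and raises an alert when one process on one host exceeds a write-rate or extension-change threshold within a short window. It also takes an allowlist of known bulk-writing processes, because a backup agent legitimately trips the same write threshold; that is the false-positive handling Criddle's later point alludes to. Event fields, host and process names, timestamps and thresholds are all constructed or hypothetical.

```python
"""Sliding-window detector for ransomware-like file activity (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float            # event time in seconds (constructed values below)
    host: str
    process: str
    path: str            # path after the operation
    op: str              # "write" or "rename"
    old_path: str = ""   # for renames: path before the operation


# Hypothetical tuning values; a real deployment baselines these per environment.
WINDOW_SECONDS = 60.0
MAX_WRITES_PER_WINDOW = 50
MAX_EXT_CHANGES_PER_WINDOW = 10


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _peak_counts(evs: List[FileEvent]) -> Tuple[int, int]:
    """Highest number of writes and of extension-changing renames seen in any
    WINDOW_SECONDS sliding window over one actor's time-sorted events."""
    peak_writes = peak_ext = 0
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > WINDOW_SECONDS:
            start += 1
        window = evs[start:end + 1]
        writes = sum(1 for e in window if e.op == "write")
        ext_changes = sum(
            1 for e in window if e.op == "rename" and _ext(e.old_path) != _ext(e.path)
        )
        peak_writes = max(peak_writes, writes)
        peak_ext = max(peak_ext, ext_changes)
    return peak_writes, peak_ext


def detect_bursts(events: Iterable[FileEvent], allowlist: frozenset = frozenset()) -> list:
    """Return one alert per (host, process) whose activity exceeds a threshold.
    Processes in the allowlist (known backup or sync agents) are skipped."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.process not in allowlist:
            by_actor[(e.host, e.process)].append(e)
    alerts = []
    for (host, process), evs in by_actor.items():
        writes, ext_changes = _peak_counts(evs)
        reasons = []
        if writes > MAX_WRITES_PER_WINDOW:
            reasons.append(f"{writes} writes within {WINDOW_SECONDS:.0f}s")
        if ext_changes > MAX_EXT_CHANGES_PER_WINDOW:
            reasons.append(f"{ext_changes} extension changes within {WINDOW_SECONDS:.0f}s")
        if reasons:
            alerts.append({"host": host, "process": process, "writes": writes,
                           "ext_changes": ext_changes, "reasons": reasons})
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed sample log: a normal user, a suspicious process, and a backup agent."""
    evs = []
    # Benign: a user saving a few documents over ten minutes.
    for i in range(5):
        evs.append(FileEvent(1000.0 + i * 120, "ws-07", "winword.exe",
                             f"/share/reports/q{i}.docx", "write"))
    # Suspicious: one process rewriting and renaming a dozen files in under 30 seconds.
    for i in range(12):
        p = f"/share/finance/inv{i:02d}.xlsx"
        evs.append(FileEvent(2000.0 + i * 2, "ws-07", "update.exe", p, "write"))
        evs.append(FileEvent(2000.5 + i * 2, "ws-07", "update.exe", p + ".locked", "rename", old_path=p))
    # Legitimate bulk writer: a backup agent copying 60 files in 30 seconds.
    for i in range(60):
        evs.append(FileEvent(3000.0 + i * 0.5, "ws-07", "backupagent.exe",
                             f"/backup/ws-07/file{i:03d}.bak", "write"))
    return evs


if __name__ == "__main__":
    for alert in detect_bursts(constructed_events(), allowlist=frozenset({"backupagent.exe"})):
        print(f"{alert['host']} {alert['process']}: " + "; ".join(alert["reasons"]))
```

Without the allowlist the detector flags both `update.exe` (extension changes) and `backupagent.exe` (write volume); with the backup agent allowlisted only the renaming process remains. That is the trade-off the article describes: the thresholds have to be loose enough to let legitimate bulk activity through, yet tight enough to catch mass encryption in its first minute rather than after the ransom note appears.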
There have been lots of instances of malware and ransomware attacks hitting the headlines and nobody wants that to happen to them. This is the key to avoiding it, according to Cross.
“You have to be able to look at data as it comes into your network and spot potential problems at that point, examining how it comes in, decrypting traffic and telling legitimate emails from the user point of view. Then you need awareness training to help staff identify suspicious emails that make it through that gateway.”
Auxilion offers user education programmes that help inform staff how to spot suspicious emails, including scenario training where Cross and his team take customers through situations with mails to point out the ones that look legitimate but aren’t.
“We also do online user awareness training for phishing email attacks specifically. We do this using different campaigns, using, for example, social media to train people how to recognise key words and phrases. You might get 500 people in an organisation getting a mail, but how many need to click the link to create a problem?” he said.