South African companies falling prey to ransomware
It hasn’t been a good start to the year for many South African businesses as their employees returned to work only to discover that they had been locked out of their computers and company databases had been encrypted. Demands for large payments to be made, typically in the form of untraceable bitcoins, in order to regain access inevitably followed. When payments were made by those who decided to take their chances and pony up the money in an attempt to continue doing business as usual, some of them were then advised that the amount had subsequently increased. Presumably this was because the original amount was deemed too affordable given the readiness of these hapless businesses to pay up.
“We’ve recently witnessed a major surge in ransomware attacks as an unprecedented number of organisations have approached us to help them secure their servers and networks against malware”, comments Grant Chapman of local data security and CRM provider Camsoft Solutions. “There are still many companies out there with inadequate or no protection against malware and many of them are generally ignorant of the consequences. This, together with a general naivety that it might never happen to them, is going to result in many more unfortunate organisations having to pay the price in more ways than just the money. Those affected will also not be restricted to large corporations which usually try and keep knowledge of an attack a secret, knowing what the reputation damage and other fallout could be. When these organisations report that they are wiping clean all their servers and computers and reinstalling all their software from scratch it’s fairly obvious what has transpired. Some companies have even had to resort to reinstalling databases and mail servers that are over a year old after not keeping off-site backups. And then others who left backup devices connected to their servers at the time of the attack have had all their current backups encrypted as well. Regaining access to infected files by paying the ransom is also very risky because the malware is still resident on the infected machines and can very easily be re-activated for yet another ransom demand,” adds Chapman.
Ransomware has become big news in the US and elsewhere in the world, and it was only a matter of time before South Africa became a target too. Ransomware attacks worldwide doubled in the last two quarters of 2016, an indication of just how lucrative the practice is, with the FBI estimating that profits related to ransomware exceeded a billion dollars last year.
“Usually, it is not so much the ransom itself, but business downtime and other consequences that will really disturb your business”, comments Eija Paajanen of F-Secure Corporation. “Paying the possible ransom will of course hurt. But what will probably hurt more are the other repercussions resulting from a successful ransomware attack. First, you have the lost business time. Think about an online store for example. Having your site down will have a direct effect on the bottom line. The city of San Francisco was forced to give free rides to all commuters after ransomware hit their transportation system. A major target for ransomware has been hospitals and healthcare providers. What if you can’t access patient data or sign in patients? There would be no operations during that time. There will be other effects as well. Your IT staff has to spend a lot of their valuable time searching for the problems, isolating them and trying to fix them. In many cases, it is not just the infected computers that are rendered powerless, but also other devices need to be pulled down from the network to avoid further damage. Meanwhile, most of your employees will not be able to work and you face quite significant productivity losses, regardless of whether you pay the ransom or not. Secondly, there is the possible loss of critical data. In some cases, we have seen customers successfully back up their financial data, but not other business-critical assets. For a design agency, for example, the loss of their image and design files would be unbearable. Coming back to hospitals and other medical practices, the welfare of patients could be severely compromised by not knowing what medications or treatments they required or what their medical history was, should their data disappear. Thirdly, coming back to the potential loss of patient data, the problems that you might face with your operations are not the full story either.
Privacy laws and regulations are pretty strict when it comes to personal data and the probability of facing penalties is high. As for financial data, there are other laws governing the obligations to keep archives for several years. Therefore if a ransomware attack makes you lose the data for, let’s say even the current quarter, you would face a huge task to restore the data to be prepared for a possible audit two years later…”
One key element of protecting an organisation against ransomware and other malware attacks is security awareness training, which helps prevent employees from clicking on phishing links in e-mails. So, what should you do if and when you find out that your organisation has been hit by ransomware? Here’s some advice from Andy Patel, one of the security experts at F-Secure: “If your organisation has been hit by crypto-ransomware, stop, take a breath, and respond to the incident in a level-headed manner. You’re going to want to start by isolating and remediating affected machines before restoring data from backups and ensuring that you have the right protection on your network to prevent it happening again. Make sure you don’t restore the original infection vector during that process. And when your systems are back up and running, remember to kick off a root cause analysis. Learn from the experience and improve your processes and systems in order to avoid future infections, keeping your data security software updated regularly. The more prepared your organisation is for the eventuality of a crypto-ransomware attack, the less likely you’ll end up panicking and doing something that could be more damaging.”
“We’re also seeing a major shift towards hosted data, such as our Maximizer CRM solution in the cloud, due to the highly sophisticated threat environment that exists currently”, comments Chapman. “The hosted servers are protected against malware with F-Secure’s Endpoint protection by a team of specialists who take responsibility for ensuring that the servers always have the latest updates, are backed up off-site and monitored for any untoward activity. They aren’t connected storage devices, which are still susceptible to attacks, and the connections between users and the server are encrypted with SSL security. Outsourcing the responsibility for your data to experts who make it their business to safeguard it makes a lot of sense. There is also a reduced likelihood of infection from malware such as that used for ransomware attacks because sophisticated firewalls help prevent security breaches, caused for example by employees inadvertently initiating attacks by clicking on attachments in phishing e-mails. Whilst it is difficult to ensure that all IT resources are 100% protected against any potential threat, given the constantly changing nature of the threat landscape, there are tools available to minimise threats and stay ahead of the game and one should use these tools wherever possible.”
If you wish to assess your current capabilities to handle ransomware attacks (or any other type of malware attack, for that matter), please check out F-Secure’s practical handbook for endpoint protection. It will give you the tools to assess your current capabilities, give guidance on best practices and help evaluate the most critical requirements for an endpoint protection solution that can stop ransomware and other malware in their tracks.