From Advent IM Director, Julia McCarron
For those of you who read my irregular blogs, you’ll know I have a passion for the TV series NCIS. When I say passion more of an obsession really. So imagine the irony when they air an episode in the UK about Ransomware, in the wake of the world’s worst ransomware cyber-attack to date … my two worlds collided in a spectacular Disney Fantasmic kind of way.
We have the aging Admiral, trying to sort out important ‘ops’ but being told the weather is too bad. Lo, he opens an email, his mind is wandering and then a skull and crossbones appears on his screen telling him his computer has been encrypted, give me money and you can have your data back.
Bring in our hero, Very Special Agent Timothy McGee. Tim is a cyber expert, he knows his stuff and says all the right things. “Did you back up your data Admiral?” Of course he didn’t because he has anti-virus software??!! – Rule No #1 (those of you who watch NCIS will see where I’m going … :)).
“Is there any RESTRICTED data on the laptop Admiral?” Proudly he replies no … because he has one laptop for Navy stuff and one for personal. Well done Admiral – Rule No #2.
“How did this happen Tim?” Tim eloquently describes how the Admiral has clicked on a link in an email, and he shouldn’t have done – Rule No #3. We are going great guns here – Gibbs would be proud of us!
Then Tim lets me down big time. “What should I do Tim? The photos of my dead wife, all the memories I can’t get back … you’ve gotta help me”. Now Tim McGee is a force to be reckoned with. The bumbling probie, scared of his own shadow who went on to save Ziva from a terrorist and stop a biplane crashing into a destroyer who now leads the team in a confident, self-assured, “I’ve earned my stripes” kind of way – and what does he say? “Pay the ransom Admiral”. PAY THE RANSOM? P-A-Y T-H-E R-A-N-S-O-M??
So that Disney Fantasmic experience turned into 2 juggernauts colliding. “Oh Timmy”, I cried as my worlds diverged.
I’ve written about ransomware before as you may know, as have many of our Team. It’s unfortunately one of the worst kinds of infection a user can get. At its most basic, it’s a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid … data kidnapping as it is sometimes described. Exactly what happened to our NCIS Admiral. But what started off as seizing an individual’s computer and generating maybe £100 a pop to release it, is turning into a far more sinister act.
More and more we are finding that public facing entities are being held to ransom for large sums of money to release sensitive and personal data, places like hospitals and universities. But of course this is no longer news to you. Never have we seen an attack on the epic proportions of that which occurred on Friday (12th May 2017). In a targeted global attack, the US, UK, Spain, France, China and Russia were all affected in the initial phase with disruption to over 40 UK NHS Trusts, Spanish gas and telecoms companies, Deutsche Bahn the German rail network, FedEx, Renault and Chinese energy firm PetroChina.
Research commissioned by Citrix, carried out by One Poll and released in March 2017, states that a staggering 45% of large British businesses have been victim to a successful ransomware attack in the recent past. For a business, as opposed to an individual user, the ransom demand can become exponential as more and more devices become affected as the malware spreads across a network. This we have seen with last week’s attack. The research claims that each of the businesses surveyed had on average 47 infected devices. It gets worse – 33% of those surveyed had more than 100 infected devices. The price goes up!
Despite the increase in attacks of this nature in the UK, 11% of the large organisations surveyed still had no form of ransomware policy (Rule #4) and 40% of those surveyed had no plans to put something in place in the next 12 months. A frightening ‘head in the sand’ statistic for an issue that cost the US a quarter of a billion dollars in 2016 and that has seen our NHS severely impeded as a result of last week’s ransomware attack. Some trusts had to turn patients away and a Major incident was declared by the Department of Health.
My fellow director Mike Director has a very interesting take on ransomware. For the sake of argument let’s replace our ‘data’ with our ‘partner’. If our partner was kidnapped this would be seen as a serious illegal act and the perpetrators sentenced for a long period of time in jail. But currently data kidnapping is not subject to the same level of criminal justice. Those behind ransomware attacks are guilty of criminal offences – either through a common law conspiracy to defraud, under section 21 of the Theft Act 1968, or as unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of computers under section 3 of the Computer Misuse Act 1990. But the sentence varies massively, in fact I’ve struggled to find anyone sentenced over an act of ransomware in the UK. Is there a difference between people kidnapping and data kidnapping? The ‘value’ of the asset is arguably as high dependent upon the ‘owner’. For the business owner the cost of downtime, loss of data, reputation, the ransom itself, replacement costs – all of this could close the business affecting 100s of staff and their livelihoods, not just the owner’s.
So, should we be paying the ransom if the victim of a ransomware attack? Well, I guess unless you walk in the shoes of the victim you cannot answer that question with certainty, but with effective cyber security practices in place the threat could become an empty one. Indeed, with the global cyber-attack we have just experienced, by Monday morning (15th May 2017) the BBC suggested only c£30,000 in ransom demands had actually been paid across the 200,000 computers infected worldwide. This would suggest that recovery was not dependent upon paying the ransom. However, the cost of chaos was high.
If we return to our NCIS Admiral, he told our Timmy that after 41 years in the Navy he’d never surrendered to the enemy yet and he wasn’t about to now. Admirable Admiral. But if we also return to the rules we started with, and add some new ones, maybe we can do something to defeat this particular enemy, or at least minimise the impact of the attack.
Rule No #1 Always back up your data
In this day and age cloud storage is part of everyday life. Do it, automate it, and ensure it’s secure in the cloud if it’s sensitive data. If you don’t want to rely on cloud storage, ensure regular data back-ups to off-line, encrypted storage devices that are themselves stored securely to minimise the loss and effect.
Rule No #2 Separate sensitive data from non-sensitive data
This could be by having separate devices like the Admiral. This could be in a network environment by adding more technical controls/applications/devices, firewalls, DMZ, segregation, permission based access. This makes it harder to get to the data with greater ‘value’.
Rule No #3 Train your staff
The majority of these incidents occur because just like the Admiral, a staff member inadvertently clicks on a link they shouldn’t have. Make sure your staff know to only click on links and open attachments from trusted sources, and make sure they understand why they are doing it. If they are not sure – leave it and report it.
Rule No #4 Have a plan
Know what to do in the event of an attack and make sure your staff know what to do to isolate the infection and minimise the damage. A policy shouldn’t be shelfware, staff need to know about it and how to invoke necessary action plans. This could form part of your set of scenario based business continuity plans, testing and exercising.
Rule No #5 Patch or replace
It is thought that many of those devices affected by last week’s attack were old devices where patching was difficult or impossible. Where budget allows always ensure you have devices that are not end of life or ‘unpatchable’ as it opens them up to major security vulnerabilities and provides an opportunity for malware attacks. If it’s not possible, limit connectivity to those with a need to access only, and ensure no remote access capability rather than having a window open to the rest of the internet. And if that’s not possible, use the ‘always off’ approach and allow external access on a request only basis.
Rule No #6 Only pay the ransom as a last resort
Don’t make a knee-jerk decision (Tim). Exhaust all other avenues first. Report it to Police Cybercrime Unit. Get your Technical Team on it. Assess the cost of ransom versus the cost of business as usual. If you have followed Rules #1-5, when you risk assess the situation from all directions it might actually be better not to pay.
So, Very Special Agent McGee stumbled over Rule #6 but did redeem himself by the end of the show telling the Admiral to hold off paying the ransom as there were still 90 minutes before the ransom was due … and therefore 90 minutes to catch the perpetrator. A smart move because, naturally, he saved the day in the end. And whilst the perpetrator was a delusional individual needing to finance his belief that he could cure stuff through cryogenics and freezing homeless guys, using a technique apparently common in the US for reviving the metabolism and preventing aging called CryoSpa … using liquid nitrogen … (!!??), the ‘needing to finance part’ is not so far-fetched and why ransomware continues to increase rapidly, funding many criminal and terrorist activities.
So the moral of this story is a) watch NCIS – it’s great, b) follow Julia’s #Rules to Ransomware Safety – it may prevent early aging from the stress of a ransomware attack, like the one we’ve just had, by minimising its impact. The basics are always the best foundation.
(Cue Disney Fantasmic)
- Posted by Ellie Hurst
- On 22nd May 2017