Ransomware, payouts and your business
Five ransomware attacks in fifteen days:
$1.1 Million combined ransom paid by two Florida cities to cyber criminals:
Five ransomware attacks hit the news in 15 days. First to fall victim was Riviera Beach, a small city in Florida, on 29th May 2019:
Email is still the most common way for malware to find its way into a company’s network – an email with a malicious attachment. In this case, the email attachment was opened by an employee of the police department.
A second ransomware attack story was reported by the BBC in the UK: https://www.bbc.co.uk/news/business-48661152
Norsk Hydro, a global aluminium producer, was, or more correctly, is the victim of a prolonged cyber attack. The attackers had somehow gained access to the network weeks ago. The BBC report doesn’t say how the attackers got in, but the ‘how’ is not important. What matters is that they were in and spent their time understanding the structure of the network and probing it for weaknesses that could be used to exploit the network further. Think how elated they must have felt, knowing they had as much access to the network as they did.
21st June 2019 – Riviera Beach, Florida, USA;
25th June 2019 – Norsk Hydro, Oslo, Norway;
26th June 2019 – Lake City, Florida, USA;
2nd July 2019 – St John’s Ambulance, London, UK;
5th July 2019 – Eurofins Scientific, UK
The hackers spent their time well, preparing for their attack. And when they finally launched it, they affected 22,000 computers across 170 sites in 40 countries with ransomware. All computers displayed the ransom note as soon as the attack completed.
The third successful attack was, again, on a city in Florida, this time Lake City.
The BBC News report doesn’t say how the attack happened, but this, too, was most likely through an attachment in an email being opened.
Attack four, the charity ambulance service based in the UK, St John’s Ambulance.
Unlike some other attacks, none of St John’s operational systems were affected, but their training course booking system was. The charity was quickly able to isolate the attack and had the situation resolved in less than half an hour.
Some of the data encrypted by the ransomware was personal information, such as details of course students and, in some cases, details of their driving licences. However, the charity confidently reports that none of this data left their network. Despite this, they recognised the attack as a crime and reported it to the Police, the Charity Commission and the UK’s data regulator, the Information Commissioner’s Office (ICO).
Attack five, the UK arm of the Luxembourg-based forensics company, Eurofins Scientific
This attack happened almost a month earlier and their systems are only just returning to normal.
If this was a race…
So, which of these attacks stands out from the others? Well, if this were a race, I would award first place to Norsk Hydro and a close second place to St John’s Ambulance. Eurofins Scientific, and the cities of Lake City and Riviera Beach would each be disqualified and marked as DNF – Did Not Finish on the race results sheet. Why? Neither St John’s Ambulance nor Norsk Hydro paid any ransom money to the cyber criminals responsible for the attacks, or even contacted them, whereas Lake City and Riviera Beach paid over $1million between them to recover their encrypted data. Eurofins Scientific have not publicly disclosed how much ransom they paid.
Riviera Beach paid $600,000 for a city with 35,000 residents – that’s more than $17 per person. Lake City paid $500,000 – most of which was covered by Cyber Insurance, leaving $10,000 to be paid by the City’s taxpayers.
What’s incredible is that Riviera Beach called a cyber security specialist for advice and then paid the ransom which was covered by the City’s insurance policy. It gets better. Rose Anne Brown, a spokeswoman for the town’s council said there was no guarantee the criminals would restore the town’s computers once the ransom had been paid.
Why have Norsk Hydro been awarded first place? The attack on them was orders of magnitude larger than that of St John’s Ambulance who, as I have already mentioned, were able to resolve the issue in less than 30 minutes.
Norsk Hydro called in long-retired engineers to help the engineers of today work without the aid of modern computer-dependent systems, have spent the time since the attack and £45million restoring their systems, and did not contact the attackers, let alone pay any ransom. So, for our race, Norsk Hydro are awarded first place and St John’s Ambulance, who, like Norsk Hydro, did not contact the attackers or pay the ransom, a deserving second place.
To Pay or not to pay
So, should you pay a cyber criminal’s ransom or not? You’ll probably already have guessed what my opinion is, but let’s first take a look at what is happening here:
Your PC shows a screen indicating to you that all of your important files are encrypted, the contents scrambled so they cannot be read.
You are told the files cannot be restored without the ‘key’ or the special code which only the criminals hold.
The message tells you the ransom amount: Riviera Beach’s files were ransomed for $600,000.
It indicates that if the ransom is not paid within a short time (sometimes as little as 24 hours) the ransom will double.
There is a warning that if you do not pay, the ‘key’ will be deleted, giving you no chance to recover your files.
You know the files that have been encrypted are vital to your organisation and will include:
Customer contact data
Simply put, your company cannot function without these files.
So, in order to restore normal business operations as quickly as possible, you choose to pay the ransom.
And as if by magic, all your encrypted files are restored and business operations can continue as normal – as if nothing has happened!
Well, no! So what has happened, then? And why won’t paying the ransom recover my files as the note suggests? Ok, you might be lucky, but consider this:
Your PC, PCs or network was illegally attacked, probably by someone opening an email attachment from a seemingly genuine source.
The illegal attack was initiated by criminals.
The criminals have no interest in you, your company or your customers.
Their only motive is profiting from your loss.
You are dealing with criminals. What interest do they have in restoring your files? What guarantees do you have that you will get the ‘key’ to unlock your files?
Even if you do get the key, what do you do with it?
The files were encrypted using the program that was attached to the email.
To unlock them, you are going to need another program that uses the decryption key. Are the criminals going to supply it? I doubt it. They’ve been paid. So they have what they want.
You, most likely, will have to pay someone to write the program for you, more expense, on top of the ransom.
What happens if you pay and you don’t get the decryption key? You are no further forward.
It’s ok, though. Both Riviera Beach and Lake City reported that they had insurance to protect them against an attack like this. I don’t think it worked, guys. Instead of you, it’s your insurance company that pays the ransom to the… wait one moment… oh, yes – to the criminals. And that comes with the same guarantees of success as if you had paid the ransom yourself – None! And your insurance premiums will go up next year – In the case of Riviera Beach and Lake City, that means the residents’ taxes will increase.
[Ok, that description is not fair to insurance companies. Their business is all about risk management. But even that description isn’t helpful. Pay a higher insurance premium, the risk is lower? Not really, no. To me, insurance companies compensate you when something does go wrong. They can’t prevent things from going wrong in the first place.]
Paying a ransom of this sort is not helping anyone. In fact, it will only make matters worse. All you are doing is funding the criminals to the tune of $1.1million (in the case of the two Florida cities) and more, if you include other organisations that have been attacked – and paid the ransom. And with that funding, they can continue to operate, creating more and better cyber attacks such as the ransomware that has attacked the five organisations discussed in this article.
It is not acceptable on any level to pay criminals who are blackmailing organisations like this. And for an insurance company to offer protection against attacks like this by paying those criminals? I’m sorry, but that is not protecting your clients.
One insurance company told me they pay the ransom to help get the company up and running again as quickly as possible. And if you look at it like that, it seems reasonable to pay. If your car gets damaged in an accident, then the money the insurance company pay will get the car fixed. Paying criminals gives no such guarantees of success.
On no account should a ransom like this be paid. Both Norsk Hydro and St John’s Ambulance have been praised by the IT Security for their response to cyber attacks. Both have demonstrated it is possible to recover from ransomware attacks and St John’s Ambulance have shown this can be done with minimal business interruption, if you are properly prepared for an attack.
It’s not only the damage that is done to the data, but the possibly irreparable damage to your company reputation. You were attacked and you paid a ransom to criminals?
The reputations of Norsk Hydro and St John’s Ambulance, to my mind, have gone up – because they did not pay. The others, not so much.
In the UK, there were 5.6million small businesses at the beginning of last year (2018). Of those, 43% reported a breach or cyber attack; that’s over 2.5million companies or more than 4 in 10.
So, with figures like this, if your company hasn’t been attacked, successfully or not, then you are lucky.
But you have had plenty of warning. Ransomware has been around for a very long time, but only really hit the news for the first time in 2013 and, more memorably, in 2017 when an attack that spread worldwide hit the NHS in the UK and caused huge problems, forcing hospitals to turn away patients and cancel operations.
And, it seems, ransomware attacks are on the rise!
But it isn’t just ransomware…
Ok, there are millions of malicious programs out there just waiting to attack your computers and your data, but just consider for a moment what ransomware does. It prevents you from accessing your important data.
There are other ways this can happen that do not involve any ransom or ‘required’ payment to criminals.
Here are just a few ways you can lose access to your data:
Hard drive failure
Are you protected against disasters like these? How can you protect against these? The answer is regular, reliable and tested backups.
For ransomware protection – or more correctly, protection against any form of malware:
Cyber security training for all your staff is a vital step. If they understand what to look for, they can prevent an attack before it happens.
Up to date antivirus software
Ensure your operating system and applications are supported and fully patched.
Nobody can guarantee 100% protection against a cyber attack, but you can make it very difficult for them to succeed and with a proper backup policy, you should be able to recover from an attack quickly – without ever having to resort to paying criminals.
In summary, don’t wait for the inevitable attack to happen. Prepare for it now. Ensure you have recoverable backups, up-to-date programs, operating systems and anti-virus software, and make sure your staff are trained in cyber security. Spotting an attack before it starts is the best way to prevent it.
13th July 2019