“Oops, your files have been encrypted! Don’t waste your time looking for a way to recover your files – you can’t without our paid decryption service. You only have 3 days to pay us £989 of bitcoin. After that the price will be doubled. After 7 days, you won’t be able to access your files forever. We look forward to receiving your payment soon.”
This type of message is becoming all too familiar to an increasing number of organisations and, unfortunately for them, by the time it appears it may already be too late. If successful, such ransomware can paralyse an entire organisation by disrupting its standard business operations, usually at a significant financial loss. The costs of recovery and reputational damage are also likely to be high.
This article outlines some organisational and technical controls that organisations can use to reduce their risk of falling victim to a similar attack.
What is ransomware?
Ransomware is a form of malware that a cyber attacker uses to encrypt a victim’s computer or files so that the victim cannot access their data. The attacker subsequently demands, usually via a notification on the screen, a ransom from the victim within a specified timeframe, in exchange for the decryption key which will purportedly restore the victim’s access to the data.
If the victim does not have data backups or the ransomware encrypts the backups as well, the victim is faced with paying the ransom to recover access. However, there is no guarantee that the attacker will restore access even upon payment.
The Kaspersky Consumer IT Security Risks Report 2021 found that 56% of global respondents that were a target of ransomware paid the ransom to restore access to their data, but 17% who paid did not have their access restored. Only 29% of respondents who experienced such incidents were able to restore all their encrypted or blocked files after an attack, 32% lost a significant amount of files, 18% lost a small number of files and 13% lost almost all of their data.
A minor inconvenience?
An organisation’s failure to implement appropriate safeguards in respect of ransomware may constitute a breach of Article 5(1)(f) of the GDPR, which prescribes that: “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” As such, being a victim of ransomware can signal that your organisation is in breach of the GDPR and, if you are considered critical infrastructure, you may also be in breach of the NIS Directive requirements as well.
Furthermore, there is a significant cost involved. The BBC reported that the Scottish Environment Protection Agency had, as of April 2021, spent a total of £790,000 on recovery from an attack on Christmas Eve 2020, and that it was expected that a full recovery would in fact take up the remainder of 2021-22. In addition, South and City College Birmingham, which has approximately 13,000 students, had to close all of its campuses in March 2021 following a ransomware attack.
The most common attack vectors for ransomware are:
- phishing emails that masquerade as originating from trusted sources to lure the victim into clicking on a hyperlink or opening an attachment containing a malicious file;
- USB and other removable media. For example, in September 2016, residents of the Australian city of Pakenham reported receiving USB devices in their mailboxes masquerading as a promotional offer from Netflix;
- malicious ‘drive-by downloads’ that happen without the knowledge of the victim when they visit a compromised website. It is important to appreciate that this is not restricted to obscure or illegal websites. For example, the AOL, BBC, New York Times and NFL websites were all compromised through hijacked adverts; and
- using a brute force attack to compromise a legitimate Remote Desktop Protocol (RDP) service. RDP is intended to enable authorised IT administrators to remotely configure or use a user’s machine.
The shift to remote working and the other impacts of COVID-19 have increased many organisations’ exposure to these sorts of attacks.
Prevention is the best cure
Since ransomware is so difficult to recover from, the best protection from such malware is overwhelmingly preventative. In light of this, organisations should consider implementing:
- organisational controls, namely:
  - appropriate policies and training to educate employees to identify and not interact with phishing emails or suspicious websites, and not to use unauthorised USB or removable media; and
  - a business continuity and disaster recovery plan, which is subject to regular testing;
- technical controls to:
  - install antivirus software;
  - accept authorised security patches / updates to operating systems and software to proactively address vulnerabilities;
  - disable USB ports and RDP if they are unnecessary;
  - ‘whitelist’ authorised USB devices and software;
  - configure necessary RDP so that it is only accessible through an internal network, subject to multi factor authentication and strong passwords; and
  - use regular backups following the 3-2-1 rule (3 copies of the data, 2 different types of media and 1 version stored offsite).
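As an added example (not part of the original article or Trilateral’s own material), the following read-only PowerShell audit checks a Windows host against the RDP and removable-media controls listed above: whether RDP is enabled at all, whether Network Level Authentication is required, which remote addresses the firewall allows to reach RDP, and whether the USB mass-storage driver is disabled. It uses standard Windows registry locations and the built-in NetSecurity cmdlets, modifies nothing, and does not cover multi factor authentication or patch state, which need other tooling.

```powershell
# Added example: read-only audit of RDP and USB storage controls on a Windows host.
# Run from an elevated PowerShell session. Nothing is changed; findings are returned.

$findings = @()

# 1. Is RDP enabled? fDenyTSConnections = 1 means remote connections are denied.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 1) {
    $findings += 'OK   RDP is disabled on this host'
} else {
    $findings += 'WARN RDP is enabled; confirm it is actually required'

    # 2. Network Level Authentication requires valid credentials before a session is
    #    created, which removes the unauthenticated surface that brute-force attempts target.
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($rdpTcp.UserAuthentication -eq 1) {
        $findings += 'OK   Network Level Authentication is required'
    } else {
        $findings += 'FAIL Network Level Authentication is not required'
    }

    # 3. Which remote addresses may reach the RDP listener? 'Any' means the service is
    #    reachable from outside the internal network; an internal-only configuration
    #    should show LocalSubnet or explicit internal ranges here.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "FAIL Firewall rule '$($rule.DisplayName)' allows RDP from any address"
        } else {
            $findings += "OK   Firewall rule '$($rule.DisplayName)' restricted to: $($addr -join ', ')"
        }
    }
}

# 4. USB mass-storage driver: Start = 4 means disabled, which blocks removable drives
#    such as the unsolicited USB devices described above.
$usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
if ($usb.Start -eq 4) {
    $findings += 'OK   USB mass-storage driver is disabled'
} else {
    $findings += 'WARN USB mass-storage driver is enabled; whitelist approved devices or disable if not needed'
}

$findings
```

Any FAIL line is a direct gap against the controls above; WARN lines flag settings that need a business justification rather than an automatic change.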
Trilateral’s Data Governance and Cyber Risk Team has significant experience supporting organisations in implementing appropriate security measures in respect of personal data, and / or raising internal awareness of the importance of data protection. We offer a range of data protection services, including audit and assessment, vulnerability scanning and penetration testing, and compliance support services. For more information please feel free to contact our advisers, who would be more than happy to help.