Labour has recently introduced a bill to parliament which would require all organisations over $10m turnover to notify the Australian Cyber Security Centre before they pay a ransom to recover access to their files, so what is Ransomware?
Ransomware is software which prevents an organisation from accessing some or all of their data until an amount is paid to the people who are holding the data hostage. There are a number of different methods attackers can use to infect systems, but the intention is always the same — block access to files and make an organisation pay to restore access rather than lose valuable information. In more recent cases, attackers have threatened to release confidential information or intellectual property to competitors or the public to prevent the organisation from simply restoring backups and not paying.
How do you become a victim of a Ransomware attack?
In general there are three main methods used to hold files hostage — malicious software, phishing scams and remote access.
- Malicious software — Malicious software was previously the most common attack method. Generally this software came in the form of an email or link. The software encrypted every file on your computer and/or network and would include instructions on how to pay to get the files unlocked. While this does still happen most modern anti-virus products are generally quite effective at blocking this type of attack so phishing scams and remote access have become more popular.
- Phishing scams — In general the aim of a phishing scam is to send a legitimate looking message (email, sms, voicemail, zoom etc.) which encourages a user to provide usernames and/or passwords. These usernames and passwords can be used for a variety of purposes but some of the most common are Ransomware, theft of cash and theft of personal information. In their use of Ransomware the usernames and passwords can be used to connect to an organisations network in the same way a user would when working from home.
- Remote access — The COVID-19 pandemic brought many opporutunities to work differently and this was no different for Ransomware. With the rise in working from home and the sometimes rushed out nature of remote access solutions, there has been an increase in attackers exploiting vulnerabilities or using stolen credentials (see phishing scams above) to access an organisations network. These attacks can be some of the most damaging and difficult to recover from as the attacker can take their time looking around the network, documenting the software and systems in place and planning the attack for maximum effectiveness. These attackers will often identify the backup location first and ensure the backups are made unavailable along with the rest of the environment to make restoring from backup more difficult than paying the ransom.
What can I do to prevent Ransomware?
Especially with the remote access attack above, Ransomware attacks can be very hard to detect and stop outright. If the attacker has enough time and resources to focus on your specific organisation, for an extended period there is a possibility they will gain access. For most small and medium organisations, having a few basic items in place can make your organisation a lot less attractive target for attackers. Things like: multi-factor authentication, building good password policies (including password blacklists to prevent people using Password01), locking down remote access to only those who need it and keeping software and systems up to date, are all simple steps that make access for attackers much more difficult. In addition, ensuring backups are not accessible on the organisation’s network can provide a recovery path if you are attacked.
As with any business risk there is a trade-off between the likelihood, the value of the data your organisation stores, the cost of downtime and the cost of prevention but, the cost of a successful Ransomware attack can quickly add up even if you don’t pay the ransom.
How can PKF help?
Prevention: PKF have worked with several clients around providing an independent review of the IT design and technology in place and advised on where it can be improved to provide more resilience and visibility over things like Ransomware.
Cure: We have also assisted organisations work with their existing IT providers after an incident has occurred to provide assistance with the recovery and post incident reviews to see where processes and technology can be improved to prevent future incidents.
Get in touch with our team today to see how you can get better protected.