AJ Thompson, CCO at IT consultancy Northdoor, looks at how companies are dealing with ransomware attacks and how they can better protect themselves from the worst-case scenario. Cyber resilience can play a crucial role in protecting business critical data in the event of a successful cyber-attack, he suggests.
The recent weeks have seen a spate of high profile ransomware attacks. One criminal gang, Avaddon, has been particularly active, targeting hardware and software companies, oil and gas organisations, the Indonesian government’s airport company, finance companies and perhaps most significantly the AXA insurance Group.
AXA is an interesting example as it is not only one of the leading cyber insurance companies in the world, but had also recently confirmed that it was to stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. Avaddon claims to have stolen 3TB worth of data including medical records and passport screenshots from AXA’s Asian business. This is obviously hugely sensitive data, but it seems, unlike other companies hit recently, AXA is not paying out the ransom.
The ‘To Pay’ approach
This was not the approach that Colonial Pipeline took when it was hacked by Eastern European cyber criminals recently. The US’s largest pipeline was taken offline by another criminal gang, Darkside, taking control of its infrastructure, leaving fuel shortages in North and South Carolina, Georgia, Virginia and Florida.
It is reported that Colonial paid out $5 million in order to take back control of its systems, with the gang sending across the decryption tool to allow the company to carry on as normal. This approach obviously sets a precedent and the FBI has previously warned about paying such ransoms. $5 million seems a huge amount of money as well. The oil line itself does not seem to have been impacted and so paying out such a large amount of money to regain control of internal systems sets a precedent that many others will not be able to or will be unprepared to undertake.
The ‘Not to Pay’ approach
In a hack that fits in with recent malicious targeting of healthcare organisations in the midst of a pandemic, the ransomware attack on the Irish Health Service Executive (HSE) saw the organisation take down all of its IT services. The attack was identified as the human-operated ransomware variant known as “Conti”. It operates on the basis of a double extortion attack, meaning that it not only shuts down systems, but also threatens to release information stolen from victims unless the ransom is paid.
At a time of COVID-19 vaccination roll-outs and the general importance of an online service during a pandemic it was a purposely timed attack and one that the Irish Minister of State for eGovernment, Ossian Smyth, described as “possibly the most significant cybercrime attack on the Irish State”. It is not only COVID-19 related services that are affected, with X-Ray appointment and laboratory services in particular being severely affected.
Despite this, and in stark contrast to Colonial Pipeline’s approach, the Irish government has vowed, in line with its own policies, that it will not be paying any ransom. This also reflects the approach of another public-sector organisation, the Scottish Environment Protection Agency (SEPA). Like the Irish HSE, SEPA refused the pay to get back its 1.2GB of stolen data after the same Conti method of attack was successful in getting through defensives.
Cyber resilience
The amount of attacks getting through security layers highlights the need for organisations to think again about how they protect the data that lies within their organisations.
Cyber defences can only counter known threats and methods of attacks, and even then, only if companies are routinely implementing updates and patches. However, this reactive approach is always going to be behind the curve of increasing sophisticated attacks. The cybercriminal tends to be one or two steps ahead of defences, so sitting behind firewalls and anti-malware software can no longer be considered an effective approach. Having cyber defence in place remains critical, without it just leaves an open door. However, businesses also need to better prepare for the worst-case scenario.
Many companies also have Disaster Recovery (DR) solutions in place. Cyber resilience does not replace DR, and in fact presumes that it is already in place.
Unlike DR approaches to data, cyber resilience identifies the key data and claims it. DR simply takes the data pushed from the website or infrastructure. It is not specifically identified as key data and come in huge volumes. DR then takes the large quantity of data collected and places it in a data centre and in some cases a secondary, backup data centre. In contrast, the cyber resilience solution takes the business-critical data collected and holds it in separate offline silos, ensuring that the data is inaccessible to criminals who might gain access to infrastructure.
The way the data is collected also means that the silo is only open for the split second it needs to grab what it has identified as business critical information. The DR solution approach means that the portal is almost constantly open, offering cybercriminals an easier route in. The advantage of cyber resilience, is that the most business-critical data is safe, isolated and away from the hands of any criminals that successfully get through defences. This is the data that organisations need to ensure that they can carry on working, offering services and support, before, during and in the aftermath of any cyber-attack.
Business resilience
Resilience has been the key word for all businesses over the course of the last year. By showing resilience business have been able to continue through uncertain and ever-changing times. This resilience should be taken into protecting data, which is now more valuable and sensitive than ever before. By using cyber resilience tools alongside existing DR solutions companies can have some peace of mind that they are building more resilience into their business. Cyber resilience not only helps to keep the cybercriminal out, but also ensures, in the worst-case scenario, that the most business-critical data is safe, allowing companies to continue working in spite of the success attack, mitigating damage to infrastructure, reputation, and finances.
