New research also reveals that two thirds of UK businesses have no official ransomware policy to guide employees in the event of an attack
There are many reasons organisations do not follow the latest software releases, but what seems to constantly fail is the “thought process” around protecting what you have, warns Colin Tankard, managing director of data security company Digital Pathways.
Tankard explains that in the most recent cyber attack that affected the UK’s NHS as well as organisations around the world, the malware was delivered through spear-phishing emails which, when opened, triggered a cyber-contagion on the internal network.
Being a hybrid design, it had a worm element, allowing it to spread through internal systems for maximum reach and effect. “What was interesting is that the infected system’s settings were scanned to work out the user’s language, then displayed the ransom demand in the correct language for the victim. It also changed the desktop backdrop in order to ‘grab’ the victim’s attention - no subtlety there,” he says.
“From reports it seems the fix was published back in March but, as with many patches, some organisations were slow to update. However, this malware also attacked older Windows operating systems which Microsoft had removed support for years ago, and which are no longer supported. This is why the NHS was so affected.”
Some 74 countries were affected by the attack, and organisations hit included FedEx, Honda, the German rail systems, universities and national telco Telefonica.
New research from Timico, an end-to-end, managed cloud service provider, in partnership with Datto, a business continuity solutions provider, reveals that the effects of ransomware attacks on UK businesses cause unquantifiable financial cost and immeasurable data loss.
Yet, despite this, there is an alarming lack of awareness when it comes to being prepared, with two thirds of UK businesses having no official ransomware policy to guide employees on what to do in the event of an attack.
The research report, entitled The Reality of Ransomware, polled 1,000 UK organisations, all of which were ransomware victims and many attacked within the last 12 months.
The research found that well over half (68 per cent) of respondents said that the effects of an attack were almost instant, with data systems going from fully functional to essentially useless within seconds and minutes.
Nearly a quarter (23 per cent) reported lockdown within just a few seconds, and 18 per cent said that systems were down within a minute of the attack. A further 26 per cent reported systems being blocked within a few minutes.
Going forward, Tankard advises that machines running old versions of Windows can be protected in other ways, such as locking the core of the machine down so no external program is allowed to launch or modify the settings. Secure ‘communities of interest’ can also be created, where core resources are only accessible to selected user communities, and are hidden from all others, including both rogue and good programs.
“In this way, any infection is contained within the community but, if an infection occurs outside of the community, the internal community remains safe,” he says. “This process requires greater control of users and resources but we often see organisations that are so poorly organised that users have access rights to data or services they really should not have. This is not only a privacy issue, it also means that a breach can quickly compromise the entire network.
“The main problem with the hack we saw over the weekend is that it was brought in by users clicking on a link, or being duped into thinking the message was genuine. It falls on the organisation to protect and educate the user but far too often this does not happen. User education needs to be ongoing to enforce the company’s policy on data handling or website visits.
“We have seen an 80 per cent fall in user bad practice when monitoring software, which prompts the user if they are about to breach a company policy. This is because the majority of users do not mean to do ‘bad things’ but sometimes they simply forget; once reminded, they quickly learn!”
A second issue is that most malware can stay on the system for up to 200 days before it is triggered, reports Tankard. “This brings into question how long back-ups should be held for, as most organisations, at best, keep a back-up for a month. What is needed is for monitoring of the core system attributes (its DNA) to look for anomalies, those subtle changes in the system’s operating system which are changed by malware, viruses, worms etc., and to alert the system managers of the threat.
“These checks can even automatically quarantine or ‘fight off’ the infection before it takes a grip. This means you don’t wait 200 days to know there is something afoot.
“Those who have been infected by this malware will no doubt be rapidly downloading the patches and fixes, ‘shutting the door’ and locking everything down.
“All businesses should ensure security patches are up to date and ‘kill off’ SMBv1; at the very least, block access to it from outside your network. It’s understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them.
“Our advice: update your installations, drop everything and get patching, and do something about your users and their random clicking on attachments or links!”