Edmonton Journal

Act quickly to minimize damage from cyber attacks

- PETER KENTER

Advice for businesses that have been hacked or attacked by ransomware: hire professionals as soon as possible to negotiate with the attacker, pay the settlement and then restore the integrity of the company’s data or network.

“In movies, police tell victims of crime that they shouldn’t pay a ransom,” says Joseph Khunaysir, chief technology officer with Canadian IT service provider Jolera Inc. “But law enforcement can’t help you with a cyber attack and there’s little you can do to help yourself. It’s best to have a professional negotiate a settlement with the attacker as quickly as possible.”

Database hacks and ransomware attacks have similar consequences: a disruption of business and a demand for cash, usually denominated in Bitcoin. However, the method of attack is very different.

“Ransomware is generally an automated targeted attack,” says Khunaysir. “It comes in through various routes, but it is usually a link that leads you to the malware, commonly delivered via an email phishing scheme where somebody is tricked into downloading a sophisticated virus. These attacks spread quickly, encrypting the data and locking down the servers. There is a message that comes up telling you that the data is inaccessible and whom to contact to restore it. Once contacted, the person or team behind the attack run you through a series of steps and tell you how much ransom you need to pay to unlock your data from encryption. In our experience, they’re asking for between $2,000 and $15,000 from small to medium-sized businesses.”

Once the ransom is paid, the victim receives a decryption key and tool that runs to unlock the files.

“These attacks are generally orchestrated by businesslike organizations that, surprisingly, pride themselves on customer service,” says Khunaysir. “After you pay, the attacker will generally deliver as promised.”

Hacks are another threat to contend with; they are much more sophisticated and typically involve data theft from large enterprises. Once inside the system, attackers take their time, exploiting various vulnerabilities to roam from database to database until they hit the jackpot in the form of sensitive user data, at times including credit card and social insurance information.

“The attackers use anonymous email addresses or YouTube accounts to send screenshots or smartphone footage of the ‘hostage’ data to the companies,” says Khunaysir. “The companies will be able to see the file names and directories and samples of the data to prove the attackers are holding it. They might offer to destroy their copy of the data and even explain which vulnerabilities they exploited to get into the system once they receive a settlement amount — and that settlement is typically much higher than what’s requested for an automated ransomware attack.”

Why wouldn’t hackers simply indulge in identity theft, make fraudulent charges to credit cards and empty bank accounts instead of asking for a ransom payment?

“I’ve communicated with some of the assailants over encrypted chat and I’m going to go suggest that most of the hackers feel they’re performing a service by showing an enterprise how it can do a better job of protecting its data,” says Khunaysir. “Once they receive payment, destroying their copy of the hostage data is a matter of honour. On the other hand, if no payment is made, the data will likely be sold to the highest bidder on the Dark Web.”

Jolera typically initiates two teams to deal with hacks: one to secure the network and minimize the impact of the breach, and the other to negotiate with hackers for payment and information regarding the attack.

“You need to develop a level of trust between the negotiator and the assailant holding the data hostage,” Khunaysir says. “You can’t do that effectively while you’re working to repair the damage they caused.”

Time is always of the essence.

Khunaysir recalls a client who was compromised by an attacker employing passwords used by company personnel on other sites. The attacker then used those passwords in a series of guesses before successfully gaining access to the company server and installing the ransomware virus. The client approached Jolera two weeks after the attack and the arrival of a demand for $15,000.

“The client didn’t want to pay the ransom and thought they could restore everything from backup,” says Khunaysir. “Unfortunately, their backup contained corrupt, unrecoverable files. By the time they were willing to pay, the attacker was no longer responding and had moved on. They lost far more than $15,000 on the services of a data recovery lab and on business losses before they could resume operations.”

However, the best response to threats of hackers and ransomware is still a good defence — one that stops attacks before they happen.

“Train your staff, develop a good password protocol and secure your servers and IT infrastructure,” says Khunaysir. “Back up your data regularly and make sure your networks are monitored for suspicious activity. Also make sure to have a response protocol in place to deal with potential attacks. Cyber attackers are becoming more sophisticated, but we’re continuing to develop more advanced tools to curb their attacks and protect customers.”
