24 Jul Ransomware attacks: how to prepare for?

This article is in response to the huge increase in ransomware attacks in recent months. The intention is to focus on the basic steps that can be taken by organisations to prepare for and reduce the potential for successful ransomware attacks.

Recent ransomware attacks

In the two most recent cases, meat company JBS reportedly paid $11M to the attackers, and REvil reportedly demanded $70 Million in what may be the most significant ransomware attack the world has seen.  The US Independence Day weekend attack on managed service providers (MSPs) started by targeting an MSP software tool provider called, Kaseya. Overall REvil estimated that 1 million systems were hit in the attack.

It does not matter whether a nation state or criminal organisation masterminds ransomware attacks, any business today is exposed. Whether you are a large organisation or a small one, criminals have learned to leverage attacks on MSPs to reach scores of businesses as an easy means to maximise profits.

These two recent attacks, and the earlier one on Colonial Pipeline ($5m) show that ransomware is truly a business risk and should be a wake-up call about the risk of cyberthreats.

Ransomware is a business problem and something that should be high on the agenda of all board members no matter the industry sector. The answer is not merely to stash bitcoin to pay for the ransom in the event of an attack – a strategy in any event under review following the introduction of the Ransomware Payments Bill 2021 (the Bill) to the Federal Parliament in June 2020. If passed, the Bill would require public and private entities to report to the Australian Cyber Security Centre (ACSC) any ransomware payments made. It would also enable the ACSC to disclose information contained in reports under certain circumstances.

Ransomware

Ransomware is a type of malicious attack where attackers encrypt an organisation’s data and demand payment to restore access to it.  Attackers may also steal an organisation’s information and demand an additional payment in return for not disclosing it to authorities, competitors, or the public.

Ransomware disrupts or halts an organisation’s operations and poses a dilemma for directors. The choice is, (i) pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or (ii) not pay the ransom and restore operations independently. The second option is only feasible if the organisation has vital information backed up, accessible and integrous.

The methods used to gain access to an organisation’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. At a minimum, organisations should endeavour to implement the Australian Government’s Essential 8.

While this is not as easy as may appear, the Essential 8 include the strategies to mitigate cyber security incidents to assist organisations protect their systems against a range of adversaries. These include:

1. 1. Application control to prevent execution of unapproved/malicious programs.
   2. Patching applications with ‘extreme risk’ vulnerabilities within 48 hours, always using the latest patches to prevent the execution of malicious code.
   3. Patching operating systems with ‘extreme risk’ vulnerabilities within 48 hours using the latest operating system version to avoid the compromise of systems.
   4. Restricting administrative privileges to operating systems and applications based on user duties to avoid the ‘keys to the kingdom’ falling into the hands of adversaries.
   5. Configuring Microsoft Office 365 Macro Settings to block and limit macros from the internet, because they can be used to deliver and execute malicious code.
   6. Configuring user application hardening to block/uninstall Flash, advertisements and Java on the internet which may deliver malware.
   7. Implementing Multi-factor Authentication for remote access and privileged users because stronger user authentication makes it harder for adversaries to access sensitive information and systems.
   8. Make Daily Backups of important data, software and configuration settings. Store these off-site, retained for at least three months. Test restoration initially, annually, and when ICT infrastructure changes to ensure information can be accessed following a cyber security incident including a ransomware attack.

Director duties

In light of the increase in ransomware attacks it will become more difficult for directors to explain why the basic steps of cyber hygiene in the Essential 8 have not been adopted and implemented.

We understand that not all directors are expected to have a detailed knowledge of all things cyber, but directors do have a right of access to information, and they need to ask relevant questions.

In addition to the Essential 8, we would like to share with you a preliminary draft of the Cybersecurity Framework Profile for Ransomware Risk Management, which includes five Cybersecurity Framework Functions and further basic steps for identifying and protecting critical data, systems, and devices from ransomware, and preparing to respond to any ransomware attacks that do succeed.[1]

For directors of companies that are owners and operators of critical infrastructure, we suggest this material will be particularly valuable. If you would like further information or specific advice on cyberlaw, security, data privacy and governance, as well as the Security Legislation Amendment (Critical Infrastructure) Bill 2020, we are here to help.

Tags: Security Legislation Amendment (Critical Infrastructure) Bill 2020; Cybersecurity Framework Profile for Ransomware Risk Management; Ransomware Payments Bill 2021; NIST; ACSC Essential 8; Director’s Duties; Corporations Act 2001 (Cth).

Notes:

[1] NISTIR 8374 (Preliminary Draft). Cybersecurity Framework Profile for Ransomware Risk Management https://csrc.nist.gov/CSRC/media/Publications/nistir/draft/documents/NIST.IR.8374-preliminary-draft.pdf