The world’s biggest ransomware attack, which is thought to have affected around 150 countries¹, has brought critical institutions such as hospitals, governments agencies and private business to a halt. The speed of the attack was unprecedented.
As Australian businesses returned to work after the weekend, they at least had the benefit of advanced warning: having seen the ramifications of the attack in earlier timezones, they may have had the opportunity to take preventative action on their own networks before switching on computers on Monday.
Such measures could actually be quite straightforward: scan staff emails for phishing messages, and update the operating systems. Effectively implement application whitelisting to prevent the malware from running.
Nonetheless, it’s astonishing how many businesses still leave themselves vulnerable by neglecting their basic cyber hygiene.
Ransomware: holding businesses hostage
The impact of a ransomware attack cannot be underestimated. The UK’s national healthcare system, the NHS, for example, found that some health services and hospitals were unable to access patient data because their computers were locked. Some hospitals were forced to cancel all outpatient appointments and divert ambulances².
In the aftermath, the UK’s home secretary Amber Rudd admitted “we can all do better to protect ourselves” – and this is a regret that every business, large or small, should heed. (Small to medium-sized private businesses, as well as government agencies, have also been targeted in this latest incident.)
Ransomware is estimated to cost the Australian economy AU$1 billion a year¹. Research has shown that last year, Australia was the most targeted country in Asia-Pacific for ransomware attacks³. At time of publication it looks like three Australian organisations have so far fallen victim to this attack.
How could the cyber attack have happened?
Ransomware is a form of cyber attack that encrypts the files on a computer, making them inaccessible to anyone without the encryption key. A ransom is then demanded in order to unlock the files. If it isn’t paid, chances are that the files on that computer are irretrievably lost.
This weekend’s incident is driven by a worm, a particular virus that replicates itself across a network, meaning it starts on one computer, and can infect every computer it’s connected to. Each computer received a separate ransom demand – in this latest incident, reportedly a minimum US$300 per computer.
Likely, though not confirmed to be the cause of this incident, ransomware generally gains entry to a network through phishing – a simple, classic scam that involves sending an infected email which is activated if one of the links is clicked. If the email is deleted and not acted upon, it doesn’t pose a threat.
Phishing is still the most effective tool for cyber criminals. PwC’s 2017 Global State of Information Security Survey revealed that phishing has emerged as a significant risk to businesses of all sizes and across industries. Over the past year, 38% of organisations both globally and in Australia reported phishing scams, making it the top vector of cyber security incidents.
A problem on your doorstep
Ransomware is an increasingly prevalent threat, with a rising number of variations designed to target networks. In spite of this, many organisations still treat it as a crime of the future, or assume that it will happen to someone else.
The likelihood of any organisation becoming a victim is in fact very real, and very immediate. The cost of recovering from an attack is significant.
How can it be stopped?
There are pragmatic steps which organisations can take to reduce the likelihood of incidents, limit their impact if one does occur, and to recover swiftly and effectively.
These span several aspects of IT operations and security and include:
- Robust business continuity planning and exercising and the ability to restore rapidly from backups;
- Crisis and incident response planning and testing to ensure incidents are managed to resolution swiftly;
- Strong security hygiene policies and user awareness to prevent ransomware entering your IT environment through both technical controls and vigilant employees;
- Rigorous patch and vulnerability management ensuring you make effective use of work already done to address vulnerabilities.
Our priority recommendations for management and IT colleagues to consider (subject to the operational impacts of such changes) are:
- Provide your desktop and server IT operations teams with all the support they need to rapidly deploy Microsoft’s April and May security updates, along with MS17-010;
- Accept that addressing issues may require temporary disruption to some services on your IT systems as additional controls are implemented and vulnerable services disabled – for example, enabling two-factor authentication for all external access to systems (e.g. VPN and RDP).
The ransomware bind
It is exceptionally hard for perpetrators of such attacks to be caught and stopped. Therefore, for the foreseeable future, ransomware will continue to be a lucrative proposition for criminals.
We never recommend paying a ransom – unless there are extreme circumstances that warrant payment. It just fuels the ransomware economy, funding development of additional ransomware techniques and campaigns.
The most important course of current action is for government agencies and businesses to take pragmatic steps to reduce the risk of incidents occurring, and limit their impact when they do occur.
The steps outlined above are nothing new: they form the bedrock of basic cyber security. Hopefully, this incident is a wake-up call to all businesses to implement them robustly and without exception. Prevention is far, far more effective than the cure.
PwC has released a report containing more technical details and recommendations about this ransomware. To request a copy, please email threatintelligence@uk.pwc.com.
