We hear about ransomware attacks with increasing regularity, yet many organisations either do nothing or very little to prevent it. A few businesses from TouchstoneFMS’ customer base of several hundred have been hit last year, and we’ve help them rebuild from the devastating impact such an attack can have.
In the first of this 3-part blog series, we look at what a ransomware attack is, and how your business could become victim of such an attack, as well as looking at some of the real-life consequences of these attacks.
What is a ransomware attack?
Ransomware is a type of malware that threatens to publish the victim’s (business or personal) data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system and might be reversed by a specialist, more advanced malware cannot.
It uses a technique called cryptoviral extortion to encrypt the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In such a cryptoviral extortion attack, recovering the files without the decryption key is almost impossible, in which case they are lost forever.
The ransom is typically demanded in cryptocurrency and so difficult to trace, making finding and prosecuting the perpetrators almost impossible too.
How does it happen?
Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. From there it goes on to infect any computers on the network that are not suitably protected.
However not all attacks begin with a Trojan, some exploit vulnerabilities in the operating system. The most infamous case being the worldwide WannaCry ransomware cyberattack in May 2017, which targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in Bitcoin. It propagated through a vulnerability in older versions of Windows.
Microsoft had released patches previously to close the vulnerability. Much of WannaCry’s spread was within organisations that had not applied these or were using older versions of Windows that were past their end-of-life. Our own NHS was one such organisation. These patches were imperative to organisations’ cyber security, but many were not implemented due to ignorance of their importance.
Can it affect SunSystems® users?
The most recent example and directly related to users of SunSystems® 6.3 (PS21 and above) and SunSystems® 6.4 is the exploit found in Log4j, an open-source logging library commonly used by apps and services across the Internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
SunSystems® author Infor has now issued patches to close this vulnerability in the software versions affected. Our strong advice is to get your system patched up if you are running these versions of SunSystems®. For more information on the Log4j issue you can find a wealth of advice on the National Cyber Security Centre website.
A massive disruption to the business
One of our customers, a long established SME business of 200+ employees with c£40m turnover, experienced a ransomware attack last year. Most of their business systems were on premise and managed in-house.
Their network was infected through a Trojan and ransomware propagated across the entire corporate network which encrypted all the data files on all servers. A ransom of £100,000 was demanded, the customer was not prepared to pay and decided to rebuild the entire network estate from back-ups and security copies.
It took the IT team (4 FTEs and 2 Contract staff) over a month to put a basic infrastructure back in place to allow the business to function. In the interim manual records were kept on new PCs and laptops that were either purchased or hired in. This customer also spent several thousands of pounds re-instating SunSystems®.
The disruption to the business was massive: they lost revenue as they were unable to fulfil some orders, source goods in a timely manner and IT and staff costs increased significantly during the outage.
Cost of business disruption often higher than the ransom
Another of our customers also hit last year estimated the cost to the business was well over the £500,000 ransom requested.
This large corporate, with 550+ employees and £300m turnover, had a mixture of business systems: the majority (60%) still on premise and the rest in Cloud hosted environments such as AWS.
Again, the network was infected through a Trojan with all data files being encrypted until a ransom of £500,000 was paid via Bitcoin. The customer rightly decided not to pay, however due to the criticality of the systems they brought in a significant number of contractors to help quickly reinstate the systems, including spending more than £30k with us to rebuild SunSystems® from a very old backup.
This was the only way they could be sure they would not be held to ransom again.
Some businesses will choose to pay the ransom, as did one of our customers. They opted to pay the six-figure ransom as the disruption to the business was just too great if they had gone down the road of reconstituting their systems. There is however no guarantee that once you have paid, the criminals will decrypt the data or keep it for future attacks or extortion.
A situation best avoided
Quite simply, a ransomware attack has the potential of putting you out of business, whether that’s through the release of sensitive and personal data into the public domain or worse still to cyber criminals, or by locking you out of critical business systems such as online ordering, billing, banking, cash management, purchasing, inventory, HR and payroll.
Without any of these critical systems, in particular customer facing/front of house systems, a business may not be able to function for more than a few days, at best a couple of weeks. Arguably, back-office systems such as financial ledgers and reporting may not be as important but even without those systems a business would be seriously impaired if it had to do without them for more than a month or one reporting cycle. The criticality and effect of the attack will depend on the nature of the business and any resilience it has built in through continuity planning.
If you have concerns about your business’s vulnerability to ransomware attack, get in touch for a chat about your options.