Autumn 2019. On a Friday afternoon, employees of a logistics company reported a problem with system operation to their IT supplier, an external company. Employees of this supplier (let's call them the IT Specialists) found that the outage was caused by data encryption carried out by hackers. The IT Specialists left solving the problem until Monday, claiming that they had system backups. Only then did it turn out that the backups of the storage system were also encrypted. Without the system, the company was virtually paralyzed, although other systems (e.g. the accounting package) could still be launched.
The hackers demanded a ransom of $5000 in bitcoins.
Our Incident Response Team received a report of the ransomware attack on Tuesday (4 days after the incident!), because only then did the IT Specialists inform The Company about the seriousness of the problem. The pitfall was the lack of usable backups of the storage system. Our task was to investigate the possibility of data recovery, to get the systems running again and to provide a level of security that would prevent similar attacks.
Actions taken
- We examined the encrypted samples and confirmed that there was no known method to decrypt the data, so there was no point in paying the ransom: apart from the ethical aspect (funding criminal activity), in this case the algorithm used by the criminals made the decryption of large data files impossible even with the key. There was no sense in throwing good money after bad.
- We analyzed the actions taken by the IT Specialists to restore the operation of the systems and infrastructure in The Company: we identified the errors and omissions which enabled the attack, and we presented a list of actions to be taken to mitigate the risk of further "successful" attacks and to make their consequences much less painful (if they occur).
- We verified the attack's entry point. Initially, the IT Specialists claimed that the cause was one of the employees clicking on a suspicious link. We demonstrated that the real problem was errors in the setup and securing of the servers, which allowed almost "everybody" to take control of the Company's IT infrastructure.
Why was the attack possible at all?
The company responsible for IT infrastructure management did not secure remote access to the systems appropriately. Although procedures for securing remote access existed, the administrators had prepared a "temporary" facilitation for the convenience of one of the providers. Unfortunately, everyone then forgot about it.
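A "temporary" remote-access exception that nobody remembers is only found if someone looks for it. The script below, an added example that is not part of the original post and does not describe the incident's actual infrastructure, audits a constructed register of firewall/VPN exceptions: every enabled rule must have an expiry date if it is marked temporary or open to any source, expired rules must not still be enabled, and administrative protocols (RDP, SSH) must not be reachable from any source. The register format, the rule entries and the 30-day limit are assumptions for the illustration.

```python
"""Audit a register of remote-access exceptions for the kind of forgotten
"temporary" rule described in the post.  Added example: the register format,
the field names and every entry below are constructed for illustration."""
from datetime import datetime

# Constructed sample register, one exception per line:
# rule_id;description;owner;created;expires;enabled   (empty expires = no expiry set)
REGISTER = """\
R-101;Site-to-site VPN for HQ;netops;2018-03-01;;yes
R-207;RDP from vendor static IP;admin1;2019-02-14;2019-02-28;yes
R-211;SSH from support laptop, any source;admin2;2019-06-03;2019-06-10;no
R-230;Temporary RDP from any source for storage vendor;admin1;2019-07-22;;yes
R-240;HTTPS reverse proxy for web app;netops;2019-08-01;2020-08-01;yes
"""

ADMIN_PROTOCOLS = ("rdp", "ssh")  # assumption: protocols that must never be open to any source


def _parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_register(text):
    """Turn the semicolon-separated register into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule_id, desc, owner, created, expires, enabled = line.split(";")
        rules.append({
            "id": rule_id,
            "description": desc,
            "owner": owner,
            "created": _parse_date(created),
            "expires": _parse_date(expires),
            "enabled": enabled.strip().lower() == "yes",
        })
    return rules


def audit_register(text, today_iso):
    """Return (rule_id, reason) findings for enabled rules that should not exist as they are."""
    today = _parse_date(today_iso)
    findings = []
    for rule in parse_register(text):
        if not rule["enabled"]:
            continue  # disabled rules are not an exposure
        desc = rule["description"].lower()
        open_to_all = "any source" in desc
        if rule["expires"] is None:
            if "temporary" in desc or open_to_all:
                findings.append((rule["id"], "temporary/any-source exception with no expiry date"))
        elif rule["expires"] < today:
            findings.append((rule["id"], f"expired on {rule['expires']} but still enabled"))
        if open_to_all and any(proto in desc for proto in ADMIN_PROTOCOLS):
            findings.append((rule["id"], "administrative protocol reachable from any source"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_register(REGISTER, "2019-09-20"):
        print(f"{rule_id}: {reason}")
```

Run against the constructed register on 2019-09-20, the audit flags R-207 (expired but still enabled) and R-230 twice (no expiry, and RDP open to any source); the disabled R-211 and the documented, dated rules pass. In practice the register would be exported from the firewall or VPN concentrator, and the audit run on a schedule so that a rule created "just for this week" does not outlive the week.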
What were the consequences of the attack?
- One week of total business lockdown and two weeks until full customer service was restored
- High contractual penalties
- Loss of customers
Such severe consequences were caused by organizational and technical factors:
- The method of creating and storing backups of the storage system did not meet basic security requirements, therefore the backups were encrypted along with the data
- The external IT company downplayed the problem and postponed dealing with it until Monday, reporting it with significant delay. Our client did not have sufficient human resources to deal with the problem, or even to verify the activities of the external company.
- The company was not prepared for incidents resulting in the failure of its systems, and as a result it was completely paralyzed: a switch-over to "manual control" and servicing of the high-priority clients was only possible after a week.
- The company did not know how to communicate problems to its contractors, so communication with them broke down.
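The first factor above, backups that ransomware on the production host can reach and encrypt, is the one that turned a bad weekend into a paralyzed company. The script below is an added example, not code from the original post, and its inventory format, entries and thresholds are constructed assumptions. It checks a backup inventory for the basic requirements the incident shows matter: every system needs at least one copy that production cannot overwrite (offline or immutable), backups must be recent, and a restore must have been tested recently.

```python
"""Check a backup inventory against basic requirements: an offline or immutable
copy per system, a recent backup and a recent successful restore test.
Added example; the inventory format and every entry are constructed."""
from datetime import datetime

# Constructed inventory, one backup copy per line:
# system;target;copy_type;last_backup;last_restore_test   (empty test = never tested)
# copy_type: online (writable from production), immutable (write-once), offline (disconnected)
INVENTORY = """\
storage;nas01:/backup;online;2019-09-19;
storage;nas01:/backup2;online;2019-09-19;2019-01-10
accounting;tape-vault;offline;2019-09-15;2019-08-30
accounting;s3-lock;immutable;2019-09-19;2019-08-30
mail;nas01:/mail;online;2019-09-19;2019-09-01
"""

MAX_BACKUP_AGE_DAYS = 2         # assumption: daily backups, one missed run tolerated
MAX_RESTORE_TEST_AGE_DAYS = 90  # assumption: quarterly restore tests
SAFE_COPY_TYPES = ("offline", "immutable")


def _parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_inventory(text):
    """Group the inventory lines by system, preserving file order."""
    by_system = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        system, target, copy_type, last_backup, last_test = line.split(";")
        by_system.setdefault(system, []).append({
            "target": target,
            "copy_type": copy_type,
            "last_backup": _parse_date(last_backup),
            "last_restore_test": _parse_date(last_test),
        })
    return by_system


def check_backups(text, today_iso):
    """Return (system, reason) findings for systems whose backups would not survive
    or could not be relied on after a ransomware incident on the production host."""
    today = _parse_date(today_iso)
    findings = []
    for system, copies in parse_inventory(text).items():
        # A copy the production host can write to is a copy ransomware can encrypt.
        if not any(c["copy_type"] in SAFE_COPY_TYPES for c in copies):
            findings.append((system, "no offline or immutable copy; ransomware on the host can encrypt every copy"))
        newest = max(c["last_backup"] for c in copies)
        if (today - newest).days > MAX_BACKUP_AGE_DAYS:
            findings.append((system, f"newest backup from {newest} is older than {MAX_BACKUP_AGE_DAYS} days"))
        # A backup that has never been restored is an assumption, not a backup.
        tests = [c["last_restore_test"] for c in copies if c["last_restore_test"]]
        if not tests:
            findings.append((system, "restore has never been tested"))
        elif (today - max(tests)).days > MAX_RESTORE_TEST_AGE_DAYS:
            findings.append((system, f"last restore test on {max(tests)} is older than {MAX_RESTORE_TEST_AGE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for system, reason in check_backups(INVENTORY, "2019-09-20"):
        print(f"{system}: {reason}")
```

On the constructed inventory, evaluated on 2019-09-20, the "storage" system is flagged twice (only online copies on the same NAS, and a restore last tested in January) and "mail" once (online copy only), while "accounting", with a tape copy and an immutable cloud copy tested in August, passes. The point of the check is that two copies on the same writable NAS count as zero copies once the host that writes them is compromised.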
What can you do to be wise before the event?
- Make sure that your IT team is committed to ensuring the security of your infrastructure and, if so, that it does this properly.
- Make sure that your IT providers are contractually obliged to ensure the security of your data and systems. Check whether they have professional liability insurance policies covering "cyber" incidents, so that you can be sure that, in the event of their mistakes resulting in a hacking attack, you will be entitled to compensation.
- Check whether your IT infrastructure is resistant to attacks. Have an external audit and security tests carried out. This has nothing to do with trust or questioning the competence of your IT employees: security specialists track hackers' activities, have seen attacks from outside and inside organizations many times, and will point out the places that could unexpectedly become a source of problems.
- Prepare for the worst so that you are not flying blind when problems occur: develop Incident Response Plans, Disaster Recovery Plans and Business Continuity Plans. Such plans will allow you to take action in the event of a failure or an attack and will clearly describe:
  - how, step by step, your IT department (and external suppliers, if necessary) will restore the systems and make them fully operational;
  - how your company is supposed to work while the systems are down;
  - how to properly communicate with contractors and employees;
  - how and when to notify the relevant services (a hacking attack is a crime).
Do you think this is unnecessary and complicated bureaucracy? Try to imagine what would happen if the key systems in your company failed. Now imagine that the person responsible for IT has just gone on the vacation that had been postponed for years, and does not answer the phone because "there is no signal". Are you ready for all of that?
And if you already have plans developed, make sure they are tested: at least once a year and after each significant infrastructure change.
- Consider taking out decent "cyber" insurance for your company that will protect you from the financial costs of security incidents and provide you with the support of high-class specialists when an incident happens.
Feel free to contact our team: we will help you take care of your security, check your infrastructure and help you prepare "for the worst".