Within 30 seconds of an employee at Moorabool Shire Council, in Australia’s state of Victoria, clicking on a link in an innocuous-looking email, IT systems coordinator Gary Pugh had received an email alert that his organisation had just been attacked with ransomware.
Pugh rushed over to the employee’s computer and disconnected it from the server to prevent the virus spreading. Staff were alerted about the possibility of other dangerous incoming emails, and the computer was wiped clean.
Less than a month later, the council was attacked a second time.
Harm was again averted thanks to a timely alert from file server monitoring, and because the council made regular back-ups, which kept data from being lost.
Nonetheless, the frequency of attacks was concerning, so the council implemented a raft of additional protective measures.
“We carry information about [approximately 40,000] ratepayers, such as their names and addresses, which is classified as personal identifiable data,” says Lalitha Koya, manager – information and communication technology.
“We know that an attacker will gain status in the hacking community by successfully breaching a government body such as ours – and we would lose public trust if such an attack were successful.”
However, most organisations are not as well prepared for a ransomware attack, which usually starts with an email that entices the receiver to click on a link or open an attachment.
If an employee takes the bait, malware then encrypts files and data, making them inaccessible. The perpetrators demand that a ransom be paid to restore access, or to avoid the data being exposed to the public.
Ransomware attacks can be incredibly serious.
“In the most extreme case, a ransomware attack could wipe out a company,” says Josephine Phan FCPA, assurance partner at PwC Malaysia and former president of CPA Australia’s Malaysia Divisional Council, pointing out that a ransomware attack will rarely compromise only a company’s data.
“For example, if the data that has been encrypted is critical to operations, [there could be a severe] impact on the organisation’s ability to manage its cash flow and a prolonged disruption to its supply chain.”
Blind to the risks
Last year, 53 per cent of business owners globally reported a ransomware attack that caused a financial or reputational loss, which may have been incurred as a result of extended downtime, according to IT security provider Mimecast’s The State of Email Security Report 2019. This is up from 26 per cent the year before.
According to research by IT security company Sophos, the most frequently targeted industries include media, technology, telecommunications, utilities and transport.
“Attackers tend to target institutions with a low level of IT security infrastructure or if they possess highly confidential data,” says John Donovan, Sophos managing director Australia and New Zealand.
Despite the increasing prevalence of online blackmailing, many organisations are lax in their approach to protecting themselves. This is often due to the mistaken assumption that only large organisations are targeted.
In fact, 91 per cent of small and medium businesses in Australia reported a ransomware attack in the past two years, which was the highest rate of any country, according to a 2019 report by IT solutions provider Datto.
“Not taking steps to protect yourself from ransomware attacks is like not having locks on your store. However, many businesses fail to protect themselves, even though for most businesses nowadays, the intangible assets are far more valuable than the tangible ones,” says Garrett O’Hara, a Sydney-based principal technical consultant at Mimecast.
Making matters worse
Nick Abrahams is the global head of technology and innovation at law firm Norton Rose Fulbright, and he acts as a “breach coach” when a client is hit by ransomware. He recalls how one client, who cannot be named for confidentiality reasons, waited two days before contacting his team.
“Unfortunately, the internal IT team had attempted to back up the system from the archives, but they were not security experts, and it led to the ransomware encrypting the archives as well. The company was at a standstill – production, logistics, sales and finance were crippled,” recalls Abrahams.
His client then discovered that its insurance policy was limited in scope, so it was extremely fortunate that it was able to piece its systems and files back together – and thus avoided needing to pay the ransom. Experts say that being able to “jail break” data in this way is rare.
However, the organisation had to notify every individual affected, as well as the Australian Privacy Commissioner, because under Australian law, the credit card data that was exposed is classified as potentially causing serious harm, and thus disclosure is mandatory. The privacy commissioner’s office investigated and compelled the client to upgrade its security systems.
To pay or not to pay?
According to global data from Sophos, the average ransom paid in a ransomware attack is US$730,000 (A$1.04 million). However, O’Hara notes that, wherever possible, companies will conceal the fact that a ransom was paid, and how much was paid. As he puts it, “dealing with criminals is never a good look”.
Last year, two local governments in the US state of Florida paid a combined US$1 million (about A$1.4 million) in bitcoin to ransomware hackers.
The malware caused one council’s computer systems and landline phones to go down, and the city’s 65,000 residents were unable to pay their water and electricity bills or get building permits online. The effects were crippling, so after two weeks, council members voted to pay the ransom.
Other organisations have been known to bargain the hackers down to a more “acceptable” amount, says Donovan.
“Many cybercriminals run smart, commercial organisations with a business model, teams of people and salaries to pay, and so they approach the ransom as a sales negotiation and will sometimes allow the organisation being blackmailed to haggle a bit,” he says.
He adds that some ransomware outfits even have their own call centres, so that if a victim doesn’t know how to pay with bitcoin, a customer support representative can walk them through the process.
High-profile ransomware cases in Australia this year include government agency Service NSW, steel maker BlueScope Steel Australia and financial services company MyBudget, along with two attacks on global logistics company Toll Group.
During the second attack on Toll Group in May, it was forced to resort to manual processes after its online systems were shut down.
The cybercriminals gained access to employees’ salary information, superannuation details and tax file numbers, and threatened to publish the confidential information on the dark web if a ransom was not paid after a week.
However, Toll publicly declared it would not pay.
“Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network,” it said.
“Paying the ransom validates the business model of hacking, and provides an incentive for them to do it again,” O’Hara says.
Be warned that, if you do pay up, there is no assurance that the perpetrators will decrypt the data. Phan notes that, sometimes, rookie hackers set up the decryption algorithms so poorly that the key doesn’t work.
Paying the ransom can also end up costing more than ignoring the ransom demand and doing a complete rebuild of data systems, because recovery costs must still be factored in. According to Sophos research, the total cost with a ransom payment factored in amounts to US$1.4 million (about A$2 million).
“However, some people will pay the ransom because they just don’t have the ability to recover from these sorts of attacks,” Donovan says.
Phan says that deciding whether to pay will come down to commercial considerations – including if the data potentially leaked is extremely sensitive – or if not paying could endanger life.
“If losing access to the data could be life-threatening, such as if it relates to medical reports, there may be no choice but to pay,” she says.
With no cure, prevention is vital
While it is impossible to prevent a ransomware attack, having strong systems in place can make an organisation less appealing to attackers. Knowing what to do after an attack can prevent panicked decision-making and may enable staff to continue working.
PwC works with organisations to improve resilience by simulating ransomware attacks. Just as in military exercises, there are “red teams” and “blue teams”, with the red team looking for weak spots and the blue team defending against the attack.
“These ‘ethical attacks’ are based on various scenarios, such as a disgruntled staff member. They are carried out unannounced, with only a few senior management staff aware of what is happening,” Phan says. She adds that the aim is to test whether the attack is detected and how fast the response is.
No matter how good an organisation’s IT security systems are, educating staff about potential risks is absolutely vital. With more employees working from home than ever before, it is especially important to drive home the message that, when in doubt, you should not click on a suspicious-looking link.
You’ve been attacked – what next?
If an attack occurs, it is worthwhile informing the police – but be aware that there is very little the police can do.
“The police will investigate, but it’s not as though they can decrypt your files,” says Garrett O’Hara.
Prosecution is virtually impossible due to the perpetrators being offshore or untraceable.
Nonetheless, it is vital to seek legal advice before paying a blackmailer, as there may be legal consequences. Those with cyber insurance should get their insurance company involved, as they can advise on whether or not to pay a ransom. It could be that the insurance policy is voided by paying a ransom.
Another tip is to preserve the evidence and complete an incident response report, as this will help with an insurance claim.
In the absence of insurance, No More Ransom provides free assistance to help retrieve data without paying a ransom. It is supported by the Australian Federal Police and global IT security companies.