14th May 2020

The re-emergence of ransomware

Whilst the opportunistic ransomware attacks extorting small sums of cryptocurrency may have dwindled, the new year suddenly saw a much more targeted attack on big business.

Travelex, the currency exchange provider, was hit with a Sodinokibi ransomware attack that demanded a ransom to restore operations but also threatened to expose sensitive customer data that could have major implications under GDPR. Reports put the ransom demand at around £4.6m, heavy enough in itself, but a sum that almost certainly will be surpassed by the knock-on effect.

The company’s cashiers reportedly resorted to pen and paper to maintain operations at its bureau de change facilities in high streets and airports, with online orders suspended. As a result, major banks such as Barclays, Lloyds, Royal Bank of Scotland and Sainsbury’s Bank were unable to offer the online currency services provided by the company. Reports in the media suggested that Travelex was still working on restoring full services more than a month after the attack. Reputational damage to the company is difficult to predict, but this attack is a clear indication that cyber criminals are focusing on large organisations rather than small sums from individuals, although undoubtedly smaller ransomware-as-a-service variants will continue to hit SMBs.

A costly exercise

In addition, in the Travelex case, the criminals could also leverage the threat of leaking personal and financial customer information on top of simply withholding the restoration of business operations. Whilst data can be restored, restoring public trust, particularly after the loss of financial data, isn’t such an easy fix. Travelex has maintained that there is no evidence that customer data has been compromised, but transparency in disclosure is also important. Originally, the issue was reported as “planned maintenance” and an admission of a cyberattack only came a week after the breach.

The Travelex example is also indicative of the fact that the amount of downtime organisations suffer from ransomware is on the increase. According to the Ransomware Marketplace report₁, the average number of days a ransomware incident lasts has increased to 16.2 days. Larger organisations with more complex networks take longer to restore data from backups or to carry out decryption. Calculating the actual cost of downtime can be challenging as it has different effects on different businesses and organisations. Business interruption costs are estimated to be often five to ten times higher than direct costs.

Estimates of ransomware demands are difficult to establish, particularly if companies decide to pay and not disclose the issue, but it’s estimated that there were nearly half a million ransomware infections reported globally last year, costing organisations at least £4.3bn ($6.3bn). The average demand is estimated to be around £64,450 ($84,000₂). Downtime costs are even more difficult to calculate. Many observers state that companies should avoid paying the ransom at all costs. Firstly, there is no guarantee that access to files or systems will be returned and, secondly, payment only perpetuates the problem. Recently, it was discovered that the data recovery mechanism used by Ryuk, a widespread ransomware family, didn’t actually provide a complete recovery of some types of files, which resulted in data loss even when the payment had been made. There are of course many variants.


To encourage companies to make the payment, the ransomware known as Maze uses a different tactic. It simply places the company name on a website. If a payment is not forthcoming immediately, it then places a small amount of the stolen data on the site as proof that it has access to the data. Payment is usually in bitcoin or another hard-to-trace cryptocurrency.

Any size or type of company can fall victim

Whilst companies like Travelex are exposed because of their scale and public awareness, almost any size or type of company can fall victim. In the UK alone, there was a massive 195 per cent increase in reported incidents, according to SonicWall, reflected in an estimated 6.4 million ransomware attacks in the first half of 2019. The growth, following a drop in the previous year, has been largely attributed to the growing preference of criminals for ransomware as a service (RaaS), as well as open-source malware kits becoming cheaper and more readily available. GandCrab is the most popular example of this, enabling criminals with only limited malware knowledge to use an online tool to undertake an attack and pay for the service on a sliding scale. Spread through phishing emails and containing malicious JavaScript, it infects the system when downloaded.


Ransomware constantly evolves and there is no reason to think that it won’t remain a serious threat to companies. Criminal ransomware gangs employ increasingly sophisticated tactics: they look for a backdoor entry into corporate networks and then wait until they are ready to cause the maximum disruption by encrypting as many devices as possible. Reports suggest that Travelex may have been breached some six months before the ransomware was finally unleashed; 206 is the average number of days to detect a breach, according to Cybercrowd₃. These attacks typically occur during the night or early morning hours when oversight from security admin staff is limited. Travelex was said to be hit on New Year’s Eve, which supports this theory.

Robust security

Whilst there’s no complete solution to protect a business from ransomware or any other form of malware, resellers can help their customers to minimise the attack surface. The best defence is to have a robust security suite in place.

An obvious but sometimes forgotten step is to make sure that the antivirus software is up to date. Nowadays, most products have some form of feature to spot the suspicious behaviour associated with ransomware. It’s important to know what’s happening on the network by deploying intrusion prevention and detection systems that can spot traffic anomalies and suspicious activity. With more remote working and non-corporate devices being brought into the workplace, combined with the growth of IoT, it’s key to understand what’s connected to the office network. Hackers will look for the easiest point of entry. Making it harder by segmenting networks and by limiting the number of administrator accounts is also good practice. If a computer becomes infected, it’s important to disconnect it from the network immediately.


Whilst it’s important for employees to be trained to be alert for phishing or scams by never opening an email from an untrusted source, content scanning and email filtering provide the best way to prevent someone from clicking on a potential ransomware link, by stopping it reaching the mailbox in the first place. Cybercrowd₃ estimates that 71 per cent of cyber-attacks start with phishing e-mails. In addition, remote workers should be cautious with public wi-fi and avoid using it when working on sensitive company information. A secure VPN is recommended. However, nearly a third of ransomware can be attributed to brute force attacks, where hackers try to access servers and other devices by trying as many passwords as possible in the hope that passwords are too weak or, worse still, left at their defaults.

Companies need to ensure passwords are strong and changed regularly. Using two-factor authentication also adds an extra layer of security. On the basis that a ransomware attack is inevitable, it’s vital to have secure and up-to-date backups of all business-critical information. The ability to restore data and become operational again quickly minimises the impact. To do that requires a well-rehearsed and tested recovery plan, both from a technical standpoint and in terms of keeping customers, suppliers and possibly regulators informed.

Last but certainly not least, ensure software patches are up to date. This was highlighted in the 2017 WannaCry attack, which caused massive disruption to the NHS, yet it appears from reports that Travelex was breached for the same reason. Whilst patching software flaws can be time-consuming and tedious, it’s vital for security reasons. It’s perhaps another opportunity for resellers to keep engaged with their customers by providing that service, either themselves or as a white label service through Exertis.

Security isn’t a one-time effort

Ransomware is just one of the many ruses used by cybercriminals and no one is immune from the possibility of attack. Exertis has a team of specialist security experts and a strong portfolio of security vendors that can help you to keep your customers secure. We can provide security audits and pen testing, in partnership with CyberCrowd, where we undertake a simulated cyber-attack against a computer system, network or web application to check for exploitable vulnerabilities. These insights can help your customers fine-tune their security and patch any detected issues before they are exploited, as well as measuring compliance with an organisation’s security policy. Security isn’t a one-time effort and larger companies should regularly undertake pen testing. The cost is minimal in comparison to the cost of a breach, estimated by Cybercrowd₃ to be £2.7 million for a large UK organisation.

In addition, companies should be deploying the latest firewalls from trusted vendors like SonicWall. These can detect and prevent cyber-attacks from denial of service attempts to phishing scams and ransomware. For Office 365 or G Suite, SonicWall Cloud App Security provides best-in-class advanced threat protection to stop targeted phishing attacks, zero-day threats and email fraud, such as business email compromise and account takeovers. It also ensures consistent security policies across all SaaS applications, including email, file storage and file sharing. Exertis can also offer resellers solutions from Aquilai, a vendor that specialises in anti-phishing technology using machine learning and AI.

According to the vendor, 93 per cent of data breaches start with a phishing campaign and unfortunately almost a third of employees are sucked into opening the email. In just 82 seconds, the employee and the company become a victim. As mentioned earlier, a multi-layered protection approach is best practice. Kaspersky Lab security solutions enable companies to detect, block and stop ransomware from spreading. Their Endpoint Security for Windows solution combines multi-layered, next-generation threat protection with additional proactive technologies such as Application, Web and Device controls, vulnerability and patch management and data encryption into an EDR-ready endpoint agent with an extensive systems management toolkit.

The vendor also delivers automated security awareness training to help organisations and their employees change behaviours with regards to security – more than 80 per cent of all cyber-incidents are caused by human error, claims Kaspersky.

Don’t let your customers become the next victim to a cyber-attack, call your Exertis Enterprise account manager for more details.

The 2020 SonicWall cyber threat report

SonicWall recently announced its annual threat report findings, which highlight the evasive tactics cybercriminals leverage to target businesses and consumers.

The 2020 SonicWall Cyber Threat Report is the result of threat intelligence collected over the course of 2019 by over 1.1 million sensors strategically placed in over 215 countries and territories. SonicWall Capture Labs threat researchers collected and analysed over 140,000 daily malware samples, blocked over 20 million daily malware attacks and recorded 9.9 billion malware attacks.

SonicWall Capture Labs spotlights attack trends to help organisations and users stay ahead of cyber threats as attackers become more targeted and move into business-critical systems.

2019 global cyberattack trends

  • 9.9 billion malware attacks
  • 187.9 million ransomware attacks
  • 4 trillion intrusion attempts
  • +27% encrypted threats
  • 34.3 million IoT malware attacks
  • +52% web app attacks

Malware down, but more targeted & evasive

9.9 billion malware attacks were logged by SonicWall in 2019, a 6% dip from the record-breaking 10.52 billion recorded in 2018.

Fileless malware

Cybercriminals used new code obfuscation, sandbox detection and bypass techniques, resulting in a multitude of variants and the development of newer and more sophisticated exploit kits that use fileless attacks instead of writing traditional payloads to disk. While malware decreased 6% globally, SonicWall observed that most new threats masked their exploits within today’s most trusted file types. In fact, Office (20.3%) and PDF (17.4%) files represent 38% of new threats detected by Capture ATP.

Ransomware found a new target

Ransomware is being used to surgically target victims that are more likely to pay given the sensitive data they possess or funds at their disposal (or both). In 2019, this meant that many of the 187.9 million ransomware attacks were against state, provincial and local governments, as well as education systems.

Encrypted threats continue steady rise

Savvy cybercriminals continue to use TLS/SSL encryption to mask their attacks from inspection by traditional security controls. In 2019, SonicWall Capture Labs threat researchers recorded a 27.3% year-over-year increase in malware sent over TLS/SSL traffic. Almost 4 million encrypted threats were identified.

IoT attack volume rising

In 2019, SonicWall discovered a 5% increase in IoT malware, with total volume reaching 34.3 million attacks. But with a deluge of new IoT devices connecting each day, increases in IoT malware attacks should not only be expected, but planned for. Criminals continue to deploy ransomware on everything from ordinary devices, such as smart TVs, electric scooters and smart speakers, to daily necessities like toothbrushes, refrigerators and doorbells.

Web app attacks

SonicWall reported over 40 million web app attacks detected, a 52% year-over-year increase.

To download the complete report, please visit www.sonicwall.com/ThreatReport. Exertis Enterprise provides resellers with the full suite of SonicWall security solutions.

Ask your account manager for details.

₁ https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate

₂ https://www.infosecurity-magazine.com/news/ransomware-costs-may-have-hit-170/

₃ https://www.cybercrowd.co.uk/