Sunday 18 February 2018

'No silver bullet' to save firms from the menace of ransomware

Companies warned to take pragmatic approach by backing up data and being prepared to sacrifice some of it when hackers strike

Cybersecurity: there is no silver bullet for web security

Roisin Kiberd

There's no such thing as immunity to ransomware. While public sector attacks, such as those made on Government websites this year, tend to occupy headlines, surveys indicate that almost a quarter of Irish SMEs have also been targeted with ransomware.

The publication in 2015 of a National Cyber Security Strategy and the launch of the National Cyber Security Centre are promising steps but - with new hacks developed every day - how can Irish businesses defend themselves?

"There's a whole economic model behind ransomware now," said Conor Flynn, managing director of Information Security Assurance Services (ISAS), an independent information security consultancy working with public and private sector companies.

"There's what we call a drive-by attack, where a website gives out malicious software, unbeknownst to its owners and its visitors. The site will look absolutely fine, but on certain pages JavaScript will place a 'dropper' on your machine.

"This is like a person parachuted in behind enemy lines - it's a very small and stealthy piece of software. The dropper sits on your machine for a period of time and evades detection while doing reconnaissance."

Another method is to hide the malware in an unsolicited email attachment - something made to look 'official', which won't raise the victim's suspicions until the damage is done.

Once installed, the dropper maps its location, connecting to a command-and-control server which profiles the victim and decides on a mode of attack. If the dropper is embedded in a server with a large amount of bandwidth, the attackers might use it as part of a botnet - a network of infected computers.

On a corporate or public sector network, a ransomware attack might prove more lucrative.

Commercial products such as CryptoWall, CryptoLocker and TeslaCrypt have given rise to a malware economy, where ransomware can be bought on the dark web and implemented with minimal skill.

Investigations point to criminal gangs as perpetrators: groups traditionally linked to gunrunning, drugs and human trafficking who have embraced cybercrime as lower-risk and potentially more rewarding.

In recent years, 'crimeware as a service' has evolved to mirror conventional business software. In return for their cut, the ransomware author will maintain a help desk, often 24/7 and operating in multiple languages. Each campaign is monitored with software akin to Google Analytics - a kind of CRM system for crime - which tracks profit margins and the number of email attachments opened, links clicked and computers infected.

For victims, meanwhile, once the malicious link has been clicked or the email attachment opened, malware spreads through their network encrypting files one by one.

With no visible signal, the user only discovers something is wrong once the malware has reached as many files as possible, whereupon it displays a pop-up message with a countdown (usually 48 to 72 hours) and instructions for the user to pay up or risk losing access to their files forever.

"That's the 'screen of terror' people report," said Flynn. "The hackers will give you all the information you need to make the payment.

"They will even give a helpline number, so that if you don't have a bitcoin wallet already they can talk you through setting one up."

Successfully extorting hundreds of millions of euro per year, ransomware's perpetrators can prove impossible to trace, hidden behind their tools - bitcoin and PKI (public key infrastructure).

Add to this a startling rate of evolution - ransomware servers are now capable of generating thousands of new variants per hour - and traditional protections like antivirus and firewalls are essentially rendered useless.

But there are still measures a business can take. Human error is inevitable, but education is a worthwhile investment. "User awareness is hugely important," said Flynn. "Don't open unsolicited email attachments, and be careful of websites which seem slightly 'off'.

"It's about being aware of your environment the way you would be in the real world. On holiday, you wouldn't walk down a dark lane in an unfamiliar city with your wallet about to fall out of your pocket. You're more aware of your situation in the real world, but people are far too trusting of what they see online."

Flynn advises that preparation is the best defence. By anticipating ransomware and backing up data frequently, you can minimize the damage.

You'll also be in compliance with Privacy Shield, the EU's new framework for data exchange, which demands that companies hold less customer data for shorter amounts of time.

With consistent backups and a strong business continuity plan, SMEs can successfully survive a ransomware attack without having to pay the fine.

Flynn said of his work with ISAS, "As security professionals we're working towards helping people with their resilience.

"It's worth asking, how long will it take to restore your data? How much data are you potentially prepared to lose?

"This might sound like a defeatist attitude, but people need to be pragmatic in terms of understanding that technology cannot entirely defend them."

Flynn advises talking through options with your IT manager or IT provider, agreeing on a feasible amount of downtime and a plan to restore operations as quickly as possible. Rather than taking on the Sisyphean task of prevention, the best option is to assess the risk, prepare for attacks and limit your losses.

"There's no silver bullet for guarding against attacks," said Flynn. "With ransomware, there's no such thing as '100 per cent safe'."

Indo Business
