“We have your precious data! Pay us or lose it forever!” This is a message no organization or individual ever wants to see. Nevertheless, given trends over time in cyber security, ransomware remains a concern for many organizations. Here is a look at interesting examples of successful ransomware attacks and some lessons we can learn from each.
Arizona Beverages Company leaves company crippled by ransomware attack after backup recovery strategy fails.
Even cyber attackers can’t resist taking a refreshing sip from a can of the popular American drink brand, Arizona Beverages. While many of us simply love to indulge in consuming the product, cybercriminals targeted the company hoping to indulge in a quick ransomware funded payday. The attack occurred in March of 2019 when hundreds of servers were encrypted, and technology team members were faced with pop-up windows, essentially stating that payment would be required to regain access. The ransomware variant used in this case was iEncrypt and was delivered through capabilities enabled by another malicious attack, Dridex. Using Dridex, attackers are able to get unlimited access across the network to confiscate passwords, spy on traffic traversing the network, and more. Using the access, they were eventually able to launch ransomware into the company network.
Like any company prepared to respond to a ransomware attack, Arizona Beverages Company attempted to revert to their system backups. If data is adequately backed up, an organization can simply wipe the ransomware encrypted machines and reinstall a clean image from the backups – usually rendering the attacker attempt unsuccessful. Unfortunately, in this case, the backups were misconfigured and did not work as planned. The company elected not to pay the ransom and endured the painful and expensive process of rebuilding the assets that were lost.
Aebi Schmidt employees were sent home after ransomware hit.
Aebi Schmidt, a global manufacturing company specializing in transportation services, was hit by a successful ransomware attack in early 2019. Following the attack, critical operational systems, including the email system, were impacted by the incident. It’s been reported that while a technologist worked tirelessly to respond to the attack, employees were forced to go home on unpaid leave until the incident was contained.
Baltimore government was stung by ransomware.
The city of Baltimore became one of the latest headlines regarding ransomware in May 2019. The Maryland city found itself in hot water when a successful ransomware attack brought down a portion of their government systems. The incident resulted in an impact to critical communication technology such as email and voicemail, parking and vehicle citation systems, taxation technology, and a utility payment system. The Mayor of the city expressed his reluctance to pay the ransom, and the city is instead working to recover. The Mayor also noted that the option would be considered if absolutely necessary. There have been mixed arguments across the industry regarding whether ransom should be paid. While it may seem like a quick “fix” to the solution, the majority of the organizations who pay the ransom still never see their data again. The attackers tend to take the money and disappear.
Eurofins shares press release in the wake of a ransomware attack.
In April 2019, a food, environmental, and pharma organization called Eurofins endured a successful ransomware attack against its assets. Upon detection, the company quickly worked to take systems offline and prevent the attack from spreading to other systems. The company was able to confirm that there was no unauthorized access to information warranting breach notifications, but the impact to systems forced them to publish a press release explaining that they were still working to restore systems weeks after the incident was discovered.
Key lessons learned from this year’s ransomware attacks.
There are several valuable lessons that we can learn from recent ransomware attacks. The first is the need for back-ups. Companies with reliable backup procedures are generally able to bounce back more quickly from these incidents and resume normal operations without paying the ransom. Also, as seen in the case of the Arizona Beverage Company, testing backups and ensuring systems can be fully restored from them is equally important. Otherwise, they can create a false sense of security and, when the time comes, the organization will face more significant challenges. One of the worst times to discover that your backups are not working is in the middle of an attack when you need them the most. In addition, while responding to ransomware is one reason why having reliable backups is a good idea, this same practice can also mitigate a host of risks beyond ransomware such as hard drive failure.
Through these attack example, we are also reminded that standard security best practices, such as maintaining a regular patch cycle, are still critical. While this recommendation has existed for decades, companies still struggle with keeping their systems up to date. Attackers often scan for vulnerabilities and system gaps within such companies and then target them – as suspected in the city of Baltimore’s case.
In addition, working with third-party partners prior to an incident to outline incident response and general support commitments can help in the wake of a ransomware attack. As seen in the case of Arizona Beverage Company, their backups did not work due to missing patches and other system limitations. It’s been reported that, desperate for help, one option considered was working with a key vendor of some of the impacted systems to fix the issue. They found that in order to do so, a costly contract was required. Working towards these kinds of agreements prior to impact or issue can give the company better negotiating power instead of paying premiums in the middle of the crisis.
Closing
Hundreds of companies have already lived through the gut-wrenching feeling of receiving a ransom note holding their most prized digital possessions hostage. It’s essential to learn from challenges that other companies have faced to avoid being up next. Check out our quick guide to responding to ransomware attacks to learn more about what you can do if you find yourself reading the message we all dread one day: “We have your precious data! Pay us or lose it forever!”
Veriato offers an advanced solution for ransomware detection and response called RansomSafe. For more information, click here.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.