CPD Session – Ransomware – A Cyberdemic

On the topic of commercial crime and cyber risks, Gauteng Women In Insurance (GWII) hosted a Continuous Professional Development (CPD) session on 18 May, proudly sponsored by Camargue.

Speaker Camilla Stevenson, Commercial Crime and Cyber Risks Underwriter at Camargue, spoke about cyberattacks and ransomware.

Here are some key takeaways from her presentation.

What is ransomware

The rise in connectivity has given rise to a cyberdemic. Every day more people and organisations fall victim to cyberattacks. “Almost every company has some kind of network, database or online presence that puts it at risk,” she said.

What is ransomware? “It is malicious software which holds data hostage. If the ransom is not paid, data is deleted. It infects the system or enters a network when a user opens an email containing malware or is lured to a malicious website. Newer variants are known as drive-by downloads and involve less human effort. Another vulnerable place of access is remote desktop access. If a ransom is paid, a decryption key is sent to unlock data, but there are no guarantees,” she added.

“The two main types of ransomware are crypto/encryption ransomware, which encrypts valuable files so that they become unusable, and locker ransomware, which does not encrypt files but locks the victim out of their device,” said Stevenson.

History of ransomware

Ransomware has been around for years, according to Stevenson.

The AIDS Trojan, also known as the PC Cyborg virus, was the first ever documented ransomware virus. It was released in 1989 via floppy disk, before most of us had ever had the opportunity to touch a computer.

The AIDS Trojan, according to KnowBe4 and Stevenson, was created by the biologist Joseph Popp, who handed out 20 000 infected disks to attendees of the World Health Organization’s AIDS conference. The disks were labelled “AIDS Information - Introductory Diskettes” and included leaflets that warned that the software would “adversely affect other program applications” and also stated, “you will owe compensation and possible damages to PC Cyborg Corporation and your microcomputer will stop functioning normally.”

The program would count the number of times the computer was booted and, once it reached 90, it would hide the directories and encrypt or lock the names of the files on the C drive. To regain access, users had to send $189 to PC Cyborg Corporation at a PO box in Panama. The AIDS Trojan was fairly easy to overcome, as it used simple symmetric cryptography and tools to decrypt the files were soon available.

Ransomware today

Ransomware today is the second most lucrative form of cybercrime. “Cybercriminals will hack into systems weeks before the attack. The effect of a cyberattack could be devastating to almost any business: network downtime, loss of important data and loss of credibility when customer information is compromised (not to mention the litigation that would follow if the hacker were to use that information to plunder the customer’s bank account),” she said.

Where the stolen data is also leaked, this is called double extortion: denial of availability combined with leaking the data. The top industries targeted, according to the Security X-Force 2020 survey, are manufacturing (25%), professional services (17%) and government organisations (13%).

According to the Sophos State of Ransomware 2021 survey, with a focus on South Africa, 24% of respondents had experienced a ransomware attack and 42% believe ransomware attacks are getting more sophisticated. The average cost of remediation was R6.5 million, and 31% cannot stop users compromising security.

Recent notable ransomware attacks in South Africa include the City of Joburg, Life Healthcare, PPS and Transnet incidents.

On 22 July 2021, Transnet became the victim of a ransomware attack. The attack caused Transnet to declare force majeure at several key container terminals, including the Port of Durban, Ngqura, Port Elizabeth and Cape Town. Bloomberg News reported that the attackers encrypted files on Transnet’s computer systems, preventing the company from accessing its own information, while leaving instructions on how to start ransom negotiations. The Bloomberg article quotes a source from the cybersecurity firm Crowdstrike Holdings Inc. who states that the ransomware used in the attack was linked to strains known variously as “Death Kitty”, “Hello Kitty” and “Five Hands”, and likely originated from Russia or Eastern Europe. The Department of Public Enterprises stated that none of Transnet’s clients’ data had been compromised in the attack.

More ransomware attacks

Stevenson went on to provide more examples of cyberattacks.

The Michigan practice Brookside ENT closed its doors following a ransomware attack. The attack encrypted the computer systems at Brookside ENT and Hearing Center in Battle Creek, which housed patient records, appointment schedules and payment information, rendering the data inaccessible.

A woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital.

“This shows it is crucial to have strategies and backups in place.”

To pay or not to pay?

There are a few issues to keep in mind, according to Stevenson:

  • Complacency in cybersecurity – some companies that pay may never properly investigate the attack;
  • Encourages more cybercriminals – if it is a lucrative business, these criminals will not stop and may become more sophisticated. Criminals will invest in the research and development of better cyberattack tools;
  • Legislative prohibition and sanctions – some countries have legislative requirements or rules when it comes to ransom attacks and payments; and
  • Uncertainty around decryption keys – if you pay, there is no guarantee that the codes or keys will work.

Is this the way to go?

When Norsk Hydro, a Norwegian renewable energy and aluminium manufacturing company, faced a ransomware attack, it handled it in a different way. The company refused to pay the ransom and instead took up the task of removing the virus from the equation altogether, reaching out to cybersecurity experts for help.

Meanwhile, the virus crippled the company’s network and stalled production in all of its manufacturing facilities. Norsk Hydro decided to shut down access to the network and switch over to manual operation of its most critical systems. Next came shutting down the company’s own internal network to prevent the virus from propagating.

While a downed network makes a malicious virus easier to identify (suspicious activity stands out more), the ramifications were costly. How do you run a manufacturing company without computers for even a single day? Norsk Hydro had to work out how to do so for weeks.

To combat the attackers, the company, with the help of agencies including Microsoft’s cybersecurity response team and the Norwegian National Cyber Security Centre, set up three teams working in parallel: one investigating the virus infection, one keeping day-to-day business operations running, and one rebuilding the network alongside the existing one.

Essential systems, such as manufacturing-specific software, had to be rebuilt over the course of about three weeks. Other systems, including the company’s user directory and cloud services (which were luckily untouched), took as long as three months to bring back online.

Avoid becoming a ransomware headline

So, how do you stop yourself becoming a victim and avoid becoming a ransomware headline?

  1. Employee awareness training – individuals need to be trained. They must be taught which links to click and which not to click;
  2. RDP and access control – properly secure your RDP and other access points;
  3. Patch management – install software patches promptly;
  4. Backups – keep clean, comprehensive backups so that you can recover your data if you are attacked;
  5. Multifactor authentication – passwords are no longer good enough. A simple, cost-effective measure is two-factor authentication;
  6. Install and update anti-virus – make sure you are installing and updating next-generation anti-virus software;
  7. Email security settings – email gateways are key. Use something such as Mimecast, for example, so that anything suspicious lurking in email is flagged; and
  8. Endpoint security – activate an endpoint security programme.

“Implementing all eight measures should make you less of a target. Although there are no guarantees, these measures could make it much harder to attack,” she concluded.

GWII would like to thank Camargue once again for their continued support and sponsorship.
