Published Dec 22, 2022 by Xiph
If the fallout of the cyber attacks on Optus and Medibank has taught us anything, it’s that many companies (big and small) aren’t adequately prepared to deal with ransomware attacks. The failure of Australia’s second-largest telco and the country’s largest private health insurer to mitigate the risk and impact of those ransomware attacks should be a wake-up call for all enterprises to bolster their cyber intelligence and avoid the same fate.
Optus vs Medibank’s ransomware response
The Optus data breach saw the personal information of about 10 million Optus customers and former customers compromised including names, birthdates, home addresses, phone and email contacts, passport, and driver’s licence numbers. Overall, Optus responded to the cyber attack somewhat quickly, notified affected customers within 24 hours, and offered to pay identification replacements for those affected by the breach.
In the case of Medibank, hackers accessed the personal and health/medical information of about 9.7 million current and former customers and some of their authorised representatives. The health insurer was much slower at notifying customers of the breach and in dealing with the fallout.
Soon after their respective mass data breach incidents, both Optus and Medibank were hit with ransom demands, with hackers asking millions of dollars in cryptocurrency not to publish customer information on the dark web. When Optus refused to pay the ransom ($1.5 million), the hackers uploaded several text files of 12,000 records to a data breach forum and promised to leak more records if the telco didn’t pay up. When Medibank also refused to engage with the alleged international crime syndicate that demanded a $15 million ransom, sensitive medical records were leaked to the dark web, under files named ‘abortion’, ‘mental health’, and other suggestive names. The last trove of data was released.
What is ransomware?
Ransomware is a type of extortion malware designed to either encrypt files or deny user or organisation access to files unless a ransom is paid (usually in the form of cryptocurrency which is untraceable). These can be coupled with the threat to publicly publish sensitive information. Often, ransomware will encrypt files stored on a business IT system, after which hackers behind the attack will demand a ransom payment for the decryption key. As we’ve seen with Optus and Medibank ─ ‘double extortion’ is also a growing ransomware trend, whereby data encryption and threats to publicly release sensitive information are combined tactics to pressure companies to pay up. Businesses should always employ cloud backup and other data backup solutions to mitigate the risk of data loss.
How does ransomware work?
Ransomware can infiltrate businesses in multiple ways including through phishing emails, supply chain attacks (as more companies integrate systems with others), brute force attacks or vulnerable web servers.
Once malware gets onto your organisation’s devices or systems, it begins encrypting targeted files or blocks business users from accessing internal data. Since encryption functionality is built into an operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. This is intending to put enterprises in a position in which paying the ransom seems the easiest and cheapest way to regain access to their files. Hint: it’s not and you should never engage with ransom demands.
Types of ransomware attacks
Historically, the two main types of ransomware attacks were crypto and locker, but double extortion and ransomware as a service (RaaS) are also becoming increasingly popular today. Here’s what each ransomware type entails:
- Crypto ransomware: Encrypts files or data on systems and demands a ransom from the victim in exchange for a decryption key.
- Locker ransomware: Blocks access to computer systems entirely and prevents users from carrying out basic computer functions until a ransom is paid.
- Double extortion ransomware: Encrypts files or steals sensitive data with threats to publicly release it if a business doesn’t pay a ransom.
- RaaS: Provides ransomware tools to anyone who pays either a subscription or a percentage of any ransom payments received from ransomware. RaaS providers host their ransomware on dark web sites and allow criminals to purchase it as a subscription, much like a Software as a service (SaaS) model.
How does ransomware affect a business?
Ransomware attacks can have a devastating impact on businesses, usually resulting in not only a breach or loss of essential data, but also loss of reputation, customer trust, reputational damage and more. Ransomware is an easy way for hackers to make a quick buck, which is why enterprises should bolster their defences to avoid being a target in the first place.
Ransomware is one of the fastest-growing cyber threats, with a whopping 80% of mid-sized organisations in Australia reporting an attack or ransomware attempt in the past year, according to the State of Ransomware 2022 Report released by Sophos.
How can your business prevent a ransomware attack?
The truth is that you can’t always prevent a ransomware attack on your business, but you can be prepared for it. Ransomware response is all about mitigating data loss and operational downtime which will in turn reduce damage to your bottom line and brand. The first step is to have a robust data backup plan to future-proof your business information, operations, and protect your employees and clients. We discuss some must-have cyber security measures below:
- Use the 3-2-1 method of data backup: This involves making three copies of your data, two local (on identical but separate hard drives) and one offsite in cloud storage. The best recovery method from a ransomware attack is to restore from an unaffected backup.
- Regular monitoring & patching: Effective and timely monitoring and patching of all possible entry points to your network can help detect vulnerabilities before hackers do.
- Regularly update your devices: Prevent cyber criminals from infiltrating your devices/network by ensuring all computers and remote work devices are set to automatically update and conduct regular scans.
- Implement access and application controls: Only give business users access and control to software and applications they need to perform their duties. This helps limit your networks’ exposure to malware.
- Turn on ransomware protection: Have the latest anti-virus and anti-malware software. Some anti-virus products offer ransomware protection. Make sure you enable this function to protect your devices.
- Educate your employees: Employees are the first line of defence to combat online threats. Make sure your employees are clued up on how to recognise and flag phishing attacks, how to identify a malicious link or attachment, etc.
Should your business pay the ransom?
You should never pay a ransom to malicious actors as this will only incentivise further ransomware attacks if targeted organisations continue to pay up. There’s also no guarantee that you’ll get access back to encrypted/stolen files or systems, nor will it prevent sensitive data from being sold or leaked online.
While there’s currently no specific law that prohibits the payment of a ransomware demand in Australia, there are provisions under Commonwealth, State and Territory laws that prohibit payments to threat actors that could be used to fund illegal activities.
A final word
The only protection against a ransomware attack is preparation. Make sure your business has robust backup data policies, and multi-layered security on devices and networks. The best way to protect your business against ransomware is to be proactive and have a plan in place in case of an attack. For more cyber security tips, contact us via email: [email protected].
Posted in: Security