You can't help feeling that the attack was an accident waiting to happen. Photo / 123RF
You can't help feeling that the attack was an accident waiting to happen. Photo / 123RF
COMMENT:
Imagine popping into work at Travelex on New Year's Eve, waking up the computer and instead of the familiar Windows desktop seeing a message that your files are encrypted and to get access to them you have to pay a few cool million in Bitcoin.
The foreign exchange giant is the latest high-profile organisation to be hit by ransomware criminals. As more details on the attack emerge, you can't help feeling that it was not only an accident waiting to happen but also that Travelex might have dodged an even bigger bullet.
Yes, really: last year, security researchers say they alerted Travelex to critical networked software vulnerabilities that if left unpatched would leave systems wide open to attacks.
Travelex appears to have taken months to patch the vulnerabilities. Other researchers noted that some of the company's internet-connected cloud servers exposed a Windows remote control service that is currently under large-scale attack as a serious bug in older versions allows hackers to connect to it without authentication and gain full access to systems.
Marcus Hutchins, the security researcher credited with taking the edge off the WannaCry attack, said he didn't understand why after breaching a company that processes something like $100 billion a year the hackers decided merely to ransomware Travelex.
If indeed the attackers were in Travelex's network for six months they had every opportunity to cause "material financial impact".
As of writing, Travelex is still down and it's not clear when staff will be able to put down their pens and paper and start using computers again. At least Travelex has now removed the "planned maintenance" page on its sites and owned up to the Sodikinobi/REvil attack.
Either way, 2020 must be the year to sit down and figure out how not to get hit by ransomware.
The problem is that ransomware has low barriers to entry and is difficult to defend against.
It's easy to obtain malware and use it pseudonymously enough from Eastern Europe or elsewhere to avoid getting arrested immediately. Usually it takes hackers going on a luxury overseas holiday to be arrested and extradited to stand trial but that can take years.
The ransomware attacks are getting nastier too. In December the Maze ransomware crims started posting some data taken from victims' who hadn't paid up. That's one hell of an escalation that could cause serious damage to those ransomed and individuals and companies whose information is being leaked.
Travelex is a currency exchange specialist. Photo / Getty Images
From companies trying out the digital transformation thing by leaving sensitive data in unprotected cloud storage to ageing and extremely vulnerable computers in schools, universities, local councils and healthcare organisations, there's rich pickings for ransomware raiders everywhere.
Most organisations need IT to function nowadays, but that doesn't mean they know how to manage it well.
Even leaving IT security to the experts can backfire. Last year saw several Managed Service Providers (MSPs) being compromised by ransomware attacks. If you wanted to infect a large number of organisations with ransomware, using a trusted MSP as the attack vector would be the way to do it.
Nevertheless if you're hit and don't have backups or they're deleted, should you pay the ransom?
If you pay, you're growing an already large criminal enterprise.
Not paying could make things even worse if the hackers publish sensitive data however.
Importantly, there's absolutely no guarantee that the decryptor you pay for will work. It's not like ransomware criminals care about thoroughly testing and ensuring their code is safe to use and bug-free, and that's assuming you receive a decryptor after paying ransom.
If at all possible, don't pay the criminals. The Dutch police and Europol's cybercrime unit working with security vendors have set up The No More Ransom Project site which is a good place for advice and for obtaining tested decryptors for an ever-growing list of ransomware.
Unfortunately, there's no easy answer here. Maybe encouraging Russia to actually disconnect from the global internet (they've done a test run already and it worked) would bring temporary relief but beyond that, more knowledge and understanding of the problem will help.
Think like ransomware criminals breaking into your systems. How might they get in? What would they find in them? Would your organisation survive if the systems and the data they hold were inaccessible, maybe permanently?
Do you need to store sensitive data, especially on internet connected systems? Could it be deleted so that the information doesn't sit on potentially vulnerable servers like a loaded gun, exposing your organisation to mega fines under strict new privacy laws?
There are accredited security firms that can help answer the above questions and other pertinent ones, but if you don't act your organisation could be the next Maersk, Pitney Bowes, Beiersdorf or Travelex. Expect things to get worse.
