NI firms open to ransomware attacks, asking for bitcoin
Belfast-based cyber security consultancy Vertical Structure is increasingly being approached by local SMEs to assist after their corporate data has been encrypted by hackers. The cyber criminals are looking to earn a ransom before they’ll unlock it – and it’s usually paid in cryptocurrency such as bitcoin, helping the hackers to remain anonymous.
It’s impossible to know how many local companies have been hit by ransomware, but evidence gathered by local cyber security professionals suggests that the incidences are not uncommon.
In one of the most high-profile ransomware attacks, WannaCry hit 80 NHS organisations, although it’s unclear if any of these were in Northern Ireland. In total the financial hit to the NHS from WannaCry amounted to a reported £92m.
In that incident, the initial infection was likely through an exposed vulnerable internet-facing Server Message Block (SMB) port. [Source: NHS Lessons Learned document]
“Attacks aren’t only directed at large enterprises,” said Simon Whittaker, co-founder of Vertical Structure. “Oftentimes the hackers are only asking for a few thousand dollars in ransom, illustrating that they aren’t making a huge amount of money overall on these attacks, but the havoc, as well as monetary costs from cleaning up after an attack, can be devastating for a small company.”
Criminals will attack any open environment and there have been recent examples of attackers compromising virtualised servers, Simon says. Depending on strategies employed, even if a company has a data backup plan, the backups are impacted too. “These ransomware infections can compromise a host/parent server, but this may compromise any child servers, too – in which case backups may also be lost,” says Simon.
Still, many organisations have woefully inadequate data backup strategies.
“Sometimes companies only keep a backup for one day – and by the time the malware is discovered, the backup will already be written over with encrypted data rendering it useless.”
“If you’re hit, there is only so much anyone (including law enforcement) can do to help recover data from a ransomware attack, the PSNI especially will help wherever possible and it is definitely best to contact them.” Simon says, noting that hackers are often located abroad.
So how are these hackers getting in? It’s scarily easy, in some cases, demonstrates Simon.
Most companies now, for good reason, desire employees to work remotely. Remote access is offered to employees, sometimes enabling them to get a desktop connection from anywhere. Using the common port for RDP (remote desktop protocol), a Shodan search brings up 61,650 in the UK and Ireland. The search – open and available to anyone on the internet – displays all the IP addresses, and in some cases even shows employee’s usernames.
“Without strict security protocol – including two-factor identification, very strong passwords, or an extra level of protection – hackers can get into these accounts and take over the entirety of an organisations’ data,” says Simon. “Files, emails, documents, everything.”
Insecure RDP user accounts are easily found in the UK from organisations including a prominent charity, a well-known school, a medical trust, a travel website, and many others.
The alarming thing is that, by knowing a username, that means employees could also be vulnerable. Brute-force methods of entry into a system can be deceptively simple using passwords available from previous breaches or simply ineffective password usage.
Simon says, “This not only exposes the organisation to risk, it also exposes real people.”
“We aren’t trying to spread scare stories,” he insists. “Its about telling people what is here, and what could happen, and how they can prevent it. We don’t want organisations to have to ring us up in desperate situations.”
Simon points to the National Cyber Security Centre for help. “Their user guides for small business are a great place to start.”
He goes on, “This is scary but it’s so preventable. Nobody is saying don’t allow users to work remotely – but if you’re going to have a remotely exposed machine, use a VPN, use two factor authentication, make sure you have a suitable and updated antivirus protection. We also advise that organisations undergo a security and penetration test to understand their exposure.”