After a global freight organization was hit by the Petya (or perhaps the NotPetya) cyber-attack at the end of June, it did not want to switch to its backup systems because it had no idea what would happen. In fact, it shut down its entire network to protect its applications from being infected. “We didn’t kick in the backup system because we feared it would be infected as well,” said the Chief Operating Officer.
Meanwhile, a major logistics company wasn’t so fast or so lucky. As you may remember, businesses in Ukraine were hit hardest, and since many of this company’s operations and communications are based in that country, a significant proportion of its systems were infiltrated and the data was compromised. The impact was severe – they lost critical information about shipments in their care.
And they are still recovering, weeks later. This company says that “manual processes” are still being used to put packages through the system and they believe that it is “reasonably possible” that some information will never be fully recovered.
Was Everything Ship-Shape?
There are plenty of lessons to be learned from both companies. Let’s start with the first example, the freight shipper.
After they learned they were hit by a ransomware attack, they shut down their primary systems to prevent further damage. However, they did not know what would happen if they brought up their backup systems, so they didn’t. This suggests a few probable scenarios:
- There was possibly no adequate plan for a ransomware attack
- There were possibly insufficient test exercises to recover from a ransomware attack
- There was possibly no robust “live fire” exercise to recover from a ransomware attack
While the organization in question is no longer in the news, the global logistics company is, and has admitted that it may never fully recover.
Since the cyber-attack, the logistics organization’s staff have had to use WhatsApp Messenger for internal communications because company email was inaccessible. Its much larger parent company has taken on processing large volumes of orders as a contingency, which has put a huge strain on the parent’s own infrastructure.
And in fact, until very recently, some depots were finishing the day with tens of thousands of packages still waiting to be processed, instead of just a handful as usual. Stuck in the pile of packages are medical supplies, wedding dresses, and other time-sensitive deliveries. Some customers have taken to Facebook and Twitter to express frustration with their supplier’s delivery delays.
Think this will reflect badly on their reputation? Certainly. And their bottom line? Definitely.
A spokesman for an online cycling retailer said it had already cancelled many of its shipments and was using another courier for packages outside Europe, since only deliveries within the EU could be processed. Even if other customers don’t switch to another vendor, the cost of rebuilding systems, repairing infrastructure, and claims from customers who have suffered damages are going to put a dent in the logistics company’s profits this year.
What Did We Learn Today?
Here are some immediate best-practice steps to help prevent organizations from falling prey to a ransomware attack:
- Implement least privilege. Most ransomware cannot spread without admin privileges.
- Ensure that the organization’s SIEM is up to date and can send notifications to on-call personnel when something pops up on its radar.
- Implement solutions which can warn if systems differ from their baseline configuration or have been modified without authorization.
- Monitor what privileged accounts are doing and shut them down before damage can be done.
- Link the cyber-security and business continuity teams, and practise cyber incident response together.
- Plan, test and perform live-fire exercises that prove you can recover from a cyber-attack.
Finally, and most importantly, organizations should ensure offline backups of key systems and data. If backups are only online, they can be encrypted or destroyed just as easily as the production systems and data.
While online backups and storage snapshots can shorten the recovery time objective (RTO), only offline backups are safe from a cyber-attack that reaches the network. It may take longer to recover using offline backups, but at least there is definitely something to recover with.