Hackers demand Bitcoin ransom in cyber attack
6 Aug 2018
Following an attack on their servers, one CCI client endured major business disruption with more than 200 staff unable to operate at full capacity for at least 48 hours. The steps taken immediately after the attack reveal factors that made all the difference. No ransom was paid and no customer data was compromised.
The attack might have carried the potential for a claim being made against the organisation but important mitigating factors were already in place before the incident. The key to this particular client’s favourable prognosis can be found in the following three steps:
Cyber security specialists DXC Technology, and a spokesperson for the client who managed the aftermath of the attack, say the response was swift because the incident was quickly reported. There was also one critical factor at play beforehand that helped to significantly reduce risk exposure. A practiced data restoration plan helped the company to bounce back in a matter of hours.
“I think it’s important to consider a replica of your system,” explains the General Manager Finance & Corporate Services for the client.
“Plan the replica process and how you will speed up your data restoration,” he says.
“I strongly advise that you check with your IT service provider and come up with a tested plan that will work to restore data quickly. We learned how important it is to streamline the process of making a replica server so it can be done rapidly.”
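The tested restoration plan the General Manager describes above is what a restore drill exercises: take a backup, restore it somewhere clean, prove every file came back intact and measure how long that took against a recovery time objective. The script below is an added example, not code from CCI, DXC or the client; it assumes a gzipped tar backup with a SHA-256 manifest stored beside it, a constructed sample of finance, HR and calendar files, and a five-second RTO chosen only for the drill.

```python
"""Restore drill: back up a constructed sample data set, restore it into a clean
directory, verify every file against a SHA-256 manifest and time the restore against
a recovery time objective (RTO). Added example; paths and data are constructed."""
import hashlib
import json
import tarfile
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample of the kind of data the client had to restore (finance, HR, calendars).
SAMPLE_FILES = {
    "finance/supplier_payments.csv": "supplier,amount_aud\nAcme Pty Ltd,1200.00\n",
    "hr/staff_roster.csv": "id,name,role\n1,J. Citizen,Finance\n2,A. Example,HR\n",
    "calendar/2018-08.ics": "BEGIN:VCALENDAR\nEND:VCALENDAR\n",
}


@dataclass
class DrillResult:
    elapsed_seconds: float
    files_restored: int
    within_rto: bool
    mismatches: list = field(default_factory=list)  # relative paths that failed verification

    @property
    def verified(self) -> bool:
        return not self.mismatches


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path_for(backup_file: Path) -> Path:
    return backup_file.with_name(backup_file.name + ".manifest.json")


def make_backup(source: Path, backup_file: Path) -> dict:
    """Write a gzipped tar of `source` plus a checksum manifest stored beside it."""
    manifest = build_manifest(source)
    with tarfile.open(backup_file, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path_for(backup_file).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_file: Path, target: Path, rto_seconds: float,
                       simulate_bad_restore: bool = False) -> DrillResult:
    """Restore the backup into `target` and check every file against the manifest."""
    manifest = json.loads(manifest_path_for(backup_file).read_text())
    started = time.monotonic()
    with tarfile.open(backup_file, "r:gz") as tar:
        # Use the 'data' extraction filter where the interpreter provides it
        # (it rejects absolute paths and entries that escape the target directory).
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **extra)
    restored_root = target / "data"
    if simulate_bad_restore:
        # Stand-in for a restore that came back incomplete: truncate one file
        # so the manifest check has something to catch.
        (restored_root / "hr/staff_roster.csv").write_text("id,name,role\n")
    mismatches = [rel for rel, digest in manifest.items()
                  if not (restored_root / rel).is_file()
                  or sha256_of(restored_root / rel) != digest]
    elapsed = time.monotonic() - started
    return DrillResult(elapsed_seconds=elapsed,
                       files_restored=len(manifest) - len(mismatches),
                       within_rto=elapsed <= rto_seconds,
                       mismatches=mismatches)


def run_drill(rto_seconds: float = 5.0, simulate_bad_restore: bool = False) -> DrillResult:
    """End-to-end drill on the constructed sample: back up, restore, verify, time."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restore_to = tmp / "live", tmp / "backup.tar.gz", tmp / "restore"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(content)
        make_backup(source, backup)
        restore_to.mkdir()
        return restore_and_verify(backup, restore_to, rto_seconds, simulate_bad_restore)


if __name__ == "__main__":
    result = run_drill()
    print(f"restored {result.files_restored} files in {result.elapsed_seconds:.3f}s, "
          f"verified={result.verified}, within RTO={result.within_rto}")
```

The point of timing the drill rather than just running it is that the number you record is the figure to compare with the 38 hours the client needed; the manifest check is what separates "the restore finished" from "the restore is usable", and the `simulate_bad_restore` switch shows the check failing on a truncated file rather than silently passing.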
Peter Graham, from DXC Technology, is a cyber security specialist and panel speaker at CCI’s 2018 Cyber Focus Forum. He helps clients predict attacks and respond to threats to their data, applications, infrastructure, and endpoints. He says low awareness of vulnerabilities and a lack of clear governance are common problems among organisations assessing their own cyber security needs.
“Cyber risk exposure needs to become a ‘whole’ of business conversation and should be driven at the highest levels of management.”
The General Manager thinks organisations need to attach more importance to developing an actionable plan.
“The most important advice is this: plan and make it an agenda item of real importance, ensure your staff become educated in recognising scam emails and teach more about email use, because staff education is a vital line of defence.”
Following the attack on their server, the client’s communications were immediately shut down and some business processes sabotaged.
“Our finance and HR systems suffered. Some staff couldn’t log on and communicate or check calendars. The hack didn’t affect the supply chain and no personal data was compromised but we did experience some other issues. We couldn’t pay suppliers,” he said.
“For computers and emails to be up and running again, the recovery process was around 38 hours. In the space of two days we had a cyber attack and a cyclone leaving much of the town without power. We used our generator, but the city of Darwin was in chaos. Some powerlines were down and many areas had no power.”
Having a coordinated approach reduced downtime for the business, even though the client sees room for improvement in their initial response to the incident.
“What worked well was being quick to respond to the attack. It was detected at 3am and we were alerted by our IT service provider within half an hour. The ransom demand was denied, and it took two days to restore the data.”
Despite communications disruption, the client was happy they could reach staff and move the response forward.
“We learned that communicating with our staff quickly was a job we did well. We communicated with them using SMS. We made a decision to contact them by 11 am, but looking back I think it’s important to try to make that communication happen within half an hour. In hindsight, we allowed the IT provider an hour or two for analysis; I think information received immediately should have been passed on straight away.”
The organisation lost two days of productivity and there were financial costs, but it could have been far worse. Having the right partners to address the incident made the process easier.
“Dealing with DXC was easy, they contacted us and things were explained in just two phone calls. They sent us the incident report form and gave us questions to ask our IT provider, and we talked about the technical aspects of the incident,” says the General Manager.
Additionally, CCI clarified the mandatory reporting rules to the client, and assisted debriefing with their IT provider.
“We identified that the vulnerability and exposure was through an old Citrix system that we were in the process of replacing. The attack happened during our transition between Citrix and Ericom. The analysis revealed the old Citrix system had been exposed.”
While transitioning to Ericom and upgrading the security of some remaining Citrix systems, the client has continued to build its cyber resilience.
“For this incident we were notified by our IT provider at 3.30 am but there are solutions with detection software that can trigger an alert when there’s foreign interference.”
Key factors in the successful management of the hack attack were:
- The client responded quickly to the attack. Once aware, they contacted CCI (within 2 hours), and within 3 hours CCI had advised DXC, our Cyber claims managers
- The client ignored the ransom demand and managed to restore the hacked servers
- 220 staff were unable to operate at full capacity for the two whole days until servers were restored, but adapted to the work disruption
- Some manual entry of data was done by HR staff when data could not be restored for a period of time
- The client lost 2 days of productivity for 220 staff, but managed communications among staff well, and no client data was compromised
- Since the incident, the client has undertaken further lock down of the system’s external access and has put in place a new remote access solution for their staff
CCI’s Cyber policy coverage was expanded in 2017 to include more first-party losses, including: computer system interruption, credit monitoring costs, crisis containment, cyber extortion, data breach notification costs, forensic services, loss of electronic data, and software damage.
CCI’s total cyber risk solution includes an incident hotline.
Call 1300 089 974
About Peter Graham
Peter is an Information Security consultant with over 25 years of experience working across IT Governance, IT Risk Management and Audit/Compliance, Data Protection frameworks, PCI DSS Compliance, IT Security, Business Continuity and Disaster Recovery. He has applied his skills in multiple industry sectors and completed several international assignments and secondments, including a global B2B project implementing IT Security, recovery strategies and infrastructure requirements. He leads IT Governance, IT Security, Assessment and Compliance, Risk Management and Business Continuity projects across a range of industries.