What is ransomware?
Ransomware makes data or systems inaccessible until the victim makes a payment. Think about it as a plane hijacking. It takes months in the planning and sees your whole business held hostage.
A ransomware attack starts (in 95% of cases) with a phishing attack: you or one of your employees innocently clicks a link in an email or on a web page and malicious code gets onto your network. They won’t know they’ve done anything wrong. Typically, the malicious code will then lie dormant, often for more than 90 days.
At some point the ransomware will be detonated by its ‘Controller’. It will do what it is programmed to do: call out to the Internet, trying to contact 1,000s of websites which you or I would never know exist, often on the dark web. Amongst the websites that the ransomware tries to reach will be one or two that the criminals control, and once it finds one, communications with the criminals are established.
Then the malicious code will encrypt all data held on your servers. Your business systems are paralysed until you pay the ransom and the data is unlocked. Some businesses choose to pay up, only to find that the criminals won’t unlock the files; they are out of pocket by the ransom fee and no better off. Some businesses pay up and their data is unlocked.
In other, more sophisticated cases your data gets encrypted, you pay up and your data is decrypted, only for the criminals to return. This is a double ransom scenario: the criminals ask you for more, failing which they will release your data or tell your regulator that you have lost data.
In other less sophisticated cases, you will get a call to say that you have been a victim of ransomware and will be asked for money but be given little evidence that anyone has been in your system. You are then left with a tough call. Is this a scam?
Will they come after me?
Many mid-market companies assume that criminals will focus their efforts on bigger businesses. They are wrong. You are in the mid-market sweet spot. Criminals see businesses like your own as not so big that they are well defended, and not so small that they cannot pay. A school in the US was recently subject to an attack. The criminal asked for $40m, but the school negotiated down to a ‘reasonable’ sum.
Not all victims of ransomware attacks are targeted specifically, nor are they all asked for money, but their businesses are compromised nonetheless.
In 2016, Russian hackers attacked a Ukrainian tax software vendor. Their objective was to compromise as many Ukrainian businesses as they could. To this end, they infiltrated the vendor’s software update server: every time a customer downloaded an update to their tax software, that customer was compromised. One of these customers was Maersk, the massive shipping line. Whilst Maersk only had a small satellite office in Ukraine, its global network was quickly infected. Whilst Maersk wasn’t specifically targeted and had no requirement to pay, it suffered very significant consequential losses.
How do I defend my business?
- Be assertive about password discipline. Length and complexity really matter. Accept no excuses.
- Adopt MFA. Requiring multi-factor authentication significantly reduces your risk.
- Be religious about backups. It might sound boring and administrative, but it is strategic. When you get the call from a criminal demanding cash, the first thing you want to know is that you have access to a useful backup. To be useful, your backup needs to be held on servers that are not connected to your network (air gapped and off site) and versioned, so that it can be rolled back to a point before the malicious code was introduced to your system. Since the code may lie dormant for more than 90 days, that means keeping backups for longer than that. You are looking for ‘immutable’ storage: copies that nobody, including an attacker with your administrator’s credentials, can alter or delete.
- Really worry about phishing. This is the means by which your systems will get compromised. Make sure you have the right email filtering and endpoint protection in place. Education is key: train your people on how to recognise phishing attacks, and then train them again. You should also use a PDNS (protective DNS) service, which blocks the lookups that the malicious code makes when it calls out to the criminals’ websites. There are many free and reliable options available.
- Get to cloud. If you don’t run a data centre for a living, work with someone who does. Organisations like Node4 and Microsoft run data centres for a living, and the data centres they operate are substantially more secure than any independent business can build and maintain itself. That makes them inherently, and therefore statistically, safer.
- Take out cyber insurance. This should give you access to incident response teams who have trained ex-police and military hostage negotiators. They are much better placed to engage with criminals on your behalf. They will also purchase bitcoin and other cryptocurrencies on your behalf if it comes to that. The last thing anyone wants to do in a crisis is get scammed twice – once by ransomware and again when buying bitcoin.
- Contract a company to monitor the dark web. You’ll want to know when your company name is referenced, ideally before an attack.
- Look at what the NCSC has to offer. Their ‘Exercise in a Box’ will help you better understand the impact that an attack might have on your business before it happens.
- Continue reading!
If you follow these steps, you will be much safer and should expect to sleep more soundly.
Recovering from a disaster
In September 2020, one of our Dynamics NAV customers was subject to a ransomware attack. Their live system was rendered inaccessible. Worse still, they backed up to the same server, so the backups were encrypted too and they had absolutely nothing to work with. They didn’t know who owed them money, or who they owed money to, and had no visibility of stock across four locations in the UK and Europe. This was an existential crisis. They needed to implement a ‘new’ Enterprise Resource Planning system and find a way to keep the business alive whilst doing so. TNP got the call and had a team assembled within hours. Whilst we are proud of the role we played in their recovery, we have huge respect for what their internal team achieved. The business survived and now thrives once again.
Whilst we’re always happy to serve in a Disaster Recovery emergency, we’d prefer that you did not have to ask. To mitigate that risk, we’d rather be proactive. How? Using the expertise within TNP and our parent company Node4, we can help you in two ways: by reviewing your preparedness and by improving it.
We’re happy to independently review your preparedness. We’ll engage with your team and identify:
- The list of key business applications deployed within your business
- Where these business applications are deployed – on-premise or in the cloud (public or private)
- The extent to which vulnerability is being minimised – password discipline, firewalls, intrusion protection, multi-factor authentication
- How long it is likely to take you to recover from an attack: we review your backup strategy and backup integrity (are restores regularly tested?) and assess the availability of replacement hardware
We’ll write up our findings and make any specific recommendations.
We’d be delighted to help you improve your preparedness. This might include moving some of your systems into Node4’s highly secure data centres or configuring a dedicated 'NAV Vault' for you. This provides:
- An air-gapped, off-site backup service
- A standby Dynamics NAV or Dynamics 365 Business Central environment that we can switch to live on short notice
- Daily incremental SQL database backups
- A weekly, tested restore of the SQL backup database onto your dedicated NAV/Business Central system
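In SQL Server terms, the NAV Vault items above (daily incremental backups, a weekly tested restore) and the earlier backup advice (keep copies off the production server, be able to roll back) come down to a weekly full plus daily differential backup schedule, with the backup files copied to the air-gapped store and a scripted restore onto the standby. The T-SQL below is an added example, not TNP’s or Node4’s own NAV Vault configuration; it assumes a database named NAV_Prod, placeholder backup paths and logical file names, and a hypothetical dbo.RestoreTestLog table for recording test results. Copying the .bak files to immutable, off-site storage happens outside SQL Server and is not shown.

```sql
-- Added example: weekly full + daily differential backup of a Dynamics NAV
-- database, then the weekly tested restore onto a standby instance.
-- Database name, paths, logical file names and the log table are placeholders.

-- 1. Weekly full backup to a share that is NOT on the production server.
--    CHECKSUM detects page corruption at backup time; INIT overwrites the file.
BACKUP DATABASE [NAV_Prod]
    TO DISK = N'\\BACKUP-TARGET\nav\NAV_Prod_FULL.bak'      -- placeholder path
    WITH INIT, CHECKSUM, COMPRESSION, STATS = 10;

-- 2. Daily differential backup: SQL Server's incremental since the last full.
--    Restoring full + the latest differential recovers to that day.
BACKUP DATABASE [NAV_Prod]
    TO DISK = N'\\BACKUP-TARGET\nav\NAV_Prod_DIFF.bak'      -- placeholder path
    WITH DIFFERENTIAL, INIT, CHECKSUM, COMPRESSION, STATS = 10;

-- 3. Cheap media check. This proves the file is readable, not that the data
--    inside it is usable; only a real restore proves that.
RESTORE VERIFYONLY
    FROM DISK = N'\\BACKUP-TARGET\nav\NAV_Prod_FULL.bak'
    WITH CHECKSUM;

-- 4. Weekly tested restore, run on the STANDBY instance under a separate name
--    so the test never touches production. NORECOVERY keeps the database
--    open for the differential that follows.
RESTORE DATABASE [NAV_RestoreTest]
    FROM DISK = N'\\BACKUP-TARGET\nav\NAV_Prod_FULL.bak'
    WITH NORECOVERY, REPLACE, CHECKSUM,
         -- logical file names and target paths are placeholders
         MOVE N'NAV_Prod_Data' TO N'D:\RestoreTest\NAV_RestoreTest.mdf',
         MOVE N'NAV_Prod_Log'  TO N'L:\RestoreTest\NAV_RestoreTest.ldf';

RESTORE DATABASE [NAV_RestoreTest]
    FROM DISK = N'\\BACKUP-TARGET\nav\NAV_Prod_DIFF.bak'
    WITH RECOVERY, CHECKSUM;

-- 5. Prove the restored copy is consistent, and log the outcome so the
--    question "are backups regularly tested?" has an auditable answer.
--    dbo.RestoreTestLog is a hypothetical table, created here if missing.
IF OBJECT_ID(N'dbo.RestoreTestLog') IS NULL
    CREATE TABLE dbo.RestoreTestLog (
        TestedAt     DATETIME2      NOT NULL,
        DatabaseName SYSNAME        NOT NULL,
        Passed       BIT            NOT NULL,
        Detail       NVARCHAR(4000) NULL
    );

BEGIN TRY
    -- CHECKDB raises an error if it finds corruption, which lands in CATCH.
    DBCC CHECKDB (N'NAV_RestoreTest') WITH NO_INFOMSGS, ALL_ERRORMSGS;
    INSERT INTO dbo.RestoreTestLog (TestedAt, DatabaseName, Passed, Detail)
    VALUES (SYSUTCDATETIME(), N'NAV_RestoreTest', 1, N'full + differential restored, CHECKDB clean');
END TRY
BEGIN CATCH
    INSERT INTO dbo.RestoreTestLog (TestedAt, DatabaseName, Passed, Detail)
    VALUES (SYSUTCDATETIME(), N'NAV_RestoreTest', 0, ERROR_MESSAGE());
END CATCH;
```

Two points matter more than the syntax. First, the weekly full backups must be retained for longer than the dormancy period described above (often more than 90 days), and the retained copies must sit on storage the production credentials cannot modify; otherwise the attacker who encrypts the live database can encrypt or delete the backups in the same step, which is exactly what happened to the customer who backed up to the same server. Second, a test restore that fails should page somebody: the Passed = 0 row in the log is the signal that the backup you are relying on is not the backup you have.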
Fundamentally ‘preparedness’ is about two things:
- Minimising the risk of an attack
- Reducing the time it will take you to recover from an attack because, whatever you do to minimise the risk, an attack will come.
TNP and Node4 are here to help you with both. Get in touch to discuss how.