Held to ransom
Responding to a ransomware attack is best done with the help of specialists and by ensuring you have committed your recovery plans to muscle memory.
Quick take
- Ransomware attacks are still a common cyber threat and you won’t know you have been attacked until it’s too late.
- If attacked, best practice is to call on a response team, which comes as part of your cyber insurance cover or that you can engage on a retainer basis.
- The key to getting back up and running quickly after an attack is to have a well-tested recovery system in place that includes an offline backup hackers cannot access.
If your firm hasn’t been the target of a ransomware attack yet, experts say it’s just a matter of when, not if.
An April 2023 survey found over half of Australian and New Zealand organisations had experienced a ransomware attack in the six months prior. It is consistent with global figures for 2022 that show the number of organisations attacked was 66%, according to a Sophos report.
A ransomware attack, where attackers gain access to your systems and freeze them (called encrypting), then demand a ransom to release your data, is not the only cyber threat accounting firms need to worry about. However, it is one of the more common ones, mainly because firms possess sensitive client data that hackers know they can demand a hefty price tag for.
Just ask victims Nexia Melbourne and PKF Perth, where their quick action and IT infrastructure mitigated the threats. Nexia Melbourne emerged unscathed in 2020, but in 2021 PKF Perth wasn’t so lucky. Even though PKF shut it down in just four minutes, the firm still needed to inform clients, as the hackers had managed to encrypt one directory on its server.
Statistics indicate ransomware attacks may have peaked a few years ago but they are still occurring at high rates and attacker strategies have evolved.
Anu Kukar CA, managing director and cybersecurity strategy lead at Accenture ANZ, says she is seeing hackers going after multiple stakeholders in an organisation, including directors, employee family members, customers and suppliers. The trouble is you won’t know of the breach until the ransom notice appears.
Pictured: Anu Kukar CA, Accenture ANZ. Image credit: Graham Jepson
Don’t touch anything
Hackers can spend weeks and months coasting around your digital environment searching for critical information – like an Excel spreadsheet titled passwords, bank details and cyber insurance coverage – to determine what they can ransom.
Once they have identified their bounty, they delete the firm’s backups and detonate ransomware, freezing you out of your working environment. A ransom note on your computer screen is likely to be the first time you learn of the attack.
At this point do not touch anything. Under no circumstances make contact with the attackers. That is the advice from Simon Goodall, cyber incident manager at Solis Security, which is owned by CFC.
“Do not contact the attacker, as things can go south very quickly. And don’t try and fix or delete anything, because it’s very much a forensic crime scene and any changes to the environment limit our forensic visibility,” says Goodall.
“If you’ve got cyber insurance, call your provider immediately. If you don’t have cyber insurance, call a cyber incident response specialist to come in and assist you. I’ve seen many IT providers, internal or external, try to fake it until they make it and they end up losing data.”
Calling in the specialists
Ransomware attack response is a specialist skill that IT providers are unlikely to have. A response team comes with an army of specialists to the crime scene – including forensic analysts, negotiators, legal experts and PR people – to help minimise losses and restore the working environment.
Joseph Fitzgerald, partner at Wotton + Kearney New Zealand, says a response team works in partnership with a firm’s IT providers to assess the attack and determine what has been stolen, which includes forensic analysis and contacting the attackers with a request to prove what data has been taken.
“Specialist response teams do this day in, day out. Because certain attack groups are so prolific, there’s quite a lot of information out there about how they operate. Going in cold when you’ve never been involved in one of these negotiations before is not the way to go,” Fitzgerald says.
A response team will usually be part of cyber insurance coverage, something Fitzgerald highly recommends. For firms who struggled to get cyber insurance a year ago, he says it is worth trying again because the market has settled and getting
coverage should be easier.
Initiative Group recently secured cyber insurance for their firm, which costs them A$1000 per year. Director Kim Jay CA says the process was easy and only took a week, probably because of their firm’s strong cyber hygiene credentials.
“Our firm has been using cloud-based software for around a decade. We find these providers are more often than not at the forefront of implementing tight security as standard practice. For example, we’ve been using two factor authentication for over five years, and we also have internal policies for cybersecurity and provide regular training and updates for our team,” Jay says.
You can also pay a cyber specialist team a retainer for a range of cyber-related services, including on-call support in the case of an attack. Goodall says the cost can be equivalent to hiring an in house security engineer, with experts on call 24/7.
Recovery depends on backups
The other key asset to have in an attack is a proven recovery system. For firms that do, return to normal business operations can be days or a week. For firms that don’t, where backups have been deleted by hackers, you could be offline for weeks and even months, while specialists and your IT team attempt to recoup what data they can find.
Kukar says the key to ensuring you can recover quickly from a ransomware attack is having a playbook in place that has been tested and has become muscle memory for staff, similar to a fire-drill response.
“A playbook goes through what you will do when a ransomware attack happens. Who’s meant to be doing what and what’s the timeframe? Who do you need to call?” says Kukar.
“We run simulations with boards, executive teams and crisis management teams to put them through the stress and build skills so they are prepared.”
Having the right backup strategy is part of the playbook. Nexia Melbourne was only offline for 12 hours during its attack, because the firm had an offsite server hackers could not access.
Goodall advises having at least one backup version on a cloud-based platform that is disconnected or ‘air-gapped’ from your firm’s network. “If you’ve got backups that are viable, in the event of an attack you can start restoring from those backups while a response team works on the forensics. That’s probably the quickest way you can get back up and running,” he says.
“Make sure you’ve also got the basics like firewall and endpoint detection software [EDR] on all of your machines, and make sure everything is maintained and up to date.”
To pay or not to pay
Many victims of attacks who do have adequate recovery systems in place end up paying the ransom to get their data back. Government and experts sing from the same song sheet on ransoms: do not pay. The risk of paying is that the attackers provide you with a key to unfreeze the data (called a decrypter) as promised, but the decrypter does not work. Or they release your data onto the dark web anyway and mark you down for another attack, knowing you will pay.
“It is invariably cheaper in the vast majority of cases to rebuild than it is to consider paying a ransom,” says Fitzgerald.
“We would never advise someone to pay to avoid a leak of information on the dark web because, from a privacy perspective, the damage has already been done. Attackers are putting stuff up months after attacks, so you can’t assume that because it’s been six weeks that it’s not going to go up.”
A ransom payment appears to be an act of last resort when all data retrieval efforts have failed. Should a firm reach that point, Kukar says a playbook is crucial to ensure you are doing the right thing by your business and the law.
She says this includes how you would arrive at a decision to pay or not to pay, who makes that call, and the legal and insurance implications.
Notify the right stakeholders
A playbook can also guide you on notifying stakeholders when you need to.
In Australia, if the attack is likely to cause serious harm and your firm’s annual turnover is more than A$3 million, you will need to notify the Office of the Australian Information Commissioner (OAIC).
The Australian Cyber Security Centre (ACSC) asks you to notify it as well, and it could be prudent to add the Australian Prudential Regulation Authority (APRA) to your list.
In New Zealand, privacy breaches need to be shared with the Office of the Privacy Commissioner (OPC) within 72 hours of the breach occurring. It’s recommended you also notify New Zealand’s Computer Emergency Response Team (CERT NZ) but, as with the ACSC, it is not mandatory.
The experts say to lean on a response team for the timing of these notifications. Fitzgerald says a response team often comes with PR and crisis communications support for help with communications to clients and other key stakeholders.
“It’s not to try and make yourself look good and burnish your reputation. It’s to ensure that you’re providing information that’s helpful and you’re not leaving any ambiguity,” he says.
“Do not contact the attacker, as things can go south very quickly. And don’t try and fix or delete anything.”
Avoid the crime
Instead of being a victim, it’s naturally better to avoid the crime. Multi-factor authentication (MFA) is one of the key defences against a ransomware attack. That’s why it is one of the Essential Eight mitigation strategies put forward by the Australian Signals Directorate, and is also one of CERT NZ’s Critical Controls. All of the experts agreed that putting in place the Essential Eight or Critical Controls will go a long way in protecting your firm, and that the majority of ransomware attacks they have seen would not have occurred if people had followed these protective steps.
“The overwhelming majority of attacks we see are not complicated. It’s the same things coming up time and time again: no MFA on remote access, people clicking on links they shouldn’t because they haven’t had training, or backups that don’t work the way they should,” Fitzgerald says.
“So, if you look at those mitigation tips, you’ll be in a really good place.”
Ransomware in numbers
1. Globally in the first half of 2023, the second most targeted industry for ransomware attacks was professional services, including law firms. The prevailing industry – by a margin of a mere 0.2% – was internet software and services.
2. In 2022, if businesses had adequate backups 45% were up and running one week after an attack, while 24% took between one and six months to recover.
3. One in five New Zealand businesses has no plan to deal with a cyberattack.
4. In the attack on law firm HWL Ebsworth in Australia this year, the attackers requested a US$4.6 million ransom. The global average ransom request in 2022 was US$1.54 million.
5. Ransoms were paid 46% of the time in 2022, with larger organisations more likely to pay.
Sources: 1. Flashpoint Cyber Threat Intelligence Index: 2023 Midyear Edition; 2. Sophos The State of Ransomware 2023; 3. Kordia New Zealand Cyber Security Report 2023; 4. and 5. Sophos The State of Ransomware 2023.
The other threat: business email compromise
Another growing cyber threat, according to the experts, is business email compromise. This is where attackers gain access to your mailbox and hang around to spot an email involving a payment. The attacker will send an email on your behalf, without you knowing, requesting that a supplier payment be made to their own bank account, robbing you of those funds.
To avoid this type of attack, Simon Goodall recommends using unique passwords for your email account and portal logins, ensuring you have multi-factor authentication (MFA) enforced, and avoid using SMS-based MFA.