Ransomware attacks are among today’s most significant organisational threats. They aim to lock organisations out of their systems and files (usually through encryption). They’re designed to cause so much disruption and chaos that for most organisations paying the ransom appears to be the only feasible course of action to recover critical business systems.
Despite this reputation, ransomware is like most other types of malware; it’s typically delivered by email and usually preventable if the correct controls and user education is in place.
It attempts to damage not only critical business systems, but the infrastructure and systems designed to protect and recover those systems, during such events. The major difference between ransomware and other malware is in the kill-chain (the step-by-step approach attackers use during a cyber attack) and the down-level impact on systems and services used for recovery. This is why there are certain steps that entities should take in advance to plan for and facilitate recovery.
As an example, consider a hypothetical entity that has invested heavily in a data protection and recovery solution that reduces recovery point and time objectives (key disaster recovery metrics) down to minutes or even seconds with hot and online standbys. It might find its recovery system rendered useless if the ransomware is able to spread to other systems, including the replicas and recovery sites.
When under a ransomware attack, unprepared entities may find:
- their data protection systems and online replicas are also infected with ransomware
- they must resort to traditional backup and recovery
- they have neglected to invest in their traditional backup systems in lieu of online replicas and hot-standby systems
- the backup/recovery servers they now need to rely on may also have been impacted by the ransomware incident, due to lateral movement.
What can entities do?
- Research and understand the value of traditional backup and recovery systems, particularly those with offline/immutable copies (or alternative protection mechanisms).
- Implement additional encryption and security controls on backups, so even if an attacker can escalate privileges to administrator level, backups remain secure.
- Challenge all accepted disaster recovery norms and assumptions (that is, expect not to be able to use online replicas, backup servers, device deployment systems, and so on during a ransomware attack).
- Plan for an attack and test ransomware recovery by simulating scenarios like the example above.
- Talk to your software service providers, cloud service providers, and so on, and make sure they have their own plans and testing in place.
- Make sure backups are secured, immutable and kept away from corporate networks.
- Above all LEARN and DOCUMENT, ensuring your recovery playbooks consider the above scenarios and are updated annually after each test.
Other advice
- Prevention is better than recovery but always plan for compromise.
- Build your support networks in advance (know your contacts at the Queensland Government Cyber Security Unit (CSU), understand whole-of-government indemnity, and/or consider partnering with a third-party digital forensics and recovery partner).
- Security is all about layering protection – there is no one product or solution that can protect against all threats. Layer your controls. Start with the Australian Cyber Security Centre’s Essential Eight.
- The most common attack method is phishing emails and calls, so train your staff to know what to look out for. Regular training and reminders should be your first line of defence; help educate staff to be your greatest ally, rather than your greatest risk.
- Ensure your chief executive officer and board (if you have one) understand the operational and reputational impacts of a successful attack.
Resources
- Queensland Government’s Cyber Security Unit
- Australian Cyber Security Centre’s Essential Eight
QAO reports to parliament
- Managing cyber security risks (Report 3: 2019–20)
- Security of critical water infrastructure (Report 19: 2016–17)
- Traffic Management Systems (Report 5: 2013–14)
QAO blog posts
- Increasing concerns around cyber security risks
- The role of governance committees in managing cyber security risks
- Evolving digital services in government
- Are your ‘everyday’ internal controls strong enough to prevent a fraud attempt?
- Have you considered physical security as part of your cyber security strategy?
- Learnings from our cyber security report to parliament
- Returning to the office: does this affect your control environment?
Glossary of terms
Ransomware |
A type of malware designed to lock organisations out of their systems and files (usually through encryption). The attacker will typically demand a ransom to decrypt or provide access to the files and systems and/or threaten to leak the organisation’s information publicly. |
Kill chain |
A step-by-step approach attackers use during a cyber attack (which is also used by cyber security teams to defend against attacks). |
Recovery point objective |
The maximum acceptable data loss after a data-loss incident, expressed as an amount of time. |
Recovery time objective |
The expected time taken to recover a system or systems, after a disaster/disruption. |
Immutable backup |
A backup that is fixed, unchangeable and can never be deleted. |
ACSC Essential Eight |
The Australian Cyber Security Centre’s eight essential strategies for protecting against cyber attacks, limiting the impact of cyber attacks, and improving recovery in the event of an attack. |