Melbourne bus company Firefly Coaches has avoided becoming the latest victim of ransomware by maintaining redundant and air-gapped storage backups.
Over the weekend the business discovered all of its data held on a local server had been encrypted and its Windows machines were locked down.
A ransom notice was left demanding $5000 for the decryption key to unlock the data. The company's outsourced systems provider Interactive was called in to help.
Dozens of victim businesses have gone on the public record detailing how thousands of dollars had been lost paying ransoms to unlock encrypted data -- or in lost productivity by choosing to cut losses. Police are aware of scores more who have kept their plight quiet.
But Firefly, a small family owned business in Avondale Heights, avoided both scenarios by maintaining regular, tested and air-gapped backups of its data.
Crucially, a second harddisk backup was kept physically separated from the network, preventing attackers from encrypting the data.
Interactive customer support officer Carlo Attana said the business was up and running within two hours of discovering the attack.
"Backups are as import as live data and are only as good as at the stage that you need them," Attana says. "If they are not verified, and tested, then they are basically good for nothing."
The encryption used in most high-end ransomware attacks -- usually distinctive by a ransom demand of thousands of dollars rather than hundreds -- is often too difficult to break, and can only be undermined if implementation flaws exist.
Attana said businesses are increasingly at risk of having their backups encrypted as they migrate from tape to harddisk storage.
"You've got to remove external harddrives, or they will attack them and lock them down."
In keeping with public accounts from ransomware victims and police, the attackers had breached Firefly's network by brute-forcing open RDP credentials.
The function, which allows remote access, was unused and port 3389 has now been disabled.
Trail of victims
In December, a Byron Bay school found its records encrypted and a ransom demanding $5000. The school could not foot the funds and after bargaining with the Eastern-European attacker, forfeited the data and recovered a limited data set from forensic analysis.
In the same month, two South Australian businesses were hit while a gold coast medical practice also became one of many to lose its data to ransomware attackers.
In September, a Northern Territory business had vital financial records encrypted, forcing it to pay a $3000 ransom, while Deanes Buslines in November was similarly confronted with a $3000 ransom after having its critical data locked down.
CERT Australia said stakeholders should consider the following specific mitigations to protect against this cyber security risk.
Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.
Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running Remote Desktop Protocol (RDP) services, as well as computers that are used to access them.
Limit remote access to your systems directly from the Internet.
Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.
Implement account lockout policies (account locks if too many false attempts are made) on your RDP server to reduce the risk from brute forcing attempts.
Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.
Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.
Those affected by ransomware can try Sophos' ransomware decrypter tool to subvert buggy cryptography or its bootable antivirus for locked-down machines.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.