Melbourne biz beats ransomware with backups

Powered by SC Magazine

Air-gapped data saves small business $5000.

Melbourne bus company Firefly Coaches has avoided becoming the latest victim of ransomware by maintaining redundant and air-gapped storage backups.

Over the weekend the business discovered all of its data held on a local server had been encrypted and its Windows machines were locked down. 

A ransom notice was left demanding $5000 for the decryption key to unlock the data. The company's outsourced systems provider Interactive was called in to help. 

Dozens of victim businesses have gone on the public record detailing how thousands of dollars have been lost, either paying ransoms to unlock encrypted data or in lost productivity after choosing to cut their losses. Police are aware of scores more who have kept their plight quiet.

But Firefly, a small family-owned business in Avondale Heights, avoided both scenarios by maintaining regular, tested and air-gapped backups of its data.

Crucially, a second hard-disk backup was kept physically separated from the network, preventing the attackers from encrypting that copy of the data.

Interactive customer support officer Carlo Attana said the business was up and running within two hours of discovering the attack.

"Backups are as important as live data and are only as good as at the stage that you need them," Attana says. "If they are not verified, and tested, then they are basically good for nothing."

The encryption used in most high-end ransomware attacks -- usually distinguished by a ransom demand of thousands of dollars rather than hundreds -- is generally too strong to break, and can only be undermined if the attackers made implementation mistakes.

Attana said businesses are increasingly at risk of having their backups encrypted as they migrate from tape to hard-disk storage, because a disk that stays attached to the network is reachable by the same malware that encrypts the live data.

"You've got to remove external harddrives, or they will attack them and lock them down."

In keeping with public accounts from ransomware victims and police, the attackers had breached Firefly's network by brute-forcing the credentials of an RDP service exposed to the internet.

The service, which allows remote access, was not in use, and port 3389 has now been closed.

Trail of victims

In December, a Byron Bay school found its records encrypted and a ransom demand of $5000. The school could not afford the sum and, after bargaining with the Eastern European attacker, forfeited the data and recovered a limited data set through forensic analysis.

In the same month, two South Australian businesses were hit, while a Gold Coast medical practice also became one of many to lose its data to ransomware attackers.

In September, a Northern Territory business had vital financial records encrypted, forcing it to pay a $3000 ransom, while Deanes Buslines in November was similarly confronted with a $3000 ransom after having its critical data locked down.

CERT Australia said stakeholders should consider the following specific mitigations to protect against this cyber security risk.

  • Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.

  • Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running Remote Desktop Protocol (RDP) services, as well as computers that are used to access them.

  • Limit remote access to your systems directly from the Internet.

  • Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.

  • Implement account lockout policies (the account locks if too many failed attempts are made) on your RDP server to reduce the risk from brute-forcing attempts.

  • Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.

  • Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.
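The RDP items in the list above (account lockout, limiting exposure, watching for brute-force attempts) can be checked against logon audit data. The script below is an added example written for this article; it is not code from SC Magazine, CERT Australia or Interactive. It assumes a simplified pipe-delimited export of Windows Security log events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and uses constructed sample events with documentation-range IP addresses. It models two things: which accounts a lockout policy of N failures in a window would have locked, and a per-source detector that flags an address guessing across many accounts, which a per-account lockout alone would not catch.

```python
"""Model an RDP account-lockout policy and detect password guessing
from Windows logon audit events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample events: timestamp|event_id|account|source_ip|logon_type
# 203.0.113.7 guesses several accounts, then logs in; 192.0.2.20 is a
# legitimate user who mistyped a password once. Both addresses are from
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_EVENTS = """\
2014-04-12T02:00:01|4625|administrator|203.0.113.7|10
2014-04-12T02:00:03|4625|administrator|203.0.113.7|10
2014-04-12T02:00:05|4625|admin|203.0.113.7|10
2014-04-12T02:00:06|4625|admin|203.0.113.7|10
2014-04-12T02:00:08|4625|firefly|203.0.113.7|10
2014-04-12T02:00:09|4625|firefly|203.0.113.7|10
2014-04-12T02:00:11|4624|firefly|203.0.113.7|10
2014-04-12T09:15:00|4625|carlo|192.0.2.20|10
2014-04-12T09:15:30|4624|carlo|192.0.2.20|10
"""


def parse_events(text):
    """Parse the simplified export into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, account, ip, ltype = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "account": account,
            "source_ip": ip,
            "logon_type": int(ltype),
        })
    return events


def would_lockout(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts that an account-lockout policy of `threshold` failed
    logons within `window` would have locked (the CERT recommendation)."""
    recent = defaultdict(list)  # account -> failure times inside the window
    locked = set()
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        acct = ev["account"]
        recent[acct] = [t for t in recent[acct] if ev["time"] - t <= window]
        recent[acct].append(ev["time"])
        if len(recent[acct]) >= threshold:
            locked.add(acct)
    return locked


def detect_brute_force(events, threshold=5, window=timedelta(minutes=15)):
    """Flag source IPs with >= threshold failed RDP logons in a sliding
    window, whichever accounts were tried, and record any later success.
    Returns {ip: {"first_failure", "failures", "accounts", "success_as"}}."""
    recent = defaultdict(list)    # ip -> failure times inside the window
    total = defaultdict(int)      # ip -> all failures seen
    tried = defaultdict(set)      # ip -> accounts attempted
    flagged = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == 4625:
            total[ip] += 1
            tried[ip].add(ev["account"])
            recent[ip] = [t for t in recent[ip] if ev["time"] - t <= window]
            recent[ip].append(ev["time"])
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {
                    "first_failure": recent[ip][0], "success_as": None})
                entry["failures"] = total[ip]
                entry["accounts"] = set(tried[ip])
        elif ev["event_id"] == 4624 and ip in flagged:
            # A success from an already-flagged source is the alert that matters.
            flagged[ip]["success_as"] = ev["account"]
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("accounts a 5-in-15min lockout policy would lock:", would_lockout(evs))
    for ip, info in detect_brute_force(evs).items():
        print(f"{ip}: {info['failures']} failures across {sorted(info['accounts'])}, "
              f"first at {info['first_failure']}, success as {info['success_as']}")
```

With the constructed data, the lockout model locks nothing at the default threshold, because no single account accumulated five failures, while the per-source detector flags 203.0.113.7 after its fifth failure and then records the successful logon as `firefly`. That gap is the reason the checklist pairs lockout with limiting internet exposure and two-factor authentication rather than relying on lockout alone.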

Those affected by ransomware can try Sophos' ransomware decrypter tool to subvert buggy cryptography or its bootable antivirus for locked-down machines.

Copyright © SC Magazine, Australia
