Melbourne biz beats ransomware with backups

By on
Melbourne biz beats ransomware with backups
Flickr

Air-gapped data saves small business $5000.

Melbourne bus company Firefly Coaches has avoided becoming the latest victim of ransomware by maintaining redundant and air-gapped storage backups.

Over the weekend the business discovered all of its data held on a local server had been encrypted and its Windows machines were locked down. 

A ransom notice was left demanding $5000 for the decryption key to unlock the data. The company's outsourced systems provider Interactive was called in to help. 

Dozens of victim businesses have gone on the public record detailing how thousands of dollars had been lost paying ransoms to unlock encrypted data -- or in lost productivity by choosing to cut losses. Police are aware of scores more who have kept their plight quiet.

But Firefly, a small family owned business in Avondale Heights, avoided both scenarios by maintaining regular, tested and air-gapped backups of its data. 

Get the latest on ransomware attacks

Crucially, a second harddisk backup was kept physically separated from the network, preventing attackers from encrypting the data.

Interactive customer support officer Carlo Attana said the business was up and running within two hours of discovering the attack.

"Backups are as import as live data and are only as good as at the stage that you need them," Attana says. "If they are not verified, and tested, then they are basically good for nothing."

The encryption used in most high-end ransomware attacks -- usually distinctive by a ransom demand of thousands of dollars rather than hundreds -- is often too difficult to break, and can only be undermined if implementation flaws exist. 

Attana said businesses are increasingly at risk of having their backups encrypted as they migrate from tape to harddisk storage.

"You've got to remove external harddrives, or they will attack them and lock them down."

In keeping with public accounts from ransomware victims and police, the attackers had breached Firefly's network by brute-forcing open RDP credentials. 

The function, which allows remote access, was unused and port 3389 has now been disabled. 

Trail of victims

In December, a Byron Bay school found its records encrypted and a ransom demanding $5000. The school could not foot the funds and after bargaining with the Eastern-European attacker, forfeited the data and recovered a limited data set from forensic analysis.

In the same month, two South Australian businesses were hit while a gold coast medical practice also became one of many to lose its data to ransomware attackers. 

In September, a Northern Territory business had vital financial records encrypted, forcing it to pay a $3000 ransom, while Deanes Buslines in November was similarly confronted with a $3000 ransom after having its critical data locked down.

CERT Australia said stakeholders should consider the following specific mitigations to protect against this cyber security risk.

  • Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.

  • Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running Remote Desktop Protocol (RDP) services, as well as computers that are used to access them.

  • Limit remote access to your systems directly from the Internet.

  • Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.

  • Implement account lockout policies (account locks if too many false attempts are made) on your RDP server to reduce the risk from brute forcing attempts.

  • Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.

  • Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.

Those affected by ransomware can try Sophos' ransomware decrypter tool to subvert buggy cryptography or its bootable antivirus for locked-down machines.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
backup cert australia encryption ransomware rdp security sophos storage

Sponsored Whitepapers

Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Future of work: Support your distributed HR workforce with digital document processes
Future of work: Support your distributed HR workforce with digital document processes
Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights

Events

Most Read Articles

Westpac replaces branch phone systems with iPhones, Teams Calling

Westpac replaces branch phone systems with iPhones, Teams Calling
Australia Post nears end of massive telco transformation

Australia Post nears end of massive telco transformation
Westpac loses its group head of data and advanced analytics

Westpac loses its group head of data and advanced analytics
NBN Co to charge free fibre recipients that don't stick with higher speed plans

NBN Co to charge free fibre recipients that don't stick with higher speed plans

Log In

Email:
Password:
  |  Forgot your password?