Melbourne biz beats ransomware with backups

By on
Melbourne biz beats ransomware with backups
Flickr

Air-gapped data saves small business $5000.

Melbourne bus company Firefly Coaches has avoided becoming the latest victim of ransomware by maintaining redundant and air-gapped storage backups.

Over the weekend the business discovered all of its data held on a local server had been encrypted and its Windows machines were locked down. 

A ransom notice was left demanding $5000 for the decryption key to unlock the data. The company's outsourced systems provider Interactive was called in to help. 

Dozens of victim businesses have gone on the public record detailing how thousands of dollars had been lost paying ransoms to unlock encrypted data -- or in lost productivity by choosing to cut losses. Police are aware of scores more who have kept their plight quiet.

But Firefly, a small family owned business in Avondale Heights, avoided both scenarios by maintaining regular, tested and air-gapped backups of its data. 

Get the latest on ransomware attacks

Crucially, a second harddisk backup was kept physically separated from the network, preventing attackers from encrypting the data.

Interactive customer support officer Carlo Attana said the business was up and running within two hours of discovering the attack.

"Backups are as import as live data and are only as good as at the stage that you need them," Attana says. "If they are not verified, and tested, then they are basically good for nothing."

The encryption used in most high-end ransomware attacks -- usually distinctive by a ransom demand of thousands of dollars rather than hundreds -- is often too difficult to break, and can only be undermined if implementation flaws exist. 

Attana said businesses are increasingly at risk of having their backups encrypted as they migrate from tape to harddisk storage.

"You've got to remove external harddrives, or they will attack them and lock them down."

In keeping with public accounts from ransomware victims and police, the attackers had breached Firefly's network by brute-forcing open RDP credentials. 

The function, which allows remote access, was unused and port 3389 has now been disabled. 

Trail of victims

In December, a Byron Bay school found its records encrypted and a ransom demanding $5000. The school could not foot the funds and after bargaining with the Eastern-European attacker, forfeited the data and recovered a limited data set from forensic analysis.

In the same month, two South Australian businesses were hit while a gold coast medical practice also became one of many to lose its data to ransomware attackers. 

In September, a Northern Territory business had vital financial records encrypted, forcing it to pay a $3000 ransom, while Deanes Buslines in November was similarly confronted with a $3000 ransom after having its critical data locked down.

CERT Australia said stakeholders should consider the following specific mitigations to protect against this cyber security risk.

  • Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.

  • Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running Remote Desktop Protocol (RDP) services, as well as computers that are used to access them.

  • Limit remote access to your systems directly from the Internet.

  • Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.

  • Implement account lockout policies (account locks if too many false attempts are made) on your RDP server to reduce the risk from brute forcing attempts.

  • Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.

  • Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.

Those affected by ransomware can try Sophos' ransomware decrypter tool to subvert buggy cryptography or its bootable antivirus for locked-down machines.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
backup cert australia encryption ransomware rdp security sophos storage

Most Read Articles

Telstra to have Australian agents answer all inbound calls from 2022

Telstra to have Australian agents answer all inbound calls from 2022
Critical F5 BIG-IP vulnerability made public

Critical F5 BIG-IP vulnerability made public
CBA hit by nine-hour online banking, payments outage

CBA hit by nine-hour online banking, payments outage
Govt ponders new sovereignty rules for datasets

Govt ponders new sovereignty rules for datasets
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?