Melbourne biz beats ransomware with backups

Melbourne bus company Firefly Coaches has avoided becoming the latest victim of ransomware by maintaining redundant and air-gapped storage backups.

Flickr

The encryption used in most high-end ransomware attacks -- usually distinctive by a ransom demand of thousands of dollars rather than hundreds -- is often too difficult to break, and can only be undermined if implementation flaws exist. 

Attana said businesses are increasingly at risk of having their backups encrypted as they migrate from tape to harddisk storage.

"You've got to remove external harddrives, or they will attack them and lock them down."

In keeping with public accounts from ransomware victims and police, the attackers had breached Firefly's network by brute-forcing open RDP credentials. 

The function, which allows remote access, was unused and port 3389 has now been disabled. 

Trail of victims

In December, a Byron Bay school found its records encrypted and a ransom demanding $5000. The school could not foot the funds and after bargaining with the Eastern-European attacker, forfeited the data and recovered a limited data set from forensic analysis.

In the same month, two South Australian businesses were hit while a gold coast medical practice also became one of many to lose its data to ransomware attackers. 

In September, a Northern Territory business had vital financial records encrypted, forcing it to pay a $3000 ransom, while Deanes Buslines in November was similarly confronted with a $3000 ransom after having its critical data locked down.

CERT Australia said stakeholders should consider the following specific mitigations to protect against this cyber security risk.

• Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.

• Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running Remote Desktop Protocol (RDP) services, as well as computers that are used to access them.

• Limit remote access to your systems directly from the Internet.

• Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.

• Implement account lockout policies (account locks if too many false attempts are made) on your RDP server to reduce the risk from brute forcing attempts.

• Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.

• Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.

Those affected by ransomware can try Sophos' ransomware decrypter tool to subvert buggy cryptography or its bootable antivirus for locked-down machines.

Copyright © SC Magazine, Australia