The rise and rise of ransomware in Australia


    By Derek Cowan

    Current restrictions might have slowed business activity and disrupted daily life, but COVID-19 has done nothing to hinder the activities of cybercriminals. In fact, it has sadly encouraged them.

    Lured by the prospect of strong financial terms, criminals continue to hone their techniques and seek out potential targets. Indeed, according to a report from the Australian Cyber Security Centre (ACSC), a cybercrime is reported, on average, every 10 minutes*.

    Of all the threats currently circulating, the ACSC says the most significant for Australian businesses is ransomware. This is due to the fact that the technique requires only minimal technical expertise yet results in significant impact on an organisation far beyond just downtime. In fact, a lot of businesses suffer more from the reputational damage of being attacked, and a lack of customer faith as a result. This is something that we see too, and the concern is becoming a major reason for businesses to re-evaluate data protection partners outside of normal hardware and software refreshes.

    Defending against ransomware, therefore, is something that must be on the priority list of every Australian business. The first step in this process is understanding where weak points exist and how they are being exploited. These can be summarised in three key points:


    1. Humans are still your weakest link

    All it takes is one click on an unscreened phishing link and – job done – the network defences are breached and the malware is in!

    Hardening those defences against human fallibility calls for a mix of awareness training plus tools to filter out malicious content before it can cause harm. However, it’s a far from precise science and even the best laid plans need to be kept under review and continuously adapted to cope with the furious rate at which ransomware is evolving.

    Take the massive rise in home working during the pandemic, for example, gifting hackers a whole new and very naïve audience, unfamiliar with protecting themselves from threats. According to security vendor Kaspersky, that led to Microsoft RDP (Remote Desktop Protocol) attacks soaring globally in the wake of the coronavirus lockdown.

    2. They know where you live

    Hackers are waking up to the fact that different industries present their own unique vulnerabilities, and they are now exploiting this by moving away from scattergun phishing expeditions towards more targeted attacks. Some, for example, focus on individual businesses, typically high-profile organisations with the most to lose, while others target a particular sector using malware tailored to the IT used by that industry.

    One recent example was the ransomware attacks on logistics company Toll. The company revealed it had suffered two attacks that caused significant disruption and led to it shutting down IT systems as it worked to resolve the issue.

    3. Pressure is the perfect driver

    Ransomware is becoming a much more diversified “business”. As well as being locked out of critical data, for example, victims are now threatened with the release of sensitive data harvested during the encryption attack, either simultaneously or as a follow-up demand.

    There is also growing evidence of ransomware routinely targeting backup and disaster recovery systems as well as live data, or at least appearing to do so, because it takes time to verify the integrity of these last-ditch defences and that delay adds to the pressure on the victim.

    Keeping pace with ransomware

    This begs the question: what can a typical enterprise-scale organisation do to protect itself against what is fast becoming the number one threat to its core IT systems?

    There are no easy answers or simple tools that will do it all for you. Moreover, it’s mostly baby steps rather than a big leap: delivering better end-user security awareness and training, updating anti-malware tools on the desktop and back-end infrastructure, and making sure backup strategies and tools are robust enough to stifle ransomware threats and enable a rapid recovery.

    All are worthy of review but, as the last line of defence, it’s backup that’s the most important, especially given the widespread use of NAS (Network Attached Storage) appliances to support backup and archiving which, by their very nature, are an easy target.

    It’s the “network-attached” bit that puts NAS appliances most at risk, making them easy to identify and, once found, easy to attack, often without anyone knowing until the ransom demands hit the inbox.

    The first line of defence is to lock down the network to which NAS appliances are attached while, at the same time, ensuring that NAS firmware is up to date with all the latest security patches applied. Beyond that, it’s worth taking advantage of two-factor authentication, where available, and the use of SSL to better secure remote access, if used.

    Other features worth looking for include automatic blocking of IP addresses following repeated failed ‘brute force’ login attacks plus the use of onboard data encryption and NAS-specific firewalls.

    A belt-and-braces approach is the most secure, which means taking frequent and regular backups of NAS storage and storing those copies remotely (preferably off site) and unconnected to the network. This is the only way of ensuring there’s a clean, restorable version of your data that’s not too old to be of use. Bear in mind, however, that this should be combined with regular integrity checks and malware scans to ensure the data being copied hasn’t been compromised already.

    It’s clear that the threat of ransomware remains very real for Australian businesses. But there are things you can do right now to ensure you have a level of protection that can outstrip the attackers’ attempts:

    Defend Backup Data – Staying vigilant and having in place effective protection measures such as immutability, encryption inflight and at rest, air-gapped backups, and WORM technology (write once, read many) can really ensure you have a strong defensive line.

    Restrict Access – The ability to restrict access to systems and workloads is also a vital component, so ensuring you have role-based access control (RBAC) and multi-factor authentication will limit the damage an attacker can do, while also lowering the chance of falling victim significantly.

    Detect – Ransomware can sit on a server for some time. Each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath. Vulnerability scanning is a useful technique, looking for missing updates and upgrades to applications that present opportunities for attackers. Ransomware detection is possible with technology that evaluates change rates of data and assesses anomalies in data transfer, access and other patterns against your regular behaviour – a bit like the fraud check a credit card company performs when it notices irregular spending or new merchants.

    Response – Possibly the most important part of dealing with ransomware. How you recover, when you can recover, and IF you can recover, are absolutely key.
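    As an added example (not code from this article or from Cohesity), this is the change-rate check described under Detect above, run over a constructed series of daily backup snapshot statistics for one file share. The field names (`changed_pct`, `entropy`), the 3-standard-deviation threshold and the entropy floor are assumptions chosen for illustration.

```python
"""Change-rate anomaly check for backup snapshots (added example, not vendor code)."""
from statistics import mean, pstdev

# Constructed sample data: one entry per daily backup of a single share.
# changed_pct = percentage of files modified since the previous snapshot.
# entropy     = mean Shannon entropy (bits/byte) of the changed files' contents (0-8).
# The last day is constructed to look like a mass-encryption event.
SNAPSHOTS = [
    {"day": "2020-06-01", "changed_pct": 1.9, "entropy": 4.6},
    {"day": "2020-06-02", "changed_pct": 2.4, "entropy": 4.8},
    {"day": "2020-06-03", "changed_pct": 1.7, "entropy": 4.5},
    {"day": "2020-06-04", "changed_pct": 2.2, "entropy": 4.7},
    {"day": "2020-06-05", "changed_pct": 2.8, "entropy": 5.0},
    {"day": "2020-06-06", "changed_pct": 2.0, "entropy": 4.6},
    {"day": "2020-06-07", "changed_pct": 2.6, "entropy": 4.9},
    {"day": "2020-06-08", "changed_pct": 71.3, "entropy": 7.9},
]


def baseline(history, key):
    """Mean and population standard deviation of one metric over earlier snapshots."""
    values = [s[key] for s in history]
    return mean(values), pstdev(values)


def score_snapshot(snapshot, history, z_threshold=3.0, entropy_floor=7.5, min_history=3):
    """Compare one snapshot with the snapshots before it. Returns a list of reasons
    it looks like an encryption event; an empty list means it matches normal behaviour."""
    if len(history) < min_history:
        return []  # assumption: too little baseline to judge, so do not alert
    mu, sigma = baseline(history, "changed_pct")
    delta = snapshot["changed_pct"] - mu
    # With zero spread in the baseline, any increase at all is out of pattern.
    z = delta / sigma if sigma > 0 else (float("inf") if delta > 0 else 0.0)
    reasons = []
    if z > z_threshold:
        reasons.append(f"change rate {snapshot['changed_pct']:.1f}% is {z:.1f} sd above "
                       f"baseline {mu:.1f}%")
        # Encrypted files look like random bytes, so high entropy corroborates the spike.
        # Entropy alone is not used: legitimate compressed archives score just as high.
        if snapshot["entropy"] >= entropy_floor:
            reasons.append(f"changed data entropy {snapshot['entropy']:.1f} bits/byte "
                           f"(encrypted-looking)")
    return reasons


def flagged_days(snapshots, **kw):
    """Walk the series in order, scoring each day only against the days before it."""
    return [s["day"] for i, s in enumerate(snapshots) if score_snapshot(s, snapshots[:i], **kw)]


if __name__ == "__main__":
    for day in flagged_days(SNAPSHOTS):
        print(day, "->", "; ".join(score_snapshot(SNAPSHOTS[-1], SNAPSHOTS[:-1])))
```

    Scoring each day against only its predecessors mirrors how a backup platform would run this nightly; the baseline window and thresholds would be tuned per share, since a code repository and a document archive have very different normal change rates.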

    Risks related to cybersecurity and data governance are now the top concerns of chief executives and corporate boards. Something has to give, and either uncertainty around cybersecurity and data handling will seriously impact business performance, or CEOs and fellow business leaders will develop ways of managing this risk better and with more transparency. Those who can achieve growth will view cybersecurity as necessary and (potentially) equal to other fundamental business concerns, such as finance and HR.

    * Cybercrime in Australia 2019

    Derek Cowan
    Derek Cowan is Director of Systems Engineering, APAC for Cohesity where he has a keen focus on data infrastructure management in support of public and private sector enterprise customer organisations. He has 25 years of experience in the IT industry having worked in technology engineering consultant positions for leading organisations, including IBM, EMC, VMware, Nimble Storage and Microsoft.