Late last week City Power was struck by a ransomware attack forcing the utility to bring its vending system, network and other ICT infrastructure offline.
The team was able to restore some services by Friday but the weekend was likely spent working hard to restore the rest.
Among the myriad questions that followed the news, our biggest was how this happened.
To find out more about ransomware attacks we spoke with Lucas van der Merwe, specialist sales executive dealing with security from T-Systems South Africa.
“This type of attack is normally perpetuated using a Trojan. A user is fooled into downloading or opening a file that is received via email which appears legitimate,” explains van der Merwe.
Of course, there are exceptions to this rule. As we saw in 2017, the WannaCryptor (WannaCry) ransomware was able to self-replicate and spread the infection without user input.
In its State of Email Security Report 2019, Mimecast noted a 26 percent year-on-year increase in the amount of ransomware it sees. This means that businesses should be preparing for when an attack happens rather than if.
“Obviously, prevention is preferred but still fallible. An advanced attack which encrypts data may be impossible to reverse without having access to the encryption key,” van der Merwe explains.
To that end, it makes sense that business owners would want to pay the ransom the criminals demand so as to regain control of their data.
The trouble is that because one is dealing with criminals, there exists the probability that even once the ransom is paid, no decryption key will be provided.
So how does one protect their data against a ransomware attack?
The 3-2-1 method
According to Kate Mollett, regional manager for Veeam in Africa, back-ups are a good way to safeguard your data from ransomware.
“Solid business rules should still apply when it comes to protecting data, and while every organisation tries to mitigate for both internal and external issues which may impact security, one key piece of advice that we have been sharing with the industry for years is our 3-2-1 rule. This rule states that organisations must have at least three copies of their data, store the copies on two different types of media, and keep one backup copy offsite. By following this approach, organisations will always have an available and usable backup of their data and systems,” said Mollett.
That said, if your back-ups themselves contain the ransomware, your business could get stuck in an endless loop of restoring infected back-ups.
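The 3-2-1 rule above is easy to state and easy to drift away from as systems change. The script below, an added example that is not from Veeam, T-Systems or the original article, audits a constructed backup inventory against the rule: at least three copies per dataset, on at least two media types, with at least one copy offsite. It assumes the primary production copy counts as one of the three (a common reading of the rule), and it adds a hypothetical `restore_tested` flag so that a copy nobody has ever restored from is flagged too, which is the practical answer to the infected-backup loop described above. The dataset names, media types and sites are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. Media/location values are constructed sample data."""
    dataset: str
    media: str            # e.g. "disk", "tape", "object-storage"
    site: str             # where the copy physically lives
    offsite: bool         # True if the copy is not at the primary site
    restore_tested: bool  # hypothetical flag: a test restore has succeeded recently


def evaluate_321(copies, min_copies=3, min_media=2, min_offsite=1):
    """Return {dataset: [violations]} where an empty list means the dataset complies.

    The primary production copy is assumed to be listed in `copies` and counts
    toward the copy total (assumption, not a rule stated by the article).
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, ds_copies in sorted(by_dataset.items()):
        problems = []
        if len(ds_copies) < min_copies:
            problems.append(f"only {len(ds_copies)} copies (need {min_copies})")
        media_types = {c.media for c in ds_copies}
        if len(media_types) < min_media:
            problems.append(f"only {len(media_types)} media type(s) (need {min_media})")
        offsite = sum(1 for c in ds_copies if c.offsite)
        if offsite < min_offsite:
            problems.append(f"only {offsite} offsite copies (need {min_offsite})")
        # A backup that has never been restored is not a "usable" backup, so a
        # dataset with no restore-tested copy is flagged even if it meets 3-2-1.
        if not any(c.restore_tested for c in ds_copies):
            problems.append("no copy has a successful test restore")
        report[name] = problems
    return report


def compliant_datasets(report):
    """Names of datasets with no violations."""
    return sorted(name for name, problems in report.items() if not problems)


# Constructed inventory: three fictional datasets of a fictional utility.
SAMPLE_INVENTORY = [
    # Primary copy on disk at head office plus tape onsite and object storage offsite.
    BackupCopy("billing-db", "disk", "head-office", False, True),
    BackupCopy("billing-db", "tape", "head-office", False, True),
    BackupCopy("billing-db", "object-storage", "cloud-region-a", True, True),
    # Primary plus one disk copy on the same site: fails every part of the rule.
    BackupCopy("vending-app", "disk", "head-office", False, False),
    BackupCopy("vending-app", "disk", "head-office", False, False),
    # Three copies, two offsite, but all on disk: fails the "two media" part.
    BackupCopy("hr-files", "disk", "head-office", False, True),
    BackupCopy("hr-files", "disk", "dr-site", True, True),
    BackupCopy("hr-files", "disk", "cloud-region-a", True, False),
]


if __name__ == "__main__":
    for dataset, problems in evaluate_321(SAMPLE_INVENTORY).items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{dataset:12} {status}")
```

Run it as-is to see the sample report; in practice the inventory would be generated from the backup software's job catalogue rather than typed by hand, and the `restore_tested` flag would be set by an actual scheduled test restore.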
User education is still vital
In the heat of the moment it’s very easy to point a finger at an employee for clicking a link they shouldn’t have clicked. While negligence is something that should be addressed, T-Systems South Africa argues that user education is key in fending off ransomware attacks.
“Companies should execute regular cyber awareness initiatives to educate their users. Such programs should be supported by the highest levels in the organisation and continued amendment is required for the content to remain relevant. Individuals should be made aware of the severity of such attacks and obliged to participate in the programs,” says van der Merwe.
The executive points out that phishing attacks are becoming more convincing. To that end, van der Merwe has advice for users.
“The sophistication of these attacks is rapidly increasing and the malicious e-mail may appear to originate from a trusted co-worker and even reference a familiar topic or meeting. If you suspect that you may have been affected, disconnect your device from all networks and seek assistance from the relevant support team,” the executive said.
How long before business as usual?
As of noon on Monday 29th July, City Power appears to still be working to restore its ICT systems. When exactly normal service will be resumed is hard to say and that’s a common thread with ransomware – restoration times differ wildly.
“Recovery from a ransomware attack depends on a multitude of factors including the type of attack, access to recent unaffected backups, the extent/size of the affected data set, performance of the systems in restoring the backups and the type of system affected,” says van der Merwe.
Restoration can take anywhere from 24 hours to months depending on the damage that has been done.
But while systems are being restored, business cannot continue as usual, as Mollett explains.
“Downtime is not just an IT problem, it’s the entire leadership team’s problem,” says Mollett.
Ransomware has once again been thrust into the public conversation, and while businesses have been making moves to secure their houses, we do wonder how government and the public sector are securing their systems.
Here’s hoping this attack alerts the public sector to the dangers it faces, or else we might find our utilities the target of continuous, unrelenting cyber attacks.