Protecting data from ransomware attacks. We talk to an expert.
At TIMG, we have a wealth of talent and we value our industry connections who contribute to our broader mission. We caught up with Adam Marshall, to talk about Ransomware and the steps businesses can take to mitigate risk.
“Ransomware is one of the most important IT security topics of the last decade and is continuing to impact organisations the world over.”
– Adam Marshall, Technical Account Manager at New Relic
Q – Adam, thanks for agreeing to have a chat with us today about the prevalence and threat of ransomware attacks. Before we get started, can you tell us more about your tech background and your time at TIMG?
AM – No worries, thanks for the invite to catch up. As you know, I was the Cloud Backup and Data Restoration Consultant for TIMG Australia which meant I worked very closely with your Online Backup, eBusiness and Sales and Account Management teams. Externally, I worked directly with clients and industry partners to develop online backup and disaster recovery solutions. I also looked after the data recovery business at TIMG, mainly from legacy media such as data tapes. So, I dealt with the cutting edge of backup and disaster recovery software across the public, private and hybrid clouds, as well as dusty old tapes from the turn of the century, found in old storerooms, with who knows what on them!
Q – OK, so what is ransomware?
AM – In essence, a ransomware attack, also known as crypto malware, is a type of malware attack that locks data by encrypting it. A message is then presented to the attacked party requesting payment to recover files, sometimes also threatening to expose private data. If the payment is not made, the encryption key is destroyed by the attackers and the data is not recoverable. In many cases, if the payment is made, the key is still not provided. Typically, there is a very short window for payment to be made, usually 3 days.
Q – How long has ransomware been around?
AM – The first ransomware-type virus was released via floppy disk in 1989! Whilst this attack was very unsophisticated and easy to circumvent, it was the first example of a computer virus being used to extort money. It also had one of the greatest lines I’ve ever seen in an End User License Agreement – “You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life… and your [PC] will stop functioning normally…”
A bit of a game changer came along in 2009 when the Bitcoin digital currency was released, and by July of 2013 a single bitcoin was worth $110 USD – today, a single Bitcoin can be worth as much as $75,000 USD! This decentralised, unregulated digital currency was the perfect means by which to conceal the ransomware money trail, and while we are not inferring that cryptocurrency is used for criminal purposes, it was a perfect storm moment back in 2013 where criminal elements managed to exploit a digital loophole to conceal money trails. Today, internet scammers and criminal syndicates still commonly use Apple store cards and pre-paid Visa debit cards as payment options for victims.
Q – How does an organisation mitigate risk and recover from a ransomware attack?
AM – The only foolproof way to recover from a ransomware attack is to restore data from a good backup set. And whilst good cybersecurity practices are of utmost importance to avoid as many incidents as possible, properly implemented, well tested backups are the most crucial part of a robust data protection strategy. In my opinion, engaging a qualified third party, like TIMG, to discuss and review your backup and recovery strategy, is the only way to get an independent opinion on the cost of a real data security plan.
Q – Is there a moment or incident that you can recall when ransomware switched into overdrive – from being something that is reported now and then to becoming a widespread phenomenon?
AM – Yes, I do actually. In September of 2013, arguably the most famous ransomware variant, CryptoLocker, first appeared. This attack used a large botnet (a group of infected computers controlled remotely and used to make further attacks), targeting primarily office documents and AutoCAD files, and from then until 18th December 2014 an estimated $30 million USD worth of Bitcoin was paid to ransomware attackers. This signalled the first large-scale, organised ransomware attack specifically aimed at businesses, and it was only shut down thanks to a targeted operation by the US Department of Justice.
I was working as a Systems Administrator in Sydney at the time and vividly remember the stir in the IT community. Ransomware and protection methodologies were being discussed on all the industry forums, and not a week went by without a post by someone completely unprepared being hit. After the CryptoLocker shutdown, the buzz died down somewhat but has steadily grown since then, with a new variant coming out every other week. One of the most major events since then was the WannaCry attack. This attack particularly highlighted the risk of running out-of-date or unpatched Windows operating systems, as up-to-date systems were not vulnerable to the attack. It was also unique in that no one who paid the ransom received a decryption key, and furthermore it was mitigated thanks to a young UK-based cyber security freelancer, who discovered a “kill switch” in the code, bought the kill-switch domain and effectively shut down the worldwide attack.
Q – Adam are there steps organisations can take to prevent an attack?
AM – There are steps everyone in an organisation can take to help prevent an attack and ensure that if/when one happens, the impact is easily mitigated. Firstly, there is a need for a proper cybersecurity policy that spells out a ‘best practice’ guide for all staff, because it really is down to the end user to understand that everything they have access to is ultimately vulnerable to a ransomware attack. Users need to be very cautious, not only with emails from unknown sources, but also from seemingly known sources – it is, for instance, very easy to mistake a domain name – emails from domains with extra letters that slip through our consciousness, or even from the correct domain.
The best rule of thumb is – was I, or would I, expecting an email of this sort from this person? Would they send me a link like this or this sort of attachment? To prevent malvertising and drive-by downloads, we need to be especially circumspect with our browsing at work or on any device with important data. And at the end of the day, communication is key – call the person purporting to send the email to confirm it, and for ANYTHING you think is even slightly suspicious – talk to your IT department to confirm. They have the tools and skills to safely verify suspect data and prevent it occurring again in the future.
Q – Adam thank you very much for your time today. What’s your last bit of advice to people who maybe don’t know the risk associated with cyber crime?
AM – It’s my pleasure. Those who know me are tired of hearing me bang on about this and I will do so again –
No 1: Backups, backups, secure, air-gapped backups!
No 2: If you are unsure of an email or link, check with your IT staff – it’s better to wait for 15 minutes to be sure of something than risk a possible attack. It’s as easy as that.