Lessons from a ransomware attack
- Published: Friday, 26 April 2019 07:47
In the wake of a reported ransomware attack on global manufacturing firm Aebi Schmidt, Peter Groucutt outlines the steps companies should take to prepare for such incidents. A clear cyber incident response plan and maintaining frequent communication are critical.
The details of the attack on Aebi Schmidt remain light at this stage, but early reports suggest it was severe, with systems for manufacturing operations left inaccessible. The manufacturing sector has recently seen a number of targeted ransomware attacks using a new breed of ransomware known as LockerGoga. Norwegian aluminium producer Norsk Hydro and French engineering firm Altran have been hit in Europe. In the US, chemicals company Hexion was also attacked. The reasoning for these targets is clear – paralysing the IT systems for these businesses has an immediate effect on their production output. That means significant losses, potentially millions of dollars per day. Unlike mass ransomware attacks that might net the attacker a few hundred pounds, the ransom is correspondingly higher.
If you are hit by a ransomware attack, you have two options. You can either recover the information from a previous backup or pay the ransom. However, even if you pay the ransom, there is no guarantee you will actually get your data back, so the only way to be fully protected is to have historic backup copies of your data. When recovering from ransomware, your aims are to minimise both data loss and IT downtime. Defensive and preventative strategies are essential but outright prevention of ransomware is impossible. It is therefore vital to plan for how the organization will act when compromised to reduce the impact of attacks. Having an effective cyber incident response plan in place is critical to your recovery.
The Incident Response Team or Crisis Management team must have the authority to make large-scale, operational decisions to take systems offline in order to limit the spread of infection. And they must be able to make that decision very quickly. Once the ransomware has been isolated and contained, in order to begin eradication and recovery you must find when the ransomware installation occurred in order to be able to restore clean data from before the infection took hold. Once the most recent clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.
Communication is critical during this process. Looking at the recent Norsk Hydro ransomware attack, the level of communication provided was outstanding. They were honest and transparent with frequent updates. It might not be necessary to give the complete story all at once, (particularly as you’ll unlikely be in possession of all the facts) but sharing what you know is important. A lot can be learnt from Norsk Hydro’s example.
Firstly, simply acknowledging the problem is vital to getting on the front foot for crisis communications. This helps maintain goodwill with customers and the public. It also takes pressure off the team to focus on handling the issue itself rather than fielding questions from all angles. Over time you can then provide more information. This might include details on which business units have been impacted; root cause of the incident; containment and the progression made on the restoration of IT systems; what work-arounds you have in place to remain operational; and expectations on when you can resume production. Critically, you should end each update with details of when the next updates can be expected.
Providing this level of detail strengthens your position and confirms that – despite suffering an attack – you are very much in control. Norsk Hydro demonstrated this perfectly, showing the confidence it has in its cyber incident response plan. The result will probably mean, once the dust settles, its actions are likely to reduce the risk of heavy fines from regulators, limit reputational damage and even increase the likelihood of a pay-out from its cyber insurer.
Clearly, Norsk Hydro learnt some valuable lessons from attacks on giants such as the NHS, DLA Piper, WPP and Maersk. As more information comes to light from the attack on Aebi Schmidt it will be interesting to see what lessons they have learnt from others too.
Peter Groucutt is managing director of Databarracks.