Published on the 25/06/2018 | Written by Heather Wright
Road Transport Forum fesses up to paying up after ransomware attack…
The Road Transport Forum has fessed up to paying ‘quite a sum of money’ to the baddies after being hit by crypto-ransomware. Their actions go against the recommended practice of not giving in to the ransom demands, but what’s a business to do when they lose their entire system to ransomware?
In RTF’s case the ransomware ‘completely knocked out our entire computer system – files, emails, everything’, according to CEO Ken Shirley, who wrote about the situation in Contractor magazine.
RTF, which represents freight operators across New Zealand, believes the ransomware came in through a remote access portal used to externally administer the system.
Shirley said the situation took several days to resolve. “Unfortunately, and somewhat against my better judgement, it also involved the fairly grubby business of actually paying the crooks off with the ransom. They say never negotiate with terrorists but in this instance we were left with little choice.”
“They say never negotiate with terrorists but in this instance we were left with little choice.”
RTF isn’t the only transport related organisation affected by ransomware in recent months.
Cert NZ, the cyber security arm of MBIE, notes in its 2018 Q1 that a transport operator was among the nine companies to log ransomware attacks with Cert in the first three months of this year.
In their case, the unnamed company was hit by David, one of two new variants, alongside Rapid, seen for the first time in New Zealand in Q1.
Cert says all files on the transport operator’s site were encrypted with the ransom demand shown as a simple text screen telling the company that to decrypt files they would need to buy ‘special software’.
In this case, however, it appears the company didn’t have to pay the ransom. Why? Because it ran daily backups which helped minimise the impact of the attack. So instead of paying out, the company replaced the computer, restored the data from backups – and made sure it changed all local administrator credentials and implemented additional security controls where remote access was required.
Cert NZ advises against paying ransoms, noting that even if you pay, there’s no guarantee the de-encryption keys will work or that you’ll get your data back.
Erica Anderson, Cert NZ senior incident manager, also points out that even if the files are returned, they may contain further types of malware that could infect your system.
“If a business has paid a ransom and received their files back, it’s important that they have the computer professionally inspected by an IT expert to determine if the attacker has planted any other malware on the computer, or if the attacker has created another way to access the computer and the business’ data,” Anderson said.
“They should also work with the professional to identify how the ransomware got onto the computer in the first place to prevent if from happening again,” she added.
It’s also not un-heard of for a repeat performance for those who pay the ransom – afterall, if you’ve paid once, you’ll pay again, right?
Like other cyber security issues, ransomware is easier dealt with by prevention, rather than cure.
“Protecting your business from ransomware is a matter of following simple steps, like having good backups and keeping software and operating systems patched and up-to-date,” Anderson said.
“Attackers don’t typically target specific sectors, instead they’re more likely to be financially motivated. An attacker who is trying to spread ransomware to make money is going to target computers that are easy to attack, for example computers that aren’t up-to-date,” she said.
For RTF, it’s been a hard learned lesson – and hopefully one that now has been learned.