After the firewall is breached…

The CTO of Devoteam M Cloud Denmark, Frank Mogensen, describes the risks and solutions for the wave of ransomware that is continuously attacking companies’ IT systems everywhere.

Enterprise IT is taken hostage by hackers

Today, a majority of companies are vulnerable to threats from a new wave of malware called ransomware. Unlike a traditional virus, ransomware does not primarily infect and destroy files. Instead it locks and encrypts IT-systems and takes the company’s data and operating systems hostage. The company is then forced to pay ransom to keep performing even the most basic tasks, such as serving their customers, shipping orders, or paying invoices. “The companies are frozen in place until they make a bitcoin payout to the hackers”, Frank Mogensen explains. He is Chief Technology Officer (CTO) for Devoteam M Cloud Denmark, who deliver Cloud solutions globally.

Ransomware is no new phenomenon – but the occurences have doubled since 2018, where attacks were on the rise with a 450% increase in one year. And the tendency continues. According to Frank, the increase is primarily due to two things: 1) The existence of malware toolkits online that even a 13-year-old is able to download and use to initiate their own attack – and earn a lot of money through. The hacker can sit behind a screen and an anonymous VPN circuit and pretend to be somebody else. 2) You can now pay someone to hack for you, through so called “Ransomware as a Service”. Frank adds: “As a hacker you can protect yourself better than ever before. It has become almost risk free to send e-mails with a ransomware attack. And it has the potential to make a very lucratice business…”

Intelligent phishing and a lightning fast infection

Frank explains that hackers access the enterprise systems via intelligent phishing. The hacker sends out an e-mail that looks fascinating or appears to have been sent from a trusted source. The e-mail includes a link, and when the employee on the receiving end clicks the link, it deploys code in the PC’s system – and lets the hacker into the machine. Then the attack intensifies with lightning speed: the hacker gains access to all the passwords cached in the PC and can immediately infect all machines on the network.

Ransomware spreads through all kinds of networks, open or encrypted. Even though your company has antivirus installed on all machines – maybe you have even updated the patches and closed holes in the system – you will not be protected against ransomware:

“Let’s just imagine that your system is completely updated. If I visit a random large-scale Danish company and use one of their laptops, I will most often be able to access all servers via the network – sometimes thousands of them. If I was an administrator in that company, had full access to the network, and was infected with ransomware, all servers would be infected in a timespan of 10 minutes. There is a 99% chance in the big ransomware attacks that the source of infection is a person with administrative rights. Even if the hackers use a cached login from a user PC. If you know that – why not protect yourself?” – Frank Mogensen, CTO

A hopelessly outdated security paradigm

An average Danish company most often uses perimeter safety, i.e. a firewall. That type of security is based on the idea that everything inside the firewall is safe, and that everything outside it is not. This has consequences when a hacker manages to scale the digital walls. Once inside, the hacker has free access to all servers and systems. A virus of this type can spread like a wildfire: ransomware can infect 5000 servers in less than 10 minutes. Frank warns companies not to rely on firewalls and traditional antivirus programs:

“Those security solutions are hopelessly outdated. Firewalls and antivirus programs must know the characteristics of specific ransomware attacks to properly combat them. It’s a bit like a biological virus and a vaccine – you need to know the RNA of the virus to make a vaccine. But because ransomware is built to mutate heavily, it becomes impossible to prepare the security model to recognize the attacker and avert the threat in time. In this way, the safety of your company’s IT platform is put on the discernment of the individual employee – and that is a huge risk to run!” Frank Mogensen, CTO

Ransomware hackers are not just hostage takers – they are also thieves

Even if your company pays the ransom after a ransomware attack, there is no guarantee that you regain access to your IT systems:

“Around 50% of ransomware is designed to steal the data they encrypt. They high-speed spool data out of the company through anonymous proxies and relays, which makes it impossible to track the process. It is not a question of just restoring the system from last week to make everything ‘good again’. Everything will not be good again. All of the company’s data are copied and can be sold to competitors. All passwords from every login ever made is in the hands of others.” – Frank Mogensen, CTO

It is possible to protect on-premise IT from ransomware attacts, but it is a complicated task because everything in the system from the starting point is open and connected. In Cloud, the structure is reversed – everything is closed and requires permission to connect internally. Frank elaborates: “Everything in Cloud is microsegmented and built on a Zero-Trust security paradigm. On-premise servers are all put on a network string where they can communicate unrestrained with one another. Nothing is able to communicate in Cloud, unless you specifically allow individual servers or servergroups to connect.”

This means that only the employees that need access to a specific application are allowed in. Similarly, it is possible to limit the administrative rights through PIM (Priviledged Identity Management), where the access to a specific server is only delivered to the employee on request. The hacker is consequently only given access to a small part of the IT system – and the Cloud solution is able to survive the ransomware attack unharmed.

What can a company do to ensure protection against ransomware?

According to Frank, the only thing to do if you have already been hit by ransomware and cannot afford downtime is to pay the hackers and hope for the best. Alternatively, you have to reinstall or restore all IT systems as you can never be sure of having found every infected point. This can take anywhere from 14 days to three months depending on the size of the business IT. As a company you then have the option to protect yourself better in the future. And if you are already at a point where you have to restore the entire system, you have the option to do it in the Cloud on closed, isolated networks, Frank suggests. With Zero-Trust protection in Cloud you also isolate possible threats that might linger in the system.

With Cloud solutions it is possible to run the business on SaaS (Software as a Service) or PaaS (Platform as a Service) and thereby avoid the risks tied to on-premise servers. Frank describes it as a future-proofing of the business and emphasizes that the savings on protection against hackers alone makes it valuable to transition to Cloud. Your company will also have the opportunity to make a Business Disaster Recovery in Cloud, if you want to keep your on-premise environment. The solution will preserve the system in a closed environment as it was immediately predating the attack.

Can you live with losing your data? What do you want to do about it?

Business Disaster Recovery works by having a piece of software synchronize the entire server with Cloud in a condition where it is not running and does not cost the company any money. When the system is fully synchronized, only changes – so-called delta data – are synchronized to the Cloud. The servers can then be restored with as little displacement as an hour. It is also possible to run back the synchronization and chose the exact time from which to restore the system.

A solution like that makes it less critical to uncover an attack in the later stages, but, as Frank says: “It is only a backup – not real protection. As a company you have to ask yourself the important questions: Can you live with the fact that you have lost your data? That others have them? And what do you want to do about it? With a full Cloud solution you protect your intellectual property from the get go. You also protect your passwords and your customer information against being taken hostage and stolen by ransomware hackers.”