‘If you’re hit, there’s only so much you can do to recover data’

13 May 2019361 Views

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Image: © kirill_makarov/Stock.adobe.com

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

How are hackers getting in? And what can people do about it? TechWatch editor Emily McDaid spoke to Simon Whittaker to find out more.

Belfast-based cybersecurity consultancy Vertical Structure is increasingly being approached by local SMEs to assist after their corporate data has been encrypted by hackers. The cybercriminals are looking to earn a ransom before they’ll unlock it – and it’s usually paid in cryptocurrency such as bitcoin, helping the hackers to remain anonymous.

It’s impossible to know how many local companies have been hit by ransomware, but evidence gathered by local cybersecurity professionals suggests that the incidences are not uncommon.

In one of the most high-profile ransomware attacks, WannaCry hit 80 NHS organisations, although it’s unclear if any of these were in Northern Ireland. In total, the financial hit to the NHS from WannaCry amounted to a reported £92m.

In that incident, the initial infection was likely through an exposed vulnerable internet-facing Server Message Block (SMB) port.

“Attacks aren’t only directed at large enterprises,” says Simon Whittaker, co-founder of Vertical Structure. “Oftentimes the hackers are only asking for a few thousand dollars in ransom, illustrating that they aren’t making a huge amount of money overall on these attacks, but the havoc, as well as monetary costs from cleaning up after an attack, can be devastating for a small company.”

Criminals will attack any open environment and there have been recent examples of attackers compromising virtualised servers, Whittaker says. Depending on strategies employed, even if a company has a data backup plan, the backups are impacted, too. “These ransomware infections can compromise a host/parent server, but this may compromise any child servers, too – in which case backups may also be lost,” says Whittaker.

Still, many organisations have woefully inadequate data backup strategies. “Sometimes companies only keep a backup for one day – and by the time the malware is discovered, the backup will already be written over with encrypted data, rendering it useless.”

“If you’re hit, there is only so much anyone (including law enforcement) can do to help recover data from a ransomware attack. The PSNI, especially, will help wherever possible and it is definitely best to contact them,” Whittaker says, noting that hackers are often located abroad.

close-up of man wearing thick-framed glasses and light blue shirt, standing outside against a stone wall.

Simon Whittaker. Image: TechWatch

So, how are these hackers getting in? It’s scarily easy in some cases, demonstrates Whittaker.

Most companies now, for good reason, desire employees to work remotely. Remote access is offered to employees, sometimes enabling them to get a desktop connection from anywhere. Using the common port for RDP (remote desktop protocol), a Shodan search brings up 61,650 in the UK and Ireland. The search – open and available to anyone on the internet – displays all the IP addresses, and in some cases even shows employees’ usernames.

“Without strict security protocol – including two-factor identification, very strong passwords or an extra level of protection – hackers can get into these accounts and take over the entirety of an organisation’s data,” says Whittaker. “Files, emails, documents – everything.”

Insecure RDP user accounts are easily found in the UK from organisations including a prominent charity, a well-known school, a medical trust, a travel website and many others.

The alarming thing is that, by knowing a username, that means employees could also be vulnerable. Brute-force methods of entry into a system can be deceptively simple using passwords available from previous breaches or simply ineffective password usage. Whittaker says: “This not only exposes the organisation to risk, it also exposes real people.

“We aren’t trying to spread scare stories,” he insists. “It’s about telling people what is here and what could happen, and how they can prevent it. We don’t want organisations to have to ring us up in desperate situations.”

Whittaker points to the National Cyber Security Centre for help. “Their user guides for small business are a great place to start.”

He goes on: “This is scary but it’s so preventable. Nobody is saying don’t allow users to work remotely – but if you’re going to have a remotely exposed machine, use a VPN, use two-factor authentication, make sure you have a suitable and updated antivirus protection. We also advise that organisations undergo a security and penetration test to understand their exposure.”

By Emily McDaid, editor, TechWatch

A version of this article originally appeared on TechWatch

TechWatch: The most significant tech developments in Northern Ireland brought to you by Catalyst. See wearecatalyst.org for more information.

editorial@siliconrepublic.com