When news that the HSE had been hit by a major ransomware attack broke, there would have been plenty of companies around the State that knew exactly what chaos was unfolding.
In recent weeks, a number of high-profile cyberattacks have occurred at Irish businesses, hitting everything from major engineering companies to third-level institutions.
In the wake of the HSE incident, it emerged that the Department of Health was also subject to a similar attack, and packaging company Ardagh revealed it had also been hit by an online attack that forced it to shut down its systems, although the exact nature of this last incident has not yet been confirmed.
At the very least, such an attack causes major disruption to companies and employees; at worst, companies are looking at the loss of data, potential damage to their reputation, and the monetary cost of rebuilding systems, as well as loss of revenue caused by the business interruption.
Ransomware is a type of malware that can attack systems and encrypt data, releasing it only when a ransom, typically in cryptocurrency, is paid. And these days there is an additional risk, with the potential theft and sale of data on the table, and the risk that it could be published online.
The HSE has refused to pay the ransom demand, and cybersecurity officials are said to be monitoring the dark web for evidence of data from the attack being dumped online.
Ransomware is nothing new. In 2017, the NHS in Britain was hit by the WannaCry ransomware, crippling computers throughout the trust and spreading to more than 150 countries.
But the problem seems to have exploded in recent months.
"In 25 years, I haven't seen anything like what we're seeing since January this year," said Steve MacNicholas, chief executive of Ekco Ireland, specialists in disaster recovery. "We're talking multiple attacks in Irish businesses on a weekly basis. We normally see a couple a year. But we've worked on five specific instances this year alone, and we're in the middle of May. It's definitely unprecedented."
Part of the issue, he says, is the soaring value of cryptocurrency. Not only is the digital currency not easily traced, it is also growing in value, making it an attractive option for opportunistic crooks.
Blame the pandemic and its disruption, blame the soaring value of cryptocurrency; it all adds up to the same thing. We have a serious problem on our hands.
What to do?
To pay or not to pay? That’s the question facing victims. Paying the ransom is generally not advised and, in the case of the HSE, it is unlikely to happen. Not only are you not guaranteed to regain access to your files and data, but it also creates a market for criminals who now know you are willing to pay up.
“There’s no guarantee that when the ransom is paid or partially paid that they are going to be honourable and release the encryption keys to you. Therefore, the only resource for organisations is to rebuild their infrastructure. That’s where the pain really starts. Everything has to be cleaned, all devices, all servers.”
That’s a process that can take weeks. Back-ups need to be checked to make sure they are clean of the ransomware before systems are restored. Attackers could have been in systems for weeks, warned Conor Scolard, technical director of Ekco Ireland, and they may have infiltrated the back-ups too.
With such incidents coming more frequently, we may see a return to more traditional cybersecurity practices, including a failsafe for the back-ups that is on a separate system.
It’s not just big companies that are being targeted. The owner of one small business, who did not want to be named, found herself in an impossible position when its systems were crippled by a ransomware attack a couple of years ago.
Although the company had a back-up system for all its files, it had failed. The company had no access to its client list, ongoing business or plans for the coming months.
“By the time we noticed, it was too late,” the company’s founder said. “They got into everything. It was hugely stressful.”
With the ransom increasing as a deadline approached, the clock was ticking and a decision had to be made. “Nobody could help us. I paid it; it was a gamble. It was nine years of work gone otherwise,” she said. “It could have been the end of the company.”
The company got lucky; the data was released.
“Once I paid, their ‘customer service’ was amazing; they couldn’t have been more helpful. It was the most bizarre experience I’ve gone through,” she said, “hopefully never to be repeated, though.”
The company now has strict policies on the use of work equipment for personal use, and has beefed up its security. “We learned from it. It’s always on my mind. When we are working with a company, one of my first questions is: ‘Where’s your back-up? What’s the impact on my company if you’re hacked?’”
In an increasingly digital world, there is no way to cut the ransomware risk to absolute zero. But there are ways to reduce the risk to your personal data and your business.
Keep your security up to date
Stop ignoring those reminders that your software needs to be updated. Critical security updates need to be taken seriously, and failing to install them could leave your systems vulnerable. That chink in the armour may be the only way the hackers can get in and it can be devastating for a small company.
Make sure your systems are as protected as possible, with antivirus software and firewalls. And don’t forget to regularly update those too.
Educate staff – and yourself
People are the weakest link in security. Although systems can be cracked with a bit of effort, the easiest way into a company's system is through social engineering, by fooling employees into clicking on an infected link or opening a site that installs some malware on machines.
Regular education sessions and reminders on cybersecurity could be of benefit, and may help you avert disaster.
Use strong passwords
Prevention is better than cure. If you want to keep people out of your systems, strong passwords are one line of defence, along with two-factor authentication. It's not foolproof, but closing off potential points of entry can make your systems less attractive to hackers.
Don't give out personal information
Along the same lines as the previous tip, try to limit the amount of personal information you give out online. If an attacker is trying to find a way into your system, personal details they can glean from your online activity could give them what they need to fool you into revealing confidential information. The less that's out there, the lower the chance of this happening.
Don't click on attachments without checking the source
Suspicious attachments that come unsolicited are always to be avoided. But some are easier to spot than others. For example, an attachment from a complete stranger you have never interacted with will immediately raise suspicion. But what about an email from a known business or personal contact? That may not set off alarm bells, but it could easily be infected.
Scan attachments for malware, and if in doubt, contact the sender through legitimate channels. Yes, it’s tiresome. But if the choice is between your company’s security and a few extra minutes to check the legitimacy of a file, it’s worth it.
Test your plan
You may feel confident in your bulletproof back-up system, but have you tested your disaster recovery and business continuity plan? Companies often don't. When you most need your recovery plan to kick in seamlessly, you might discover it's not quite as easy as you thought it might be. Worst-case scenario, you may discover that your back-ups are inadequate or not fit for purpose.
Keep auditing
Every few months it's a good idea to check in on your security practices, and identify any potential weaknesses in your plans. Security is not a static thing. With the threat landscape constantly evolving, so too should your defences.
That means keeping an eye on what devices are connected to your accounts and systems, and removing access for old devices when they are no longer needed.