With the resurgence and increase of ransomware attacks, organisations should stop to consider how a cyber-incident could impact their business, as most recently highlighted by the cyber-attack on Toll Group.
Having been on the front line investigating several ransomware attacks for clients, we have seen firsthand the issues they can cause, the permanent loss of information, and the privacy implications of such an attack. It is important to understand the motivation behind these attacks and to know what steps need to be taken once an incident has occurred.
Ransomware can be much more than an attempt to extort an organisation for money
The general assumption that ransomware has been executed for the sole purpose of obtaining a financial benefit is often incorrect. Based on our experience, hackers will often execute a ransomware attack following an extended compromise of a network, in an attempt to ‘cover their tracks’ or throw the organisation ‘off their scent’. Exfiltration of sensitive information may have been the actual target, and a ransom payment in Bitcoin may be only the cherry on top.
Once the attack has taken place, a thorough investigation is critical to understanding what occurred during the compromise and to ensuring that all obligations under the Notifiable Data Breach Scheme or the Privacy Act legislation are being met.
Preserving your organisation’s most valuable asset
Following a ransomware attack, it can be tempting to start rebuilding endpoints and servers to try to get back to business operations as quickly as possible. However, consideration needs to be given to the preservation of systems and log files, which may help in identifying the actions taken by an attacker during an incident.
Preservation of information will be key in identifying this behaviour and quantifying the extent of what information may have been exposed or taken during an event. Without these key pieces of information, it may not be possible to understand the true extent of an attack until intellectual property, customer, or employee information potentially ends up for sale on the dark web.
Having a well-designed and rehearsed Incident Response Plan is crucial to effectively investigating these types of incidents and is often one of the first steps on a path to recovery.