A Canadian military and government contractor allegedly suffered a significant ransomware attack in December 2019. The unfortunate target was Bird Construction, a Toronto-based firm that secured 48 contracts worth $406 million with Canada’s Department of National Defence between 2006 and 2015, according to InfoSecurity Magazine.
The InfoSecurity report suggests the construction firm had 60GB of data stolen and encrypted by the hacking group MAZE, which then demanded a ransom for data restoration. A Bird Construction company spokesperson told the Canadian Broadcasting Corporation: “Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files.”
As that comment would suggest, Bird Construction was somewhat prepared to deal with the ransomware attack. They were able to respond to it, and they could call on cyber security experts to help them with data recovery. Unfortunately, not all businesses are so prepared. Many get hit and then fall into a state of panicked inertia, too concerned with the ‘how’ and ‘why,’ and too scared of making missteps in response.
When it comes to ransomware mitigation best practices, companies need to “be prepared, and go through the exercises,” according to Ben Demonte, managing director and North America leader for Kroll’s Cyber Risk Practice. Speaking at NetDiligence’s Cyber Risk Summit in Toronto, he said: “You’ve got to take it from beginning to end. OK, a ransomware attack has occurred, so what do we do as an organization? Who’s going to make the decision? What systems are we going to get back online? What are we willing to pay? Who is outside counsel? Who is the forensic company and how soon can they start?
“There’s enough data out there from all these events that have occurred, to really put together a good plan. Now, [a plan isn’t] going to cover everything. There are always going to be challenges. For example, data exfiltration often throws a little bit of a curveball, but you can prepare for it or, at least, have a good idea of where to move forward. And you have to take it from the business interruption that occurs day one all the way to potential notification (depending on jurisdiction).”
Part of being prepared for a ransomware attack is having a complete incident response plan, according to fellow NetDiligence panellist Alex Holdtman, CTO & co-founder at Coveware. This sometimes involves tabletop exercises that pull in leaders from business units across the organization to make sure that communications and goals are understood.
“Going from beginning to end is very important,” he said. “For example, someone from HR reports a buggy machine. How do you handle that? What does that ticket flow look like? How quickly can IT make that a priority if it does turn out to be ransomware? Can you verify that it has not spread beyond HR? Can you contain it quickly? Because it’s an existential threat, [these tabletop exercises help] financial decision makers [understand the risk] and plan accordingly for if [ransomware] does become a threat that’s on the radar. These exercises can be expensive in that they involve leaders throughout the organization, but I think they’re worth significantly more than the costs.”
Some organizations fall into the trap of thinking they’re not important or not big enough to fall victim to a ransomware attack. In today’s high-severity cyber risk landscape, everybody is at risk, according to Francine Armel, focus group leader – international specialties, Beazley Canada Limited.
“I think historically, some organizations may have said: ‘I’m never going to be the target of a ransomware attack, so I’ll have a plan in place but I’m not so concerned.’ That’s not really the way it works,” said Armel. “Granted, some organizations may actually be targets, be it for political reasons or for other reasons, but some of them are not. It’s just a hacker sitting in a basement, running a program to hit on a bunch of computers. So, everyone’s vulnerable.
“I would approach it perhaps pessimistically from the view that your business will be the subject of someone trying to infiltrate it with some kind of ransomware. So, start with that proposition and then build up your plan around that. It’s not a question about: ‘We’re not going to be touched.’ Assume that you will be, and plan what you have in place to prevent it, and how ready are you to respond to that attack when it actually happens.”