Tuesday, 6 August 2019

What Can We Learn from the Eurofins Ransomware Case?

The largest private forensics provider in the UK has paid a ransom to hackers after a cyber-attack. Is this the new normal?

The largest private forensics provider in the UK has paid a ransom to hackers after its IT systems were compromised by a cyber-attack. Is this the new normal? And what can businesses learn from the Eurofins experience?

A ransomware attack on 2nd June brought the IT systems at Eurofins to a standstill.

Eurofins described the attack as “highly sophisticated and well resourced”. In an update on its blog, the company said: “one week after the attack, substantial progress has been made to put our systems back online and we continue to put all our efforts to get things back to normal as soon as possible.”

However, the BBC has subsequently reported that things were only getting “back to normal” because the company had paid a ransom fee to its hackers.

Why Would Eurofins Pay a Ransom?

Prior to the attack, the company was handling half of all the private forensic analysis in the UK, following the closure of the state-run Forensic Science Service in 2012. This amounted to around 70,000 criminal cases each year – including DNA analysis, toxicology, firearms analysis and computer forensics.

Eurofins has declined to comment on the BBC story and refused to confirm that a ransom has been paid. The National Crime Agency, which is investigating, also refused to comment further, saying it was a matter for the victim.

It’s true that paying a ransom fee in order to regain control of hacked computer systems is a tempting prospect for any organisation hit by this type of malicious attack. The alternative – to write off systems and report the data breach – is a costly and damaging one.

Eurofins maintains that its “internal and external IT forensics experts have not found evidence of any unauthorised theft or transfer of confidential client data.”

Nevertheless, since the hack the police have stopped all work with Eurofins.

Does Paying a Ransom Solve the Problem?

BBC reporter Danny Shaw stated on 5th July: “The ransom is likely to have been paid between 10th June, when Eurofins issued a lengthy statement about the attack, and 24th June when it published an optimistic update, saying it had ‘identified the variant of malware used’ in the attack and strengthened cyber-security.”

Should Eurofins have paid the ransom?

Jake Moore, cyber security specialist at ESET, told SC Media UK: “These attacks highlight the need for regular backups to be commonplace in all data-reliant businesses. In an ideal situation, Eurofins will have had a recent back-up to restore data which would have neutralised any negative effect on the company’s operations, beyond the inconvenience of having to restore their data from back-ups.”

However, without the necessary systems and processes in place, companies are left vulnerable.

Dr. Guy Bunker, CTO at Clearswift, told the magazine: “Hackers should not be trusted to honour a ransom agreement – they are criminals after all. Somewhere around 70 percent of companies who pay do not get their data back. Even if you do get it back, the malware is still in the network and can easily re-emerge at a later date to do it all again. The general advice is not to negotiate. However, we know some organisations do pay the ransom as they then find there is no way to recover their data.”

What Can You Do to Protect Your Business from Ransomware?

As the comments from Moore and Bunker suggest, the best defence an organisation can have against ransomware is good backup solutions and procedures, together with other preventative measures, including staff training.

The ease and low cost with which businesses can now implement good backup solutions mean that all organisations should put appropriate measures in place.

However, there are steps organisations can take to prevent ransomware becoming a problem in the first place.

The National Cyber Security Centre (NCSC) recommends that organisations be aware of the risk of falling victim to targeted ransomware attacks. It warns: “these can arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing).” It highlights unpatched vulnerabilities as another potential cause of the problem.

The NCSC’s recommendations for guarding against ransomware include:

• Defend against phishing attacks with a combination of technological, process and people-based defences.

• Manage and patch vulnerabilities.

• Control code execution to prevent unauthorised code running on compromised devices, e.g. by disabling all macros.

• Filter web-browsing traffic.

• Manage the use of removable media.

• Control user and permission management, including avoiding using system administrator logins for email or web browsing.

• Practise good access control; limit access to data and file systems to those who need it.

• Have a backup of your data.

• If you fall victim to fraud, contact www.actionfraud.police.uk

• Leverage the NCSC Cyber Incident Response scheme to gain access to crisis support from certified companies.

Significantly, the agency also warns about the long-term ramifications. It says: “If a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated?”

 

If you are worried about the security measures you have in place to guard against ransomware attacks, contact Grant McGregor today.

We can help you understand the risks and put a coherent plan in place to protect your assets.