PetitPotam is IT security’s newest grand malIt seems slightly ironic that the age of COVID-19 has cultivated an increase in another kind of Pandemic, ransomware. Over the last 18 months the growth of organisations targeted by ransom attacks has grown exponentially and many are grappling with how to defend or protect against this onslaught.
The truth is, planning and preparing for recovery is as best as we can hope for at the moment, with the number of new variants of ransomware surfacing monthly making it exceptionally difficult to prevent attacks.
PetitPotam is the latest exploit to be revealed, a ransomware that is gaining ground. Known as the LockFile ransomware, it was first discovered in July, but has shown attacks as recently as last week. This new ransomware “variant” appears to target networks through Microsoft Exchange servers with some suggesting it exploits ProxyShell for this access. While the Exchange exploit has been patched, it appears that this has not completely solved the problem. Security powerhouse Symantec details this exploit in its Threat Intelligence blog.
With zero-day attacks like these on the rise – South Africa is in the top 5 targeted countries for attacks like these – it seems likely that IT Security teams will be working around the clock locally to try and prevent LockFile from infiltrating their own networks.
But to beat the same drum as we have for some time now; it seems only a matter of time before a local company is infected with either LockFile or some other new ransomware variant.
Companies need to plan for the “when” rather than consider the “if” of being attacked.
Like COVID-19, inoculation against these variant threats will only provide a certain amount of protection, but it does help to prevent the worst-case scenario from becoming a reality.
No company wants to consider what it will mean if they lose their data to a ransomware attack, but the consideration must be made – what will happen to your deliveries, your ability to serve customers when you face an attack? What is the cost of recovering that data, from ransom being paid through to time of skills or production and service losses to customers? Recent Sophos research showed that the average cost globally for a company hit by ransomware in 2020 was US$1.85 million or close to R27 million.
The trouble is, ransomware attacks are getting increasingly hard to stop, their sophistication, number of variants and stealth are consistently growing. In many instances, the ransomware hides dormant within networks for weeks, sometimes months, ensuring that they are well and truly solidified in organisations’ backups. This makes a clean recovery impossible, leaving businesses with the choice of paying ransom or losing everything.
What the exploit in PetitPotam has shown, is that the ransomware pandemic is here to stay; yet another new exploit in a string of exploits with no known cure as yet. Just in the last week, threat analysts have put warnings out for Hive and Karma, and in July there was Babuk, Haron, Teslarvng – all viral ransomware variants that have been active.
Inoculation, in the sense of a cyber resilience plan, an extension of disaster recovery, if you will, is now an organisation’s best option for a total recovery in the event of being infected. Within a resilience plan, organisations can prepare for a cyber-attack by holding an air-gapped, immutable “golden copy” of critical data, that is free from interference. Ideally this copy should be analysed by overarching AI or machine learning technologies that can detect anomalies and changes and prevent them from infecting data.
It’s technologies like these that will assist companies in their data resilience and recovery efforts after they have been attacked.
Planning both for prevention and recovery is essential and requires that the right skills be brought together in the same room. From IT Security and Data Managers through to Risk, Compliance and even the Board; everyone needs to come together to decide how best to plan for a cyber-attack, and what to do “when” it happens.
Global security players are researching the LockFile ransomware with haste, but it will likely not be long before a new variant begins to spread. The question is, will your business be ready?
By Mike Styer, GlassHouse South Africa Country Manager