We look at the lessons to be learned from our investigation into a South West based construction company who lost years of financial data from a ransomware attack.
“Think about how much you rely on your business-critical data, such as customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them.”
This advice from the National Cyber Security Centre’s Small Business Guide emphasises just how vital backing up your data is, and unfortunately the rising number of successful ransomware attacks is exposing how few companies have suitable processes in place.
We’re currently investigating a small family run construction business in the South West who suffered a ransomware attack on their server. Unfortunately, this attack was particularly damaging, as it resulted in the encryption of their SAGE financial records, meaning approximately 6 years’ worth of financial and operational data was lost. This meant they were unable to pay invoices, unsure what invoices had been paid, and in the dark as to what the current funding was for future projects.
At the back end of last year the company’s online credentials were compromised via a Remote Desktop Protocol (RDP) brute force attack, allowing the perpetrator to access their network and upload ransomware. Their files were then encrypted, and as they had no backups to restore their data from, they lost a significant amount of valuable information. What’s frustrating is that there are a number of steps that could have been taken to prevent this from happening.
#1 - RDP (Know the Risks)
RDP is a protocol that allows access to another computer over a network (LAN or WAN), and is commonly used for remote working and/or providing IT support to other users in a network. However, there can be significant associated risks, particularly as unguarded remote desktops are quickly becoming the favoured point of entry amongst hackers.
Here are some points to consider if you are using RDP:
- Reallocate the RDP port, so that it can't be as easily guessed by a potential attacker
- Open the ports only at certain times, e.g. during working hours, and close them out of office hours
- Use a Virtual Private Network (VPN) connection to access your network more securely
- Ask whether you need RDP at all: if your business has no use for it, block the RDP ports altogether
#2 - Stronger passwords
Attackers need login credentials to gain access to networks, which is why they often employ brute force attacks to guess them. Brute force attacks effectively work through trial and error on a mass scale (imagine a burglar with a few hundred thousand keys, using them one after the other in an attempt to unlock your front door). This is why it’s crucial to use stronger, more complex passwords with RDP. In this case an easy password was used to access the network – one that only took a few hours to crack. There are plenty of resources on good password habits - here are a few pieces of advice to start with:
- Make passwords unique - the NCSC and Cyber Aware campaign recommend using three random words (e.g. coffeetrainfish), or misspelling words (e.g. choklutt)
- Ensure password rules are in place: reset after a set number of days, “Password” can’t be used, and passwords can’t be blank
- Consider using a password manager
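The brute force attempt described in #1 and #2 leaves a clear trail in the server's own Windows Security log, if anyone is looking at it. The script below is an added example, not part of the original article or the unit's own material: it reads constructed log entries (Windows records a failed logon as Event ID 4625 and a successful one as 4624; logon type 10 marks an RDP session and the record carries the client's source address), counts failures per source address in a sliding window, flags bursts that fall outside the office hours suggested in #1, and reports whether a successful RDP logon from the same source followed the burst. The CSV layout, thresholds, office hours and addresses are assumptions made for the example.

```python
"""Added example (not from the original article): recognising an RDP
brute-force attempt in Windows Security log entries.

Windows logs every failed logon as Event ID 4625 and every successful one
as 4624; logon type 10 (RemoteInteractive) marks an RDP session and the
record carries the client's source address.  The entries used here are
constructed for this example in a simplified CSV form:
    timestamp,event_id,logon_type,username,source_ip
rather than real EVTX output.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

OFFICE_HOURS = (time(8, 0), time(18, 0))   # assumed working day (point #1: close RDP outside it)
FAILURE_THRESHOLD = 20                     # failed logons from one source within WINDOW
WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed log: one genuine typo during the day, then a night-time burst."""
    lines = [
        "2019-11-04T09:02:11,4625,10,j.smith,192.0.2.10",   # staff member mistypes once
        "2019-11-04T09:02:40,4624,10,j.smith,192.0.2.10",   # ...and then logs on normally
    ]
    names = ["administrator", "admin", "sage", "office", "user"]  # commonly guessed account names
    t0 = datetime(2019, 11, 2, 2, 14, 1)
    for i in range(30):                                   # 30 failures in under five minutes
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts},4625,10,{names[i % len(names)]},203.0.113.45")
    # a successful RDP logon from the same source after the burst: the password was guessed
    lines.append("2019-11-02T02:21:05,4624,10,administrator,203.0.113.45")
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.strip().split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "src": src})
    return events


def outside_office_hours(ts):
    start, end = OFFICE_HOURS
    return not (start <= ts.time() < end)


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources with >= threshold RDP failures in any window."""
    rdp = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] == 10:                        # RDP sessions only
            rdp[ev["src"]].append(ev)

    alerts = {}
    for src, evs in rdp.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        # sliding window: widest run of failures whose first and last fall within `window`
        best, best_start, start = 0, 0, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, start
        if best < threshold:
            continue
        burst = fails[best_start:best_start + best]
        last_fail = burst[-1]["time"]
        alerts[src] = {
            "failures": best,
            "usernames": sorted({e["user"] for e in burst}),
            "first": burst[0]["time"],
            "last": last_fail,
            "out_of_hours": outside_office_hours(burst[0]["time"]),
            # the signal that matters most: did a logon succeed right after the guessing?
            "success_after_burst": any(e["event_id"] == 4624 and e["time"] > last_fail for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(build_sample_log())).items():
        print(f"{src}: {info['failures']} RDP failures {info['first']:%H:%M}-{info['last']:%H:%M}, "
              f"accounts tried {info['usernames']}, out of hours={info['out_of_hours']}, "
              f"success afterwards={info['success_after_burst']}")
```

A burst of failures against several account names from one address, at two in the morning, followed by a success, is exactly the sequence this case followed; a successful logon after such a burst should be treated as a compromised account, not a user who finally remembered their password. On a real server the same fields come from the Security log (Get-WinEvent or an event forwarder) rather than a CSV.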
#3 - Back it up
Realistically, you can employ all of the above measures to prevent an attack, but you can’t be 100% safe. This is why one of the most important things you can do is to make backups of your data. In the case of this organisation, there was a failure to back up their part of the server. The company employed an external IT professional, and never themselves carried out a network audit to identify and understand what devices (internal or external) they were responsible for, or what data they held and needed to back up.
Remember that a backup should not be permanently connected to the network, otherwise ransomware can encrypt it along with the live data, so only back up what you need to continue running the business. Don't forget to always test your backup by using it to restore a standalone server or computer.
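Testing a restore is only meaningful if you can tell whether what came back matches what was backed up. The script below is an added example, not part of the original article or the unit's material: it records a SHA-256 checksum manifest when the backup is taken and, after a test restore onto a standalone machine, compares the restored tree against it, reporting files that are missing, altered or unexpected. The files, directory names and the tampering it simulates are constructed in a temporary directory for the example; they are not the company's actual data.

```python
"""Added example (not from the original article): checking that a backup
really can be restored.

A manifest of SHA-256 checksums is recorded when the backup is taken; after a
test restore onto a standalone machine, the restored tree is compared against
it.  The files here are constructed in a temporary directory and the names are
assumptions, not the company's actual data.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (store it with the backup)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    found = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(found))          # in the backup, not restored
    unexpected = sorted(set(found) - set(manifest))       # restored, but never backed up
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    return {"ok": not (missing or modified), "missing": missing,
            "modified": modified, "unexpected": unexpected}


def demo():
    """Constructed scenario: a clean restore, then a restore from a copy that ransomware reached."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "accounts").mkdir(parents=True)
        (live / "quotes").mkdir()
        (live / "accounts" / "ledger-2019.dat").write_bytes(b"constructed ledger record\n" * 50)
        (live / "quotes" / "q-1042.txt").write_text("Quote 1042: roofing, 4200 GBP\n")
        manifest = build_manifest(live)            # taken when the backup is made

        shutil.copytree(live, restored)            # a good restore reproduces every byte
        good = verify_restore(manifest, restored)

        # Simulate a backup that stayed connected to the network and was encrypted too:
        # one file renamed with an extra extension and overwritten, another silently altered.
        locked = restored / "accounts" / "ledger-2019.dat.locked"
        (restored / "accounts" / "ledger-2019.dat").rename(locked)
        locked.write_bytes(os.urandom(64))
        (restored / "quotes" / "q-1042.txt").write_text("Quote 1042: roofing, 4200 GBP [unreadable]\n")
        bad = verify_restore(manifest, restored)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore ok:", good["ok"])
    print("tampered restore ok:", bad["ok"], "missing:", bad["missing"],
          "modified:", bad["modified"], "unexpected:", bad["unexpected"])
```

Keep the manifest with the offline backup, not on the live server: if the manifest itself can be encrypted or rewritten along with the data, the check proves nothing. A restore that passes this comparison on a standalone machine is the evidence that the business could actually recover.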
A quick word on GDPR
The General Data Protection Regulation (GDPR) comes into effect in May of this year, and will heavily penalise organisations who fail to securely manage personal data. When the law comes into effect, the cost of losing your customers’ data will likely be much higher than the ransom you pay to get it back. For more information, visit https://www.eugdpr.org/key-changes.html
The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, follow us here, on LinkedIn and on Twitter (@swrccu).
We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real time cyber threat information in a secure, confidential and dynamic environment https://www.ncsc.gov.uk/cisp.