Not if, but when. Ransomware on the rise.

Protecting your organisation starts with protecting your data.

Ransomware. It wasn’t that long ago that it was a thing that happened to other people, often the big corporates, the blue chips in America. But not us in little old New Zealand/Aotearoa. We would occasionally hear it mentioned on the news in passing, or on page 10 of the paper. Leap forward to 2021, the year of COVID-19, of lockdowns and the now ubiquitous phrase ‘you are on mute’. The number of attacks made public on local organisations has increased. The biggest single target being the Waikato DHB. They estimate it taking another 2 years before they are back to where they were. 

And at the start of July international software company Kaseya had their remote management tools hijacked to deliver ransomware to unsuspecting victims. This new development is concerning, because the end users did not do anything wrong, nor did the support organisations. 

So what can we learn from these high-profile attacks, and what steps can we take to reduce the risk you are next? The number one thing to do if you haven’t already is to turn on multi-factor authentication (MFA) for all system administrators at a minimum, and preferably all staff. If you have a software platform that doesn’t support MFA you need to be asking questions of the vendor. If you have the choice of methods, using an app on your phone is top of the list, followed by a third party rotating key token (banks often use these). The worst options are receiving an email or text message – neither of these two options are secure. 

Ensure you are backing up your data. This includes Office365 and Google Workplace content. Not all backups are created equal though. Your backups should be going to an offsite location, retained for at least 60 days, and tested. It is no good making a copy of everything to a local hard drive if there is a fire! And no good backing things up if you cannot restore it. In the ideal world backup systems would be air-gapped from the source, and write permissions only allowed to the backup solution. These backups should be monitored and any anomalies investigated. Its common for attackers to quietly infect a system, then wait a month or more for all backups to also be infected before attacking. Look for larger than usual backup sizes, and odd looking content. Artificial Intelligence (AI) bots exist that can do this for you. For those with on-premise servers, ensure your DNS and Active Directory are included in the backups, and ideally locked away separately in a vault (software or physical) so you can quickly recover your infrastructure. 

Review who has access to what. You shouldn’t have more than three super-admins/global admins in any system, and these should be protected with MFA. Also review who has remote access into your systems, either using a VPN or some other method. Separate out the different administrative roles so breaching one account will not open the floodgates. 

Microsoft have a global threat activity website that shows cyber-threat activity for the last 30 days. Disturbingly education makes up of 60% of all recent encounters. 

Cyberthreats, viruses, and malware – Microsoft Security Intelligence