Ever wondered what it’s like to experience a cyber-attack? Want to know what the warning signs are? This article recreates a typical ransomware attack scenario of what a business may go through in the first 24 hours when experiencing a data breach.
The Scenario
Fictional high street shoe retailer Shoes-4-U, with branches in every town nationwide, has recently received an email from a supplier. Thinking it’s legitimate, a member of staff at Head Office clicks on the attachment. It looks like some regular mail about a change to a website so the staff member just deletes the email and carries on. However, a couple of weeks later, funny things start happening to their IT systems…
Friday, 8:20am
Will Jackson, Branch Manager at Smallton High Street, has just got into work and is routinely checking his diary for the day. After seeing he has a 9am appointment with a customer for a new pair of personalised trainers, he goes to the online database to view their details. For some reason, the files cannot be accessed. He decides to call the IT Manager at Head Office, Harry Carroll, to investigate the problem.
After hearing from Will, Harry checks his emails to see if any other branches are experiencing the same issue. Whilst looking through, one email stands out. The description reads, ‘Pay up, or else…’. He clicks on the email, reading that the sender is claiming to have hacked their database and is threatening to release the details of all their customers onto the dark web.
As Harry reads on, he learns the ransom demanded to release the systems and reclaim access to the company data is 10 Bitcoins. In the absence of payment by midnight that night, all data will be shared on the dark web and subsequently deleted from the company’s system.
“This is not good”, says Harry to himself. He hopes it’s fake, but what if it’s real? He hasn’t updated the company’s security solutions since last year, but they’ve never been breached before. How did this happen? He goes to talk to his boss to report the issue before remembering something: 2 weeks ago a staff member mentioned an email with an attachment that appeared to have no content. Of course, they only realised this after they had clicked on the attachment, but nothing happened at the time so they thought it was okay. Harry now starts to realise he probably should have looked into this more closely.
Friday, 9:30am
“Sophia, I think we might have an issue…,” says a concerned Harry on the phone to his Chief Information Security Officer Sophia Pilling. He explains that he thinks they have been subject to a ransomware attack.
“Right, this sounds serious. We’d better tell legal to see what the consequences are if this guy is telling the truth. Get Mik into the meeting too, we need to know what to tell the press if more branches and customers start finding out.”
With all 4 concerned employees in the meeting room, they start discussing the best course of action.
“If this threat is real, we’re obligated to report it to the authorities,” opens Josie Paver, In-House Lawyer for Shoes-4-U, “If it contains personally identifiable information then we could be violating the GDPR”.
“As soon as this gets out, it’s going to ruin our sales. No one will want to buy from us again, whether online or in-store. We need to approach this situation very carefully,” explains Mik Patel, Head of Communications and PR.
“So, what can we do?” asks a scared Harry.
“Well, we will have to pay the fine. But this breach could ruin our reputation and the company would lose a lot more money. Not to mention the compromised data, that could have serious ramifications for the customers,” said Sophia.
Friday, 1:00pm
The calls and emails have been coming in all morning from different branches reporting a system failure. Frustrated employees keep asking questions, like, “When will it be fixed?” and “Has something bad happened?” Harry is unsure what to reply.
The customer accounts on the website have been compromised, yet Mik advises not drawing attention to themselves just yet, so leaves the website up. She has drafted a statement on what to say to the media should they need to but doesn’t want to release it yet so as not to get any bad press.
Josie knows the legal consequences of a data breach (she’s heard all about them in the news), but she also understands how bad this is for the business, so she is not going to take any action yet. With more time they can gather more information and fully assess what happened, and if they regain the data then at least there will be some positive news. But is it better to report it now and put the company’s reputation on the line, or to report it later and be accused of non-compliance with the GDPR?
Friday, 4:30pm
Despite Shoes-4-U’s early Friday finish policy, the group is called together again, where Harry shares the email.
“So, in today’s exchange rate, 10 Bitcoins are equivalent to just over 48 and a half grand,” sighs Sophia, “and even if we do pay it we’d lose thousands in revenue and reputation damage.”
“What security measures are currently in place? If we don’t have decent security I’m pretty hesitant to report it,” Mik explains.
“We have got measures in place, but we haven’t looked at them much recently,” admits Harry, “we’re pretty understaffed right now so it wasn’t top priority…”
“And I am not sure our cyber-insurance will cover us if we don’t have adequate security in place.”
Sophia receives a phone call and shortly after hangs up with a worried look on her face.
“Right, we’ve got a problem. My security team has found some of our customer data online and it’s genuine. This is more serious than I initially thought.”
Josie asks, “That probably includes some people’s credit card details, right? I think it’s time to face the reality of paying the fine.”
“But wouldn’t that just make things worse?” Sophia asks, “My team is working their hardest to regain control and the data is already leaked, what’s it going to achieve? Harry, don’t we have back-ups of our customer data somewhere?”
“I’m not too sure,” admits Harry.
“Well whatever happens, we’ve got to sort this soon, people are going to start asking questions…” Mik adds.
So, what would you do? How should Shoes-4-U have behaved in this scenario, were they right or wrong? Should they pay the ransom?
Clearly, the outcome was never going to be good for Shoes-4-U. Unsure about their current security solutions and treating security as a low priority, it’s no surprise they weren’t able to mitigate a breach effectively.
What they should have done:
On The Day?
– Reacted to and investigated the suspicious emails earlier, identifying the source of the requests
– Notified any necessary third parties, including their cyber-security provider, who could have provided advice
– Made a statement to customers – they have a right to know what is happening to their data under the GDPR
– Taken all affected systems offline, in case of any further breaches during the attack
– Recorded what action was taken from the moment they became aware of the breach
In Order To Prevent Future Attacks?
– Have a step-by-step action plan for employees to follow
– IT and security staff should be trained and up-to-date on what mitigation is needed
– Data should be backed up to a safe storage location to reduce the risk of losing all customer files
– Each necessary staff member should be trained and rehearse what to do in the event of a breach
What Should Shoes-4-U Have Had In Place?
– Better email content control, to stop phishing emails from getting into their system.
– Better DNS security that could have prevented bad links/attachments in dodgy emails from having a negative impact on the business.
– Better staff training in identifying phishing emails, and who to report this to when they find them
With regards to the ransom, it is generally considered safer and more effective not to pay. In a 2018 report by CyberEdge Group, they found that only 19% of those who pay manage to recover their lost files. This compares with 86% of those who don’t pay, who do recover their files from their own regular backups.
The moral of the story: Be Prepared!
activereach provides a bespoke DNS security & ransomware prevention service, with our dedicated professionals able to help at any time. Please visit our page on DNS security, or call us on 0845 625 9025 to find out more.