Deloitte Roundtable: Extinction level events: how ransomware has changed disaster preparedness

Sponsored content: Thursday, 12th November 2020, Asia Pacific

If you were to ask any cybersecurity professional about the most alarming malware trends today, chances are ‘ransomware’ would be one of the first things they would be keen to talk about. This type of malware can aptly be described less as a bug or virus and more as a plague, with a potential to infect massive enterprise IT systems, encrypt everything in sight and subsequently extort its unsuspecting victims. We recently caught up with James Nunn-Price, Asia Pacific Cyber leader at Deloitte, to discuss ransomware trends and how to get prepared for extinction-level events.

Ransomware campaigns have caused some serious damage over the last few years and have targeted a range of organisations from large enterprises and public sector institutions to smaller, family-owned businesses. However, when it comes to the sheer scale of ransomware attacks – and even malware in general – it really doesn’t get much more damaging than the NotPetya ransomware scourge of 2017.

One organisation that famously felt the brunt of NotPetya was Maersk, the shipping and logistics firm that is the world’s largest container ship and supply vessel operator. The multi-billion dollar company’s considerable IT infrastructure footprint was blitzed by NotPetya, completely disrupting its core business processes for days and resulting in hundreds of millions in lost revenue.

Thousands of organisations around the world have been sorely impacted by a wide variety of ransomware strains and perpetrators. The WannaCry ransomware strain hit more than 230,000 computers around the world, causing massive disruptions to Spanish mobile operator Telefónica as well as the UK’s National Health Service. More recently, a ransomware attack on Danish facilities management firm ISS World left hundreds of thousands of employees unable to access company systems, while causing an estimated $75 million to $112.4 million in total damages.

It is no secret that ransomware attacks are becoming more common, as adversaries and tools become more advanced. Cybersecurity researchers have found a huge increase in the number of ransomware attacks during 2020, suggesting a seven-fold rise in campaigns compared with 2019. Additionally, the severity of attacks is also on the rise, with both requested ransoms and cost of disruption expanding considerably.

Importantly, these attacks don’t just have the capacity to rob organisations, they can also create extinction-level events which become extremely messy and hard to recover from. Thus, organisations need to have the right tools and processes in place if they wish to be adequately prepared for such events.


NotPetya: a malware in disguise

NotPetya is considered by many as the worst business-breaking cyber event to date. The malware was released into the wild as part of a coordinated cyberwarfare campaign against Ukraine, carried out by what was likely a nation-state hacking organisation. As a means to cause unrest in the country, the perpetrators of NotPetya attacked a small organisation called M.E.Doc, which develops tax software for the Ukrainian government.

M.E.Doc was the perfect target for a novel strain of extremely virulent malware, as its software is used by just about everyone who pays taxes in Ukraine, providing a massive victim base for any payload. Using a pair of severe Windows zero-day exploits, the hacking group proceeded to install backdoors in M.E.Doc’s June software update. This allowed it to push a new kind of ‘ransomware’ – NotPetya – to anyone who updated their M.E.Doc tax applications.

No one could have ever foreseen the kind of widespread damage this was going to cause, not even the perpetrators themselves. The malware was designed to spread automatically and indiscriminately through large-scale networks, gaining privileged access before rapidly moving laterally to encrypt every device or server it touched. It took out swathes of digital-based services and core business processes for a massive number of Ukrainian businesses, causing a substantial amount of unrest in the country.

While it appeared, in the immediate term, that this was just a wide-scale extortion attempt, it was later found that so little effort had been put into the actual ransom part of the ransomware (with a measly $10,000 being collected in total) that extortion was clearly not the objective of NotPetya. After security researchers chipped away at the strain and reverse engineered it, it was clear that encrypted files could never be recovered. The malware was created purely to disrupt life and business in Ukraine and nothing else.

However, the attack caused havoc to a wide variety of businesses, even beyond Ukrainian shores. As it spread without intervention, multiple international organisations that used M.E.Doc got caught up as collateral damage, including multiple hospitals in the US state of Pennsylvania, FedEx’s European subsidiary TNT Express, and even a chocolate factory in the Australian state of Tasmania.

It just goes to show that, no matter what industry a business operates in and regardless of its perceived threat level, it is never truly safe from a potential extinction-level cyber event. Moreover, as NotPetya showed, a cyber event can decimate IT systems to the point where the loss of IT means the loss of the entire business.


Why are attacks so effective?

It may not be completely accurate to characterise NotPetya as ransomware, although it does carry most of the same DNA, at least in terms of its impact on business functions. Just as in the case of NotPetya, ransomware can be utterly devastating for businesses, pulling core business-critical IT infrastructure offline and encrypting highly sensitive company or customer information.

James Nunn-Price says there are a range of factors – applicable at enterprises around the world – that can lead to ransomware attacks being so potent. Some of these are:

  • Cost cutting within IT – no one wants to raise IT budgets, with many organisations preferring to see IT as a cost centre.
  • Rapid digitisation – embedding IT at the core of our processes while at the same time stripping all of the cost out of it. This is really a recipe for disaster and potential crisis.
  • Large standardised and open network architecture – large-scale open networks that traverse borders and departments may make certain things easier, but they also create one big blast zone where attackers can more easily hit everything at once.
  • Privileged access management – allowing too many people access to “the keys to the castle” without having the appropriate privileged access management systems in place.

“In every circumstance where we see big ransomware distributed, there is some sort of mechanism that gets an attacker in from the outside,” Nunn-Price explains.

“There are some themes around what those are, but eventually what they’re trying to accomplish is to get into the Active Directory (AD) backbone and weaponise it.”

“Generally it is very easy to move laterally into the AD environment, find some sort of nested group, and then travel up that nested group in order to get to higher level privileges in the AD. It’s always the same result.”
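The nested-group problem Nunn-Price describes is easy to audit once the membership graph is walked transitively rather than one level at a time. The script below is an added example, not code from the article or from Deloitte: it resolves the effective membership of a privileged group over a constructed directory snapshot (all group and account names are hypothetical; a real audit would feed it an export from the directory, such as the output of `Get-ADGroupMember -Recursive` or an LDAP query) and reports the accounts that hold the privilege only through nesting, which are the ones a manual review of direct members misses.

```python
"""Audit nested group membership of privileged groups.

Added example with constructed data; not the article's or Deloitte's code.
The snapshot below stands in for a directory export. Group and account
names are hypothetical.
"""
from collections import deque

# Constructed snapshot: group -> direct members (user accounts or other groups).
# A name is treated as a group if it appears as a key in this mapping.
DIRECTORY = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["Backup-Operators-Legacy"],
    "Backup-Operators-Legacy": ["bob", "Helpdesk"],
    "Helpdesk": ["carol", "dave", "Helpdesk"],   # self-reference exercises cycle handling
    "Finance-Users": ["erin"],                   # unrelated group, must not appear
}

PRIVILEGED_GROUPS = ["Domain Admins"]


def effective_members(directory, group):
    """Return {account: path} for every account that reaches `group` through
    any chain of nested groups. Breadth-first, so the shortest chain is kept;
    each group is expanded once, so cycles cannot loop forever."""
    paths = {}
    seen_groups = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, []):
            if member in directory:            # nested group: descend once
                if member not in seen_groups:
                    seen_groups.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:          # user account
                paths[member] = path + [member]
    return paths


def nested_only_members(directory, group):
    """Accounts that hold `group` privileges only through nesting, i.e. that a
    review of direct members would not show."""
    direct = {m for m in directory.get(group, []) if m not in directory}
    return {acct: path for acct, path in effective_members(directory, group).items()
            if acct not in direct}


def audit_report(directory, privileged_groups):
    """Summarise direct versus effective membership for each privileged group."""
    report = {}
    for g in privileged_groups:
        effective = effective_members(directory, g)
        direct = [m for m in directory.get(g, []) if m not in directory]
        report[g] = {
            "direct_count": len(direct),
            "effective_count": len(effective),
            "nested_only": nested_only_members(directory, g),
        }
    return report


if __name__ == "__main__":
    for group, r in audit_report(DIRECTORY, PRIVILEGED_GROUPS).items():
        print(f"{group}: {r['direct_count']} direct, {r['effective_count']} effective")
        for acct, path in r["nested_only"].items():
            print("  via nesting:", acct, "<-", " <- ".join(reversed(path[:-1])))
```

On the constructed snapshot, "Domain Admins" has one direct member but four effective ones; the helpdesk staff reach it three groups deep through a legacy backup-operators group. Running this against each tier-0 group on a regular schedule, and treating any growth in the effective count as a change to be explained, is a low-cost control against exactly the privilege path described above.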


Why is recovery so hard?

There is a distinct lack of preparedness amongst many organisations when it comes to what they should actually do in the event of a crisis. Disaster recovery is one thing, but what exactly can organisations do when there is no IT, or when the vast majority of their IT systems have been taken out?

That is why an effective approach to crisis recovery planning – as opposed to disaster recovery planning – is so important and this tends to be a sore spot for many enterprise organisations. It is less about bringing computer servers back online and more to do with developing a plan that brings services back, especially in an environment where an attack brings your entire business operations to its knees.

This is an important distinction, according to Nunn-Price, as bringing any number of servers back online does not by itself mean the business will be able to function.

“That’s what the business provides. They don’t provide servers, they provide services,” he continues.

“What are all the pieces of technology that impact core business processes? How do you recover those clusters so you can have those business processes back? That’s something that very few organisations have spent the time to do, but it’s really not that difficult.”

The recovery effort also needs to occur with the whole business backing it and supporting it. That partnership between the wider business and IT is so crucial, as the business needs to provide guidance and approval regarding which critical services need to be brought back, and in what order.
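The planning step described in this section, mapping technology clusters to the business processes they support and letting the business rank those processes, can be written down as a small dependency model. The script below is an added example, not code from the article or from Deloitte: it takes a constructed map of components, their dependencies and a business-assigned priority (1 is most critical; infrastructure with no process of its own gets a low priority and inherits criticality from whatever depends on it), derives a recovery order in which every dependency is restored before the service that needs it, and answers the impact question the other way round. All component names and priorities are hypothetical.

```python
"""Service-first recovery ordering from a dependency map.

Added example with constructed data; not the article's or Deloitte's code.
Component names, dependencies and priorities are hypothetical.
"""
import heapq

# Constructed map: component -> (depends_on, business priority; 1 = most critical).
# Pure infrastructure carries a low priority of its own and inherits the best
# priority of whatever depends on it.
SERVICES = {
    "Active Directory":     ([], 5),
    "Core Network":         ([], 5),
    "Order Management DB":  (["Active Directory"], 5),
    "Order Management App": (["Order Management DB", "Active Directory"], 2),
    "Warehouse Scanning":   (["Order Management App", "Core Network"], 1),
    "Payroll":              (["Active Directory"], 3),
    "Intranet Wiki":        (["Active Directory"], 4),
}


def _dependents(services):
    """Reverse the dependency edges: component -> components that need it."""
    dependents = {name: [] for name in services}
    for name, (deps, _) in services.items():
        for d in deps:
            dependents[d].append(name)
    return dependents


def effective_priority(services):
    """A component inherits the best (lowest) priority of anything downstream of
    it, so Active Directory is restored first because Warehouse Scanning needs it.
    Raises ValueError on a dependency cycle."""
    dependents = _dependents(services)
    own = {name: p for name, (_, p) in services.items()}
    memo, on_stack = {}, set()

    def best(name):
        if name in memo:
            return memo[name]
        if name in on_stack:
            raise ValueError(f"dependency cycle through {name}")
        on_stack.add(name)
        memo[name] = min([own[name]] + [best(d) for d in dependents[name]])
        on_stack.discard(name)
        return memo[name]

    return {name: best(name) for name in services}


def recovery_order(services):
    """Kahn's topological sort: among components whose dependencies are all
    restored, the most business-critical (then alphabetical) is restored next."""
    prio = effective_priority(services)
    dependents = _dependents(services)
    indegree = {name: len(deps) for name, (deps, _) in services.items()}
    ready = [(prio[n], n) for n, k in indegree.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for d in dependents[name]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, (prio[d], d))
    if len(order) != len(services):
        raise ValueError("dependency cycle: cannot order recovery")
    return order


def impacted_by(services, component):
    """Everything unavailable while `component` is down: its transitive dependents."""
    dependents = _dependents(services)
    hit, stack = set(), [component]
    while stack:
        for d in dependents[stack.pop()]:
            if d not in hit:
                hit.add(d)
                stack.append(d)
    return sorted(hit)


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(SERVICES), 1):
        print(f"{step}. {name}")
    print("Down with Order Management DB:", impacted_by(SERVICES, "Order Management DB"))
```

The point of the exercise is the conversation it forces: the business supplies the priorities, IT supplies the dependency edges, and the ordered list that falls out is the recovery plan that both sides have already agreed to before the crisis. Adding a component that nothing depends on and no process claims is a prompt to ask whether it needs recovering at all.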


Where to focus investment

When it comes to extinction-level attacks, it might sound like a logical solution to invest heavily in preventative measures to avoid any incidents ever occurring in the first place. This can be a tall order, however, as it is difficult to keep pace with the sheer volume and sophistication of threats today, especially if your core business function is not directly associated with IT.

This is why Nunn-Price recommends focusing investment on recovery itself, in order to facilitate a much faster remediation rate, while ensuring that core business processes can get back up and running more quickly. That does not mean completely ignoring important preventative measures such as streamlining the AD in order to prevent privileged access abuse, or installing endpoint detection and response (EDR)/privileged access management tools.

These steps are certainly still important, as is a robust approach to security posture. However, keeping pace with nation-state and organised crime attackers is extremely difficult and requires sustained attention and ongoing investment to bring your environments up to military grade.

“You will never keep pace with the adversaries that you’re dealing with as an average enterprise operating in a standard industry, and you shouldn’t. If you spend that much money you’re going to lose revenue to other companies because you won’t be as competitive anymore and you’re going to stop yourself from operating effectively,” Nunn-Price concludes.

Of course, getting this balance right will always depend on your specific business, and there is nuance to developing a comprehensive cybersecurity plan. Regardless, there is certainly a lot of value in ensuring that when everything goes belly up, you are extensively prepared.
