How Should a Company Handle a Ransomware Attack? (itwire.com)

ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th: The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."

What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.

ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."
  • What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him.

    They should have posted Putin's telephone number and email address, so folks could go directly to the root cause of the ransomware.

  • by EvilSS ( 557649 ) on Sunday May 16, 2021 @10:52AM (#61390406)
    Let's see

    1. Publicly execute the board members, CEO, CIO, CTO, and CISO
    2. Take the payment money for the ransom and distribute to the IT staff
    3. Shut the company down.
  • Yes and no (Score:4, Insightful)

    by thegarbz ( 1787294 ) on Sunday May 16, 2021 @10:53AM (#61390408)

    Transparency is good and all, but giving the CEO's phone number out is just stupid. Sitting and talking PR to newspapers is not what executives are supposed to focus on during a crisis. This isn't some fly-by-night company. There are 600 employees, and I'm willing to bet you that at least one of them is a PR person.

    This may sound like an ideal response from the public's point of view, but much like BP admitting partial fault and saying it will fund the cleanup in the Gulf, things like this will likely end up in textbooks as what not to do.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Sunday May 16, 2021 @11:03AM (#61390430)
      Comment removed based on user account deletion
      • The CEO is not supposed to be sitting in the room as the tech guys trying to fix the problem.

        I didn't say it was; there's a shitton more to handling a company-wide crisis than a bunch of IT people sitting in a basement.
        Likewise the CEO's job is not to sit around and answer the phone to every person who has a question about what was posted on the website. That absolutely is a bad use of their time. Their job is to give direction, and precisely during a crisis that direction changes *very* rapidly.

        From your response I gather you've not seen what the C-level executives do in a high profile emergency,

        • Where did the GP say the CEO should "sit around and answer the phone to every person who has a question about what was posted on the website?" Are you unable to understand moderation? Why take it to such an extreme?
          • The summary makes the claim that giving out the direct line to a high ranking Exec is the "right" way to handle such an event. It's not. What is important is that people have a good line of communication they can use to get answers. If a thousand people are trying to call that number every 15 minutes it's useless, that's why call centers and customer service centers exist. The Exec should be focused on ensuring the IT department has the resources they need, and that the call centers and frontline support ar
          • Where did the GP say the CEO should "sit around and answer the phone to every person who has a question about what was posted on the website?" Are you unable to understand moderation? Why take it to such an extreme?

            So in that respect, fielding the calls isn't a bad use of the CEO's time.

            The reality is someone has to answer a phone in order to find out if it's worth talking to someone, so there's nothing extreme about the CEO's phone line being permanently lit up even if all it does is burn out his executive assistant.

            In any case a bad use of their time. Nothing extreme about it.

        • by AK Marc ( 707885 )

          I didn't say it was.

          Technically correct. You didn't say anything. You simply complained. So no critique of your comment would be valid.

          Their job is to give direction,

          The job of the CEO is not to micro-manage. In a crisis, if they need to personally "give direction", then the company is either a 5-person company, or the CEO is incompetent.

          From your response I gather you've not seen what the C-level executives do in a high profile emergency, and it doesn't get more high profile than your entire IT infrastructure collapsing.

          I've been there for that. The CIO was in every meeting, and asked few questions, and gave exactly zero direction. The CEO drove in after hours, and literally hid in his office, waiting for the CIO to update him, and I only knew

      • A CEO's job is to appoint the right people to do the work,

        In my opinion, the absolute number 1 step in security is having the "right people" and giving them the resources they need to do their job and to do it right.

        All of the technical implementation details should then sort of trickle down from there. This often means having people onsite, in-house, who know the systems inside and out.

        Unfortunately, it is still too often the trend that CEOs or other higher-ups don't see IT as "profitable" so they give it

  • Now we need to put companies on notice not to pay ransom and notify the appropriate authorities so they can take measures - by force of law, if necessary.

  • Be prepared? (Score:5, Insightful)

    by jacks smirking reven ( 909048 ) on Sunday May 16, 2021 @10:55AM (#61390414)

    I feel like this is fairly straightforward. Expect to be attacked, know in advance what files and systems you expect would end up under encryption during a ransomware attack, and have a plan to restore those to a safe point. It seems like with most things, if you don't simulate, prepare and have an emergency plan before you get attacked, then you are already screwed when you do.

    Can talk about MS vs Linux, pay vs don't pay all you want, but ransomware kind of should be treated like a natural disaster, and either you are prepared ahead of time for it or you're not. Make that plan on the assumption of a successful attack first, and after that start to work through the ways you stop the attack, knowing they can never be 100% effective.

    • Re:Be prepared? (Score:5, Informative)

      by aaarrrgggh ( 9205 ) on Sunday May 16, 2021 @12:12PM (#61390574)

      The question of “restore to what” and “what about our sensitive information leaking out” go beyond a good backup plan— ransomware response is very much in the “Disaster Recovery” realm rather than a more simple backup/restore routine.

      I used to work with a bank that did actual disaster recovery drills once every three years, turning a warehouse into a datacenter with rental mainframe equipment. I don’t know of many organizations that go to those lengths today— everybody thinks they are hardened by design or some similar BS.

      • Re:Be prepared? (Score:4, Insightful)

        by wwphx ( 225607 ) on Sunday May 16, 2021 @12:19PM (#61390592) Homepage
        A friend of mine works for a certain insurance company in Omaha. They do disaster recovery drills twice a year, and they learn from them every time because they never go exactly to plan. But that is the purpose of such drills. I spent three decades in IT with various organizations, never in a role with any real power, and never once did my org attempt a recovery drill. Only once did I see a pen test attempted, and all of my database servers withstood their attacks, reportedly mine were the only ones that did not fall. I was proud of that.

        Another friend used to work for Big Blue doing disaster recovery proof testing for what used to be the AS/400 series and whatever it was called afterwards. They would build duplicates of whatever your equipment was, then you would come over with your tapes and attempt a restore and test. So some people do take this seriously.
    • The question is not how to be prepared or ready... The question is how it should be handled when your organization gets attacked. One thing to keep in mind... these hackers breaking into your infrastructure is proof they cannot be trusted. Don't pay the ransom. Paying ransom "incentivizes" the crime. At worst, they double-cross you and get your payment without giving your data/control back. Instead of using the money to pay the ransom, use it to pay an expert (or a group of experts) to fix things for you.
  • Nuking any Windows 7 pcs still in use from orbit as well.
    • Quite frankly, ANY Windows box should be treated as if it were running Windows 98. (zero security, and software that loves to suck untrusted crap from everywhere).

      Updates are part of the security equation, but they should NEVER be relied upon blindly. Too often, updates can actually introduce security issues or wreck system stability. Modern software is so insanely complicated and bloated, it should ALWAYS be assumed to have bugs and vulnerabilities.

      If the bad guy can't get (directly or indirectly) to your

  • Step 1, tested backups going back sufficiently far to be useful.

    Step 2, don't negotiate. You're going to be targeted by the next guy as well if they know you are a cash machine.

    Step 3, if you are in charge of critical infrastructure, fundamentally separate your business network from your operational network. Do not store passwords for your op net online, period. Use one-way links for monitoring, such that it should be irrelevant even if they have your passwords.
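An added example (not from this thread or any poster) of what "tested backups going back sufficiently far" can look like in practice: each archive is restored into a scratch directory and checked file by file against its manifest, and then only the restorable copies are checked for retention depth and for gaps between consecutive good copies. The archives, file contents, dates and thresholds are constructed for the example; a real job would point at the actual backup store.

```python
"""Tested backups with enough depth: restore each archive, verify it against
its manifest, and confirm the restorable chain reaches back far enough.
Added example; all archives, contents, dates and thresholds are constructed."""
from __future__ import annotations

import hashlib
import io
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

NOW = datetime(2021, 5, 16, tzinfo=timezone.utc)          # constructed "today"
FILES = {                                                  # constructed sample data
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
    "docs/recovery-plan.txt": b"1. isolate  2. restore  3. verify\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Stand-in for a backup job: a gzipped tar in memory plus a manifest of
    per-file SHA-256 hashes recorded when the backup was taken."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return {
        "taken_at": taken_at.isoformat(),
        "archive": buf.getvalue(),
        "manifest": {name: sha256_bytes(data) for name, data in files.items()},
    }


def restore_and_verify(backup: dict) -> list[str]:
    """Restore into a scratch directory and compare every file to the manifest.
    Returns a list of problems; an empty list means the backup is restorable."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(backup["archive"]), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Refuse members that could write outside the scratch directory.
                if (not member.isfile() or member.name.startswith("/")
                        or ".." in Path(member.name).parts):
                    problems.append(f"refusing unsafe member: {member.name}")
                    continue
                target = root / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
        for name, expected in backup["manifest"].items():
            path = root / name
            if not path.is_file():
                problems.append(f"missing after restore: {name}")
            elif sha256_bytes(path.read_bytes()) != expected:
                problems.append(f"hash mismatch: {name}")
        restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
        for name in sorted(restored - set(backup["manifest"])):
            problems.append(f"unexpected file in archive: {name}")
    return problems


def retention_check(backups: list[dict], now: datetime,
                    need_days: int, max_gap_days: int) -> list[str]:
    """Only restorable backups count. The chain must reach back need_days
    (an intrusion may sit quietly for weeks before the ransom note) with
    no gap longer than max_gap_days between consecutive good copies."""
    good = sorted((datetime.fromisoformat(b["taken_at"])
                   for b in backups if not restore_and_verify(b)), reverse=True)
    if not good:
        return ["no restorable backups"]
    problems: list[str] = []
    if now - good[0] > timedelta(days=max_gap_days):
        problems.append(f"newest restorable backup is {(now - good[0]).days} days old")
    if now - good[-1] < timedelta(days=need_days):
        problems.append(f"oldest restorable backup is only {(now - good[-1]).days} days back")
    for newer, older in zip(good, good[1:]):
        if newer - older > timedelta(days=max_gap_days):
            problems.append(f"gap of {(newer - older).days} days before {newer.date()}")
    return problems


def sample_backups() -> list[dict]:
    """Three constructed backups: a fresh good one, one whose archive no longer
    matches its manifest (a copy altered after it was written), and an old good one."""
    fresh = make_backup(FILES, NOW - timedelta(days=1))
    altered = make_backup({**FILES, "db/customers.sql": b"garbage"}, NOW - timedelta(days=8))
    altered["manifest"]["db/customers.sql"] = sha256_bytes(FILES["db/customers.sql"])
    old = make_backup(FILES, NOW - timedelta(days=35))
    return [fresh, altered, old]


if __name__ == "__main__":
    for b in sample_backups():
        print(b["taken_at"], restore_and_verify(b) or "OK")
    print(retention_check(sample_backups(), NOW, need_days=30, max_gap_days=14))
```

With the constructed data the middle backup fails its restore test, which turns a 7-day cadence into a 34-day gap in the usable chain; that gap is what the retention check reports, which is the point of testing restores rather than counting archives on disk.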

    • Step 2, don't negotiate. You're going to be targeted by the next guy as well if they know you are a cash machine.

      On the contrary, other actors will reasonably conclude that after you've been attacked, regardless of whether you paid out or not, your security and backups will receive far more attention, and so they should move along and simply find the next shop that views IT as a cost center.

    • Step 1, "be too big to fail."
      Step 2, politicians are cheap, buy some
      There is no Step 3
    • Step 3, if you are in charge of critical infrastructure, fundamentally separate your business network from your operational network. Do not store passwords for your op net online, period. Use one-way links for monitoring, such that it should be irrelevant even if they have your passwords.

      They have to be entirely separate networks, or we always have to assume if the front office is being held hostage it might not be for the ransom, it's cover to rob the back office systems. Anytime our work is disrupted by an attack or compromise on one part of the network we have to assume it's possibly cover for a deeper breach. I don't think most business can operate like that with airgapped networks so there's always going to be a point where if a breach is significant enough, like IT is denied access

    • by tlhIngan ( 30335 )

      Step 3, if you are in charge of critical infrastructure, fundamentally separate your business network from your operational network.

      But do not act like the operational network is impervious. Air gaps can be breached way too easily, so ensure that if the main network is breached, the operational network is breached as well and shut it down. It only takes one mistake and you can accidentally compromise the secure network, so ensure the first thing done is to shut it all down.

      And don't assume - assume the secure

  • Especially bitcon, since it's mostly used to make these attacks possible (without cryptocurrencies, it'd be far easier to find the culprit, but the attacks also wouldn't be as profitable to the criminals in the first place).
  • capable of thwarting any social engineering con, plus be fully capable of using a hardened Linux and BSD, and have complete backups of the entire system in more than one operating system (a Linux backup and BSD backup) so just in case the system gets compromised the system can be taken offline and hard drives replaced with another set of bootable hard drives of another flavor of BSD or hardened Linux (no-systemd allowed - rota jakiro rings a bell)

    1 capable IT that is aware of social engineering 2, redunda
  • by TheNameOfNick ( 7286618 ) on Sunday May 16, 2021 @11:45AM (#61390516)

    Apologize profusely for the downtime.
    Don't post CxO phone numbers.
    Do. Not. Pay.

  • I'm still ticked off that some Target C-Suite exec clicked on a PDF and got his entire system infested with malware that stole my credit card numbers some years ago... what kind of rinky-dink network security does a company have that phishing attacks are even possible? Any admin-level account held by an executive should be a special account... no e-mail, and only accessed in rare cases. They do not need any special access beyond getting e-mails and shuffling presentations around. That doesn't require the s
    • Re: (Score:3, Insightful)

      by EmagGeek ( 574360 )

      As a founder/CEO I don't dictate much to my IT people, but what I do dictate is that nobody, and I mean nobody (not even the IT staff), is allowed to operate from an account with admin permissions. People who need admin rights have the ability to elevate when they need to, but I'll be damned if people are walking around logged in as an admin user all the time.

  • Separate networks/servers for email and file storage. Block email attachments. Distribute files through a shared drive. Block usb drives. This will probably resolve 90% of the issues.

  • "data not restored!" (Score:5, Interesting)

    by aRTeeNLCH ( 6256058 ) on Sunday May 16, 2021 @11:54AM (#61390540)
    Whatever happens, they should always claim they paid the money in full, but never got their data back. Without actually paying the money, naturally.

    1) Other companies will be less inclined to actually pay, "since the data won't come back anyway".
    2) The criminals now think their fellows made off with the prize. Possibly/hopefully hilarity ensues.
    At the least, they may be more inclined to rat each other out.

    This requires it not be illegal to pay ransom.

    • by PPH ( 736903 ) on Sunday May 16, 2021 @12:40PM (#61390634)

      they should always claim they paid the money in full

      What happens when one attempts to spend the same Bitcoin twice? Theoretically, the blockchain should prevent that. So the ransom victim opens an anonymous Bitcoin address and pays the ransom into their own wallet. Then sends it to the attackers. Attackers detect that 'someone' has received payment first. "Sorry guys. One of your people sent us that other address first. So we paid." Attacker demands another payment. Rinse and repeat. Eventually you, the victim, demand that they conduct a purge of their organization first. So payments don't get sidetracked.

      Now you break out the popcorn and lawn chair.

      • And that's how you get all your stupid backupless data overwritten by /dev/random. Or worse: Unencrypted while a backdoor is kept to *really* fuck you up for good. (Example: CEO caught with child porn, business secrets leaked, employees in a SJW battle, board caught financing terrorists for the last 3 years. All things I could easily do with full access to a business network and the darknet. And judges really fall in love with nice old logs and messages going back years. As if it was too hard to create them.

        • by PPH ( 736903 )

          And that's how you get all your stupid backupless data overwritten by /dev/random.

          By whom? The survivors of the purge? By the time the bodies start piling up, local police can trace back through known associates and round up the living.

          At any rate, we were not going to pay anyway. Systems are down, so we just unplugged the network feed. Good luck sending an erase command or CP to a pile of hard drives sitting in a forensic/data recovery firm.

  • 1) Keep backups of all data that needs to be preserved.

    2) If an incursion occurs, prepare a cleaned up system, and restore the data from the last backup.

  • Asking how a company should handle public relations after a ransomware attack is silly. The more important question is: how do you prevent it? Or even: how do you recover from an attack? That is more important than pondering how to handle public relations.
  • Using a product such as Panzura filer, your snapshots are Read-Only, so if a ransomware attack happens, you just show the attackers your middle finger and restore, once attack vector has been identified and remediated. Easy peasy, lemon squeezy.
  • It is always a temptation to an armed and agile nation
    To call upon a neighbour and to say:--
    "We invaded you last night -- we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
    To puff and look important and to say: --
    "Though we know we should defeat you,
    we have not the time to meet you.
    We
  • by LenKagetsu ( 6196102 ) on Sunday May 16, 2021 @02:50PM (#61390924)

    Do not pay the ransom. There need to be fines doled out for this, preferably twice that of the ransom itself.

    • by jabuzz ( 182671 )

      I would like to see actual jail time for being involved in paying a ransom. Then and only then will the payment of ransoms stop. When the payment of ransoms stops, asking for ransoms will stop too. Ideally, if all G7 and EU members implemented this it would have an even bigger impact.

      I would also like to see countries that refuse to extradite their citizens for being involved in ransomware attacks cut off from the western banking system.

  • By making periodic, frequent backups that are protected with a different set of keys.

  • 1. Contact your local or State agency handling Cyber attacks.
    2. Instead of paying up, offer a bounty for the demasking or neutralizing the hacker group along with the key at 15% of the ransom payable in bitcoin.

  • by DaveV1.0 ( 203135 ) on Monday May 17, 2021 @05:19AM (#61392382) Journal
    See the movie "Ransom":

    The whole world now knows... my son, Sean Mullen, was kidnapped, for ransom, three days ago. This is a recent photograph of him. Sean, if you're watching, we love you. And this... well, this is what waits for the man that took him. This is your ransom. Two million dollars in unmarked bills, just like you wanted. But this is as close as you'll ever get to it. You'll never see one dollar of this money, because no ransom will ever be paid for my son. Not one dime, not one penny. Instead, I'm offering this money as a reward on your head. Dead or alive, it doesn't matter. So congratulations, you've just become a two million dollar lottery ticket... except the odds are much, much better. Do you know anyone that wouldn't turn you in for two million dollars? I don't think you do. I doubt it. So wherever you go and whatever you do, this money will be tracking you down for all time. And to ensure that it does, to keep interest alive, I'm running a full-page ad in every major newspaper every Sunday... for as long as it takes. But... and this is your last chance... you return my son, alive, uninjured, I'll withdraw the bounty. With any luck you can simply disappear. Understand... you will never see this money. Not one dollar. So you still have a chance to do the right thing. If you don't, well, then, God be with you, because nobody else on this Earth will be.
