Cyber Scotland Week - Response To Ransomware

Today we will look at some of the things that are likely to happen during a successful attack.

• All normal communication routes have been affected by the cyber-attack. 
• Our website is unavailable as one of the editors was connected to it at the time of the attack and its status is uncertain.
• Our email systems are unavailable and our software based telephone system has been shut down until it can be determined whether the malware has affected it. 
• All computers across the council have been shut down including laptops, desktops and servers.

At this point nobody understands the extent of the damage, how long it will take to restore systems and data, and if data can be restored at all.  In the 2020 SEPA attack, some systems were unavailable for months, some over a year, and some could not be recovered at all.  This is the harsh reality of an extensive cyber-attack on an organisation.

• Service managers will now be looking at their business continuity plans to allow basic essential services to be carried out without the support of IT systems.
• Police Scotland will become involved as this is a criminal action. 
• Scottish Government, The Scottish Cyber Co-ordination Centre, and the National Cyber Security Centre will become involved and will be supplying specialist support.
• An incident management team has already been formed and has met several times. 
• Local media will be notified, and emergency contact information for the council will be given out.
• IT have started to analyse the incident as far as they can.  They will need to engage specialists to assist with diagnosis and to determine the source and extent of the attack, and provide advice and assistance with the elimination of the malware.

Before any kind of recovery can begin, every device will have to be examined and most likely rebuilt to eliminate any risk of malware remaining in any system.  Remember, this means every user machine and every server.  Recovery of services cannot properly begin until this is done. 

So how did this malware get past all of the security we have in place?  Why didn't the anti-malware software we have catch it and stop it? 

Cyber-attacks are no longer launched by individuals seeking some sort of recognition in the hacking community.  Cyber-attacks are now launched by organised crime groups, some of which are sponsored by hostile nation states.  Their objectives are to cause large scale disruption and to extort money from the attacked organisations where possible.  The criminals that launch these attacks employ highly skilled programmers that constantly adjust their malware to evade detection.  Even with all their skills, they would be unable to break through our external defences easily, and so they use another type of skill called social engineering to persuade someone on the inside of the organisation to effectively pick up their malware by clicking a link in their phishing email or opening an attachment. 

Once their malware has been picked up by the clicking of a link or opening an attachment, it automatically runs.  The malware isn't detected by the anti-malware on our systems because it’s a new version that hasn’t been included yet. 

Once one machine is infected the malware attacks and spreads to anything else that machine has access to.  Once the spreading has started, it can find other connections and infect anything connected to those as well.  In a fairly short space of time it can travel across an entire network with devastating consequences. 

The faster an inadvertent action is reported, the faster a potential incident can be contained and the damaged limited.  Remember there is no blame or consequence attached to any member of staff that makes an inadvertent action and reports it.

Thomas Aldred

Service Manager (ICT)