Sometimes we all get complacent when we hear about cyber attacks on businesses and organizations. We figure, too bad, it is unfortunate that someone got caught by this nefarious practice but it doesn't happen around here. Recent events have brought this right to our doors in the Hamilton, Burlington area.
It appears that sometimes where you are located actually does matter in these cases. Perhaps it is a single Crypto thief who decides to hit a location, or it is just the luck of the draw as a first instance occurs and then the email addresses from that contact start to be linked into other sites in a common geographic area. However it occurs, the Burlington and Hamilton area of Ontario, Canada seems to have become part of the ransomware or Crypto battleground in recent days and weeks.
Size And Business Type Don't Matter
In cases which have become known in this area the size of organization and the type of activity does not seem to matter. Large institutions, legal firms, retirement homes, and service businesses have all been the target of attacks in recent weeks. Big and small all seem to have potential to be targets. Unfortunately in several cases it has led to loss of files and loss of productivity as restores have been deployed.
Luckily, or more correctly due to fairly good backup practices, most of the affected organizations have been able to restore back to a time prior to the infection and avoid having to pay the ransom requested to get back into business.
In one instance due to an attack on accounting records an affected organization ended up reentering up to a week's accounting transactions once the systems had been cleaned. In another instance the attack was noticed by an IT resource who was actively working on the site and the infection was able to be limited to the initial user who received the virus.
The costs were not minor however. In one instance over 60 users did not have access to their shared network drive (more about this in another followup article) while IT isolated the attack and restored from backup. In another instance the first restore from backup was re-infected, since the virus source had not been fully cleared, resulting in two days of downtime.
What Do You Do
There are a few things which can be done as a means to help avoid these kinds of attacks but in the end it takes diligence and some planning to both avoid and mitigate the impacts.
One thing to understand is that it costs money to be prepared, but it costs a lot more to fight off an attack and to clean up afterward.
There have been three basic components identified for a good protection plan:
- Educate all your users about what to click on in email. Re-educate on a regular basis and stress the need to be cautious. Basically, if an email is not from a clearly safe source and that source is not visible in the header, don't click on any attachments. If in doubt, don't click, and refer the email to someone from IT who can isolate and investigate.
- Deploy, update constantly, and manage security software from one of the reputable security vendors on all devices connected to your network. Put in place proper protocols for outside hardware being connected on your network, ideally on an isolated guest connection which keeps your in house files safely quarantined.
- Use snapshot based real time backup software from a secure resource that will permit you to quickly recover back to a clean installation in the case an infection gets through the security above. Don't rely on a backup which is sent to a shared network drive or that is only internal to your system. It too could have a potential to get infected.
One final option some organizations have deployed and others are considering: remove your key documents from mapped network file stores into properly structured document management systems as a way to isolate them from these kinds of attacks.
There seems to be a broader base of attacks throughout Canada in the last week or so, and this means more and more need to be aware of the challenge this kind of malware brings.
Consult And Pay Attention
For many leaders IT is something which is taken care of by technical resources who deal in this mysterious world. It is not seen as the critical tool that drives the organization until something goes wrong. Unfortunately, resources deployed after the problem exists are always more costly than those designed to prevent the problem, but often at budget time the real risk seems remote and far away.
These cases show (and I am sure there are many more) that local organizations can as easily be attacked as those we read about from far away.
Take action now and learn from these cases. Educate, deploy the right security tools, and ensure the right backup is in place. Do this constantly. At least if an inadvertent attack occurs the ability to recover can be fast, effective and far less costly.
By the way, if you think that because your systems are Mac based you are immune, read this.