Tag Archives: Recovery from Ransomware

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.


  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743
Advertisements

User awareness training – the forgotten first line of defense in the fight against ransomware

2 April 2016

Ransomware attacks seem to increase dramatically at the moment. In particular hospitals all over the world suffer gravely from attacks. Last Thursday, the governments of the United States and the Canada published the joint Cyber Alert (TA16-091A):

‘The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.’

In section Solution advice is given for preventing infections and for risk mitigation. To be honest, this alert should be a mandatory reading for all administrators.

But user awareness training is shabbily treated, although it is the first line of defense and training material is available. The Stop.Think.Connect Toolkits offer target group specific training materials and tip cards. In the Industry Employee Tip Card eight simple tips are given, e.g.

  1. Don’t share any of your user names, passwords, or other computer or website access codes.
  2. Only open emails or attachments from people you know.

Let me add my favorite tip:

  1. Don’t use your company username, password and email address for private purposes.

Have a good weekend, and start with awareness training on next Monday.

Hollywood Presbyterian Medical Center Victim of Cyber Attack

20 February 2016

Hollywood Presbyterian Medical Center was hit by a ransomware attack around February 5th. At almost the same time some hospitals in Germany were hit by a similar attack.

In both cases the attack was initiated by emails with malicious attachments. In both cases the impact was nearly the same: Hospital operations came almost to halt. And in both cases the IT groups were able to prevent the worst by rapid and effective intervention.

IT operations, and thus medical operations, was massively hampered for some days because the malware rapidly changed its code. In such cases pattern based anti-malware systems have only a limited effect in recovery of IT operations.

From my point of view,  an effective ISMS is the best way to deal with ransomware. And the way the IT groups dealt with the attack shows, that they have an ISMS or something similar implemented and practiced.

Hospitals are becoming increasingly dependent on a fully operational IT infrastructure. Even a shutdown of some days is hardly possible. Therefore, we need an entirely new approach for providing services to hospital staff.

Spear phishing attacks, drive-by downloads, java script attacks, etc. are omnipresent today. Thus computers are potentially compromised because they are connected to the internet. This holds even if the computers are operated inside a company network only.

The ‘trusted computer in a trusted company network’ paradigm is no longer relevant. A shift to the ‘zero trust’ paradigm is imperative to prevent unacceptable outtakes.

The good news is that the technology for implementation of a ‘zero trust’ paradigm is ready today:

The hospital IT systems are isolated in a Core Data Services Network (CDSN). Access to the CDSN is provided via virtual desktops. The Virtual Desktop Infrastructure (VDI) is hosted in the CDSN.  Email- and internet access is blocked in the CDSN, as well as data exchange between the virtual desktops and the user workstations. Data exchange between the CDSN and the user workstations is controlled through secure gateways. Only the user workstations or smart devices have access to the internet and the company’s email system, which remains outside the CDSN.

This is just a blue print. With Software Defined Networking it’s easier to implement today.

The big advantage is that, even if a user’s workstation is compromised, the likelihood of an impact on the hospital’s IT systems and data in the CDSN is dramatically reduced. And recovery from an attack with ransomware is very easy: Run a fresh installation of Windows on the compromised computer. Sound’s easy, doesn’t it?

Have a good weekend.