Office supplies biz owned by UK council shrugs off ransomware demand for 102 Bitcoin

A Brit public sector-owned office supplies company shrugged off a ransomware demand for 102 Bitcoins after a staffer opened a phishing email. Kent-based Commercial Services Group (CSG) was struck by ransomware deployed by a "foreign criminal organisation" in early April. A local blogger, publishing the Vox Medway site, claimed …

  1. Will Godfrey Silver badge

    Good!

    I just hope more organisations and companies start taking this approach

    1. big_D Silver badge

      Re: Good!

      Let's hope, but it means having good backup and disaster recovery plans in place. That is unfortunately where too many companies spare a couple of quid and aren't in a position to actually recover.

      1. sev.monster Silver badge

        Re: Good!

        What's a "backup"...?

        1. Tim99 Silver badge

          Re: Good!

          "Backups" are useless - it's a successful restore that's required.

  2. Terry 6 Silver badge

    I know it's a naive question, but maybe that's what's needed. Why isn't there a system of successive read-only backups that can only be wiped and reused manually/offline - retained for a significant time period?

    1. Throatwarbler Mangrove Silver badge

      There very well may be backups. Unfortunately, there are at least a few problems:

      1) How far has the malware infiltrated the company's systems? If they can't answer that, then undertaking the recovery process may be a vain effort, since the malware may just spread again to the recovered systems.

      2) How long was the malware in the network before it triggered? If the company does know that, recovery from backup may also restore the malware.

      3) How much control do the malware writers have over the infected machines? What access do the technical staff currently have?

      4) Depending on how deeply the malware has spread, the company may actually need to wipe and bare-metal recover a number of systems, possibly including the backup servers themselves. BMR is not usually a trivial process, unfortunately.

      If it's a really bad incursion, the company may still be diagnosing the problem, and backups are only a part of the recovery strategy.

      1. big_D Silver badge

        Then there is the 5th point: it all takes time to do the analysis, get replacement kit and drives in, if needed, and then actually provision those devices and recover from backups.

        @Terry6

        At one site I worked, we had a single ransomed PC; we removed the hard drive, put in a new one and played out a standard image, and the user was back up and working in a couple of hours (company policy forbade the storage of documents locally, so any lost documents were the user's problem). Multiply that up by a few hundred PCs and it will be days before everybody is back online, assuming you don't have to recover any personal data on those PCs.

        Then you have the server infrastructure, where the data is. That will usually take several hours overnight to perform an automated backup. Recovering each machine from a last-known-good backup will take more time, multiplied by all the servers you have, possibly all on different backup tapes (some machines don't change often, so are backed up weekly or monthly; others change rapidly and will be backed up multiple times a day, e.g. email and ERP servers).

        Once you have the right backup media, you will probably spend a couple of days recovering the servers (and keeping them powered off or network isolated). Then you need to check the servers aren't infected; once you are sure they are clean, they can come back online and the users must perform integrity checks, to ensure the data is complete / to assess how much data has been lost since the last backup. That lost data will then need to be reconstructed from the paper trails (worst case), or the data is lost completely (catastrophic case).

        So, even if you have a lot of IT staff and your latest backups are good and can be used, you will still need days or weeks to get the whole infrastructure back up and running.

        One case I am aware of: the cyber security arm of the Federal Office for the Protection of the Constitution contacted a company and informed them that their servers' IP address had turned up on a Chinese darknet forum. Given the known vulnerabilities and patch status of the server's firmware, their advice was to "shred" the servers and install new ones and recover from known-good backups.

        That is an extreme case, but where are you going to get a replacement server farm on short notice?
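As an added example (not from the thread, and nothing to do with CSG's actual setup), here is a small Python triage helper that turns the points above into a check: only a retention-locked, test-restored backup taken before the malware's first-seen date (with a safety margin) qualifies as the last-known-good restore point, and the gap between that point and detection is the data that has to be reconstructed from paper. The inventory, dates and reason strings are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Backup:
    label: str
    taken: datetime   # when the snapshot completed
    immutable: bool   # retention-locked or offline: could not be wiped from the network
    verified: bool    # a test restore of this snapshot has already succeeded

def reject_reason(b, cutoff):
    """Why a backup cannot serve as the restore point, or None if it can."""
    if not b.immutable:
        return "online and writable during the incident"
    if not b.verified:
        return "never test-restored"
    if b.taken >= cutoff:
        return "taken inside the malware dwell window"
    return None

def pick_restore_point(backups, first_seen, margin=timedelta(days=1)):
    """Newest trusted backup taken before first_seen minus a safety margin,
    plus a dict of label -> reason for every backup that was set aside."""
    cutoff = first_seen - margin
    trusted, rejected = [], {}
    for b in backups:
        why = reject_reason(b, cutoff)
        if why:
            rejected[b.label] = why
        else:
            trusted.append(b)
    return max(trusted, key=lambda b: b.taken, default=None), rejected

def data_loss_days(chosen, detected):
    """Days of data that must be reconstructed from paper trails or written off."""
    return (detected - chosen.taken).days

# Constructed sample inventory (hypothetical dates, not from the CSG incident).
FIRST_SEEN = datetime(2019, 3, 28)   # earliest trace of the malware found by the investigation
DETECTED = datetime(2019, 4, 4)      # day the ransom note appeared
SAMPLE_BACKUPS = [
    Backup("monthly-2019-03-01", datetime(2019, 3, 1), immutable=True, verified=True),
    Backup("weekly-2019-03-20", datetime(2019, 3, 20), immutable=True, verified=True),
    Backup("weekly-2019-03-27", datetime(2019, 3, 27), immutable=True, verified=True),
    Backup("weekly-2019-03-30", datetime(2019, 3, 30), immutable=True, verified=False),
    Backup("daily-2019-04-02", datetime(2019, 4, 2), immutable=False, verified=True),
]

if __name__ == "__main__":
    chosen, rejected = pick_restore_point(SAMPLE_BACKUPS, FIRST_SEEN)
    print("restore from:", chosen.label, "| days to reconstruct:", data_loss_days(chosen, DETECTED))
    for label, why in rejected.items():
        print("set aside:", label, "-", why)
```

The margin exists because "first seen" is only the earliest trace the investigation found, not necessarily the first foothold.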

    2. John Brown (no body) Silver badge

      "read-only backups"

      The Guinness trial showed why that could be a bad idea for some companies :-)

  3. cbars Bronze badge

    Backups

    We're always talking about backups, but this raises an interesting thought for me. Wouldn't it be sensible to set up an entirely unrelated emergency domain (or Gmail account, yes) which you specify in your contracts as an authoritative secondary, from a business perspective...?

    I'm sure it's not simple to recover a business without usable backups for all systems, but if you can continue to communicate and trade it's got to be easier.

    1. Captain Scarlet Silver badge

      Re: Backups

      Yeah, having a plan to get communication up quickly is always recommended; every company tends to have some spare domains, so why not keep them handy for some email accounts.

      We don't host our own site, so if we ever have issues we have the option of simply creating some shared email accounts with our hosting provider. Once back, these can easily be redirected.

  4. my farts clear the room

    Email continuity

    There are dozens of online email archiving/continuity services that give you access to a cached version of your mailbox and store copies of your outgoing mail until you have got your recovery organised.

    Currently their MX records point to mxtls.expurgate.net; a visit to www.expurgate.net redirects to cyren.com/en, which has this apocryphal text:

    91% Of All Cyberattacks Start With A Phishing Email.

    If they are still down (and a visit to kcs.co.uk suggests that they might be) then it really is too little, too late.

  5. martinusher Silver badge

    Email plus HTML/scripting is a disaster waiting to happen

    I'm a bit old school in that I think of email as primarily a text medium, so I tend to preview and open mails in plain text, only switching to HTML if there's something of interest. There should never be anything executable in an email. No ifs, ands or buts. Nothing executable. Ever. Or to quote my late mother -- "Don't touch it -- you don't know where it's been".

    1. Roger Greenwood

      Re: Email plus HTML/scripting is a disaster waiting to happen

      Exactly. It also means the odd spam email which gets through cannot track you. I am really surprised more folks don't do this.

      1. Will Godfrey Silver badge

        Re: Email plus HTML/scripting is a disaster waiting to happen

        My mail reader is configured to display html as plain text, and show anything else that isn't plain text as a closed attachment. It runs absolutely nothing, but I can save things like embedded images without once actually viewing them.
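As an added illustration of the reading mode the three posts above describe (not any poster's actual mail client configuration), this Python snippet renders a message the same way: the text/plain part is preferred, an HTML-only body is flattened to visible text with script and style content and tracking images discarded, and every other part is merely listed by name and type, never opened. The sample message is constructed inline; the addresses and the "invoice" attachment are placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _VisibleText(HTMLParser):  # keeps visible text only; script/style bodies are dropped
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def html_to_text(html):
    p = _VisibleText()
    p.feed(html)
    return " ".join("".join(p.chunks).split())   # collapse whitespace, no tags survive

def render_as_text(raw):
    # Returns (body, attachments); attachments are (filename, content type) pairs, never decoded.
    msg = message_from_bytes(raw, policy=policy.default)
    plain, html, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(part.get_content())
        elif ctype == "text/html":
            html.append(html_to_text(part.get_content()))
        else:
            attachments.append((part.get_filename() or "(unnamed)", ctype))
    body = "\n".join(plain) if plain else "\n".join(html)   # plain text wins when both exist
    return body.strip(), attachments

def sample_message():
    # Constructed demo message: text and HTML alternatives plus one attachment.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "accounts@example.invalid", "staff@example.invalid", "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative("<p>Please see the <b>attached</b> invoice.</p><script>beacon()</script>"
                      "<img src='http://example.invalid/open.gif'>", subtype="html")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```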

  6. Anonymous Coward

    This current and malicious 'malware' managed to avoid 3 levels of professional IT security.

    3 levels? Never mind the quality, feel the weight! Clearly the users were 'thicker'.

    1. Neoc

      Re: This current and malicious 'malware' managed to avoid 3 levels of professional IT security.

      Pedant alert: Actually, the line is "never mind the quality, feel the width" and was a sarcastic rejoinder about some fabric stores trying to get you to ignore the fact that the roll of fabric was a ridiculously small width by hyping up the quality of the cloth ("never mind the width, feel the quality").

      My wife is a sewing addict.

      1. Anonymous Coward

        width vs. weight

        Thanks, I know. Was going to change it to height (qv '3 levels'), but didn't think most would get it. Chose 'weight' as analogue to bulk.
