Your money or your files? Should you pay the ransom?
A recent story has come to light that really interested me, since I currently have one foot in both camps, as it were: the ransomware hack at that well-known games studio.
I’ve been working in and around Technology since the 90s and almost as long as that has been spent with at least one eye on security.
In the “good old days” security was a lot easier to manage, both physically and electronically, but as we’ve shifted more and more to always-online and cloud solutions, the defence has had to keep pace.
Having stepped fully onto the IT side of things, I can say from experience that providers really have to sell “additional” protection.
I still remember, many years ago, when I was looking at protection as a service, being told by one of my unofficial technology mentors (RIP John, you taught me plenty in between cups of sugar with a little coffee sprinkled on top!) that companies viewed virus protection, back then, as something that wasn’t absolutely necessary.
In another conversation, the founder of a very significant local company told me that, for protection to be taken seriously, a company would have to experience a failure before it would act.
Well, in this instance (and I don’t know the specifics here) if inaction was indeed part of the issue, you have to think the damage is pretty serious and far-reaching.
And this brings up one of my biggest bugbears with IT services: the “it’s unnecessary” or “it’s too expensive” response to a solution.
Nowadays it’s a far more awkward sell, as licensing is almost universally per user. So if you’re a company with, say, 400 employees, that’s not a small expense.
Also, given the agile nature of software solutions and protection, there are probably at least three or four products you could realistically suggest purchasing to make your users “safe”.
Four applications at maybe £5 per user per month for 400 staff is about 100 grand a year (4 × £5 × 400 × 12 = £96,000).
Now here’s the burning question: is that too expensive?
Insurance companies will tell you that, if you have a certain level of protection/policy, you should pay the ransom. For our little gamesdev startup, the cyber security insurance quote alone started at £10,000. The temptation to do neither would be high.
You’d have to argue that the cost of insurance, plus ten times that again in security software to protect you, is still cheaper than the alternative.
At this point I don’t know exactly what will happen with all of the data that leaked. But I do know some personal data got out and, even though it’s low volume, it’s likely to lead to problems, if not the sort of fines and auditing you might expect after a breach of much greater volume.
Reputational damage can be a company killer, but leaking NDA’d material about new game releases? I’d think that, unless the source code is part of the leak, it’s possibly not a world-ending event, but, as I say, I’ve not been in one of these before!
So, looking at it, you could argue you can either insure, or protect, or both. But why pay?
Personal experience has shown that victims of ransomware who pay up often get hit again a few months later.
One client was phished and got caught in the old “we’ve changed bank accounts” scam. The emails didn’t look right, but the staffer didn’t think to question them or pick up the phone, and just made the payments (there was more than one, weeks apart, 60k lost in total) because at the time they didn’t think anything was amiss.
The ABSOLUTE LEAST that should be happening right now is some serious forensic-level scanning of systems and topping up of protection.
But we ALWAYS advise not only protection, but also documentation and procedure: a change of payment details gets verified by a call back to a number you already hold, never to one in the email. In the instance above I’m not convinced even the best security product would have picked that email up; I’d like to think it would have been tagged as an obvious impersonation attempt, but sometimes these things slip through.
And then we have good old human error.
The story over at cyberdaily.eu said the following:
So there’s your starter for ten. Gamesdev companies: you have a target on your backs.
One of the natural roles of a senior IT professional, or really ANY IT professional, is to look at the company infrastructure and advise where there are gaps in the protection.
At a previous job I was told I couldn’t have any extra cash for antivirus, antimalware, email antispam, etc., any of it, because that year’s budget was finalised.
So I found myself at the point I mentioned above: it had not been thought about, but the whole stupid process was so locked in you couldn’t even purchase protection if you wanted to.
I did genuinely think about handing over my keys and walking right out, ironic given what happened later, but in the end I found another way around it (DM me if you’re an eager sysadmin and would like the intel on that!) and so protection was added.
It did help that there were at least two incidents of successful phishing of two very senior members of staff, who really should have been far more aware of those sorts of risks.
Back in the good old days we could do things in a far simpler manner: pull a plug, disable a modem, disconnect a disk.
I’m not anti-cloud, but these days the more we lean on personal equipment, working from home and giving staff far more rights to systems, the more we open ourselves up to risk.
And, of course, we have to know that the watchers, the systems admins, are up to it. I’d take a punt and say that here, possibly not so much; this line from the article speaks volumes.
Some really interesting info here. The network was hacked, and the attackers gained access to the domain administrator [account]. Traditionally, domain-level admin access is restricted to a very small number of people, and to dedicated admin accounts that are never used for day-to-day email and browsing, because whoever holds it can reach every machine in the domain at once.
But I have seen networks that, even to this day, hand out admin rights to ALL users.
Any company I work with that starts playing that sort of game, well, either one stops or one walks!
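The quickest way to find out whether your network is one of the “everyone is an admin” ones is to list who actually sits in the privileged groups and compare that with who is supposed to. The script below is an added example, not code from the original post or from the studio in the story. It assumes a hypothetical `CORP` domain and hypothetical allow-lists of expected members; edit those to match your own environment. It uses only the standard `Get-LocalGroupMember` cmdlet and, where the RSAT ActiveDirectory module is installed, `Get-ADGroupMember` with recursion so a user hidden inside a nested group is not missed.

```powershell
# Added example (not from the original post): audit who actually holds admin rights.
# Assumptions (hypothetical): the CORP domain and the allow-lists below are the
# accounts that SHOULD be there. Requires Windows PowerShell 5.1+ for
# Get-LocalGroupMember; the ActiveDirectory RSAT module for the domain checks
# (those are skipped if the module is not installed).

$ExpectedLocalAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')  # hypothetical
$ExpectedDomain = @{                                                                # hypothetical
    'Domain Admins'     = @('CORP\da-jsmith', 'CORP\da-breakglass')
    'Enterprise Admins' = @()          # should be empty outside of a forest change
    'Schema Admins'     = @()          # should be empty outside of a schema change
    'Administrators'    = @('CORP\da-jsmith')   # the domain's builtin Administrators group
}

function Compare-Membership {
    param([string]$GroupLabel, [string[]]$Actual, [string[]]$Expected)
    $unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
    $missing    = @($Expected | Where-Object { $_ -notin $Actual })
    [pscustomobject]@{
        Group      = $GroupLabel
        Count      = @($Actual).Count
        Unexpected = ($unexpected -join ', ')
        Missing    = ($missing -join ', ')
    }
}

$results = @()

# 1. Local Administrators on this machine. "Everyone is an admin" usually shows up
#    here first: Domain Users, Authenticated Users or individual staff accounts.
$local = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$results += Compare-Membership -GroupLabel "$env:COMPUTERNAME\Administrators" `
                               -Actual $local -Expected $ExpectedLocalAdmins

# 2. Domain-level groups, expanded recursively so nested group membership is
#    flattened to the real user accounts. Enterprise/Schema Admins only exist in
#    the forest root, so a lookup failure is reported rather than treated as empty.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = (Get-ADDomain).NetBIOSName
    foreach ($g in $ExpectedDomain.Keys) {
        try {
            $members = @(Get-ADGroupMember -Identity $g -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { "$domain\$($_.SamAccountName)" })
            $results += Compare-Membership -GroupLabel "$domain\$g" `
                                           -Actual $members -Expected $ExpectedDomain[$g]
        } catch {
            Write-Warning "Could not enumerate ${domain}\${g}: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so this can gate a scheduled task or a build job.
if ($results | Where-Object { $_.Unexpected -ne '' }) { exit 1 }
```

Run it from an account that can read group membership but is not itself a domain admin; the point is to spot the `Unexpected` column filling up with `Domain Users` or individual staff, and to catch the “temporary” additions nobody removed. Pair it with a scheduled run so the list is checked weekly rather than once.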
No brag, but I once stopped a ransomware attack by pulling the power on the network router. It was a bit of a gamble, as if the software had already infected the inside of the network that would have made no difference, but it stopped: the attack had come from outside, possibly via a website.
The PCs were protected but not the server. I was sat in front of the server as printers printed out junk (another sign of a hack) and files on the screen in front of me were being encrypted in real time.
In that, and pretty much every other instance of this I’ve been involved with, we did what we always do.
Wipe the lot and start again. No ransom. No cooperation. Close the blast doors and purge it all. Restore from backup. Worst case, you’re back online in a day or two and you owe your sysadmins some overtime.
Build your networks to be resilient, safe, secure and able to restore fully from an air-gapped backup if you know what’s good for you! “Air-gapped” means a copy the compromised domain’s credentials cannot reach (offline media or storage that is immutable for the retention period), and a backup only counts once you have actually restored from it and checked the files, not just seen the job report “success”.
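A restore drill is the check that turns “we have backups” into “we can restore”. The script below is an added example, not the original post’s code or any vendor’s tool. It deliberately does not touch real backups: it builds a constructed data set in a temp folder, “backs it up” to a zip, writes a SHA-256 manifest (which in practice is stored alongside the offline copy, not on the production network), restores into a scratch folder and checks every file against the manifest. File names and contents are constructed for the example; swap the zip step for your real backup product and keep the manifest comparison.

```powershell
# Added example (not from the original post): a restore drill you can run on a
# schedule. The "production" data, the zip backup and the paths are all constructed
# here; in real use the manifest lives with the air-gapped copy.

$ErrorActionPreference = 'Stop'
$work     = Join-Path ([IO.Path]::GetTempPath()) ("restore-drill-" + [guid]::NewGuid())
$source   = Join-Path $work 'source'
$restore  = Join-Path $work 'restore'
$zip      = Join-Path $work 'backup.zip'
$manifest = Join-Path $work 'manifest.sha256'
New-Item -ItemType Directory -Path $source, $restore | Out-Null

# Constructed "production" data (hypothetical content).
Set-Content -Path (Join-Path $source 'accounts.csv') -Value "id,name`n1,alice`n2,bob"
Set-Content -Path (Join-Path $source 'config.ini')   -Value "[db]`nhost=db01"

function New-Manifest ([string]$Root) {
    # Relative path + SHA-256 for every file. Comparing content hashes rather than
    # sizes or timestamps is what catches a backup that was itself encrypted,
    # truncated or silently skipped a file.
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\', '/')
        "$((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash) $rel"
    }
}

# Backup plus manifest. The manifest is written at backup time, so a later
# restore is judged against what the data looked like before any incident.
Compress-Archive -Path (Join-Path $source '*') -DestinationPath $zip
New-Manifest $source | Set-Content -Path $manifest

# --- later, on a clean machine: restore into a scratch location and verify ---
Expand-Archive -Path $zip -DestinationPath $restore

$expected = @{}
Get-Content $manifest | ForEach-Object { $h, $p = $_ -split ' ', 2; $expected[$p] = $h }
$actual = @{}
New-Manifest $restore | ForEach-Object { $h, $p = $_ -split ' ', 2; $actual[$p] = $h }

$failures = @()
foreach ($p in $expected.Keys) {
    if (-not $actual.ContainsKey($p))      { $failures += "missing after restore: $p" }
    elseif ($actual[$p] -ne $expected[$p]) { $failures += "hash mismatch: $p" }
}
foreach ($p in $actual.Keys) {
    if (-not $expected.ContainsKey($p))    { $failures += "unexpected file in restore: $p" }
}

Remove-Item -Recurse -Force $work
if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
"Restore drill OK: $($expected.Count) files verified"
```

The drill fails loudly on three things: a file missing from the restore, a file whose content differs from the manifest, and an extra file that was never backed up. Run it against a copy of the real backup on a machine that is not joined to the production domain, so the test also proves the restore does not depend on credentials an attacker with domain admin would already hold.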
As for what, where and when: of course I can make some recommendations, you knew I’d be able to. Reach out and I’m happy to offer any help I can!