Insurance Edge caught up with Tom Bennett from CFC Underwriting recently, who had some useful tips and advice regarding the Sodinokibi ransomware attacks on companies of all types. The key takeaway as they say in the USA? Get close to your Managed Service Providers and make sure they are following best practice when it comes to online security.
IE: We know there are lots of ransomware bugs out in cyberspace, what makes this Sodinokibi one particularly nasty?
TB: Smaller businesses don’t often have an in-house IT department, so if you’re using a Managed Service Provider (MSP) then you’re effectively outsourcing all kinds of everyday functions on your infrastructure. This latest ransomware virus looks for weak spots within those third-party suppliers, not your own business. So, let’s say your MSP had several admins, each with very guessable passwords or with passwords exposed in a previous breach. Those passwords can be leveraged to log in remotely, and that’s often how Sodinokibi gets in.
IE: Does this virus simply stop your computers from working, or do they work, but you lose control of them?
TB: Once in – and this usually happens out of office hours when nobody is watching – then your crucial documents and files can be locked, plus you may find that other IT systems such as e-mail are not working. When you arrive next morning, you typically find a text file on screen asking you to get in touch and arrange payment to restore your files.
IE: We were hoping for a laughing V-for-Vendetta mask on screen, but still pretty scary for anyone suffering such an attack. How much is the typical ransom?
TB: It can vary, often depending on the company. We’ve seen cases where ransomware threat actors have been performing reconnaissance on the network to estimate the size of the company and the number of computers or servers infected. They can then price accordingly along a large range, but up to some very large demands indeed.
IE: OK, let’s say we are looking to defend ourselves from these chancers – what are the best tactics?
TB: The thing to remember is that this isn’t always an email phishing attack leading to someone opening a dodgy attachment. The incidents we’ve seen have been directly attacking networks through admin passwords. So, the key steps are first to make sure your local admin passwords are very difficult to guess. You don’t have to change them every 90 days. In fact research suggests that doing so tends to make them weaker as people struggle to recall complex passwords. Limit the admin user count too – always a good idea.
Next, get in touch with your MSP because they also need to have a very intricate password set up for the system when they connect remotely. It’s a good idea to suggest that they use a two-step verification method for admins, with a code texted to a phone or supplied through a mobile app, so that just guessing a password doesn’t give attackers the keys to the kingdom.
IE: Is there a particular country of origin on this one, or is it a global problem?
TB: It’s potentially going to affect any MSP, no matter where they are based. We’ve seen attacks in North America as well as across Europe.
One other thing that we have noticed is that a small number of Sodinokibi cases in Germany are being spread via an emailed Word document, which appears to originate from the BSI email address. The BSI are the official German cyber security organisation, so it has fooled some companies over there as the email being used looks genuine. To defend against this, strong spam filters, updated antivirus and employee phishing training are all key.
IE: Tom, good advice, thanks for your time.