After two days of suspending services, business support service provider ISS conceded that it faced a cyber-attack.
“On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident,” said a message displayed on the company website.
“The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised,” it added.
The websites of the company, which employs half a million people worldwide, have been down since 17 February. As of 20 February, 43,000 of the group's employees, including 4,000 in the UK, still had no access to their email, ThisWeekinFM reported.
ISS is yet to confirm the origin or perpetrators of the attack, but a BBC report has attributed the incident to ransomware. The attack on ISS comes weeks after ransomware brought down Travelex and Gedia Automotive Group.
“When Travelex suffered the breach, the leadership was widely criticised for a slow response. That criticism was coming from pundits without specific knowledge of the incident,” commented Sam Curry, chief security officer at Cybereason.
“Organisations today need to take a much more proactive approach to cyber-hygiene by actively hunting for anomalies in their networks. Preventing, detecting and responding to incidents has to be highest on the list of steps being taken to minimise and reduce high impact breaches.”
While the victim organisations and regulatory authorities are usually left to do the firefighting after an attack, security researchers often manage to decipher the workings of ransomware.
The security team at Dutch telecommunications player KPN recently managed to intercept the communications between REvil-infected computers and the REvil ransomware's command-and-control (C&C) servers. The operators of REvil (Sodinokibi) ransomware run a ransomware-as-a-service (RaaS) campaign, where they rent the malware strain to other criminal groups.
“Ransomware attacks are becoming more sophisticated, organised and thus incredibly dangerous in terms of financial losses. Usage of cryptocurrencies makes criminals virtually untraceable, spurring a rapid proliferation of the ransomware ecosystem,” noted Ekaterina Khrustaleva, COO of web security company ImmuniWeb.
The best defence against ransomware is a robust business continuity plan, which includes regular backups, version control and thorough testing of disaster recovery procedures, noted Stuart Sharp, VP of solution engineering at OneLogin.
“Companies that leverage cloud-based storage and automatic syncing from endpoint devices will be well-placed to recover from such attacks, but they should practise the recovery procedure to minimise downtime if an attack does occur.”
“Holistic visibility and inventory of digital assets is a wise starting point, as you cannot protect what you cannot see. The human factor is also pivotal, capable of undermining the integrity of technical efforts, so organisations need to consider investing in continuous cyber-security training,” suggested Khrustaleva.
Companies can better protect themselves by following some basic, standard tactics such as good and regular backups, good endpoint protection, user awareness of phishing attacks and maximum visibility of their infrastructure and users' behaviour so that issues can be identified, said Peter Draper, technical director EMEA at Gurucul.