The weak link in a rusty chain

A company’s business stalls because of a cryptor. The head of IT dept is to solve the problem. But “solving” this time doesn’t mean just “restoring the data”.

A company’s business stalls because of a cryptor. The affected documents are customer agreements, accounting records, and, most troubling, the annual financial report. Essentially, most data can be restored, but it’s going to take time and resources. The head of the IT department is charged with assessing the situation, solving the problem, and reporting results to the board. By and large, her report will define the measures to be taken and identify those responsible for the incident.

Strictly speaking, there was no need for an in-depth investigation. The scheme was simple: Almost all of the company’s employees with publicly accessible addresses received an e-mail with the subject line “Urgent! Relay to the accounting department!” The body of the message contained threats of large fines to be imposed for failing to submit certain tax papers on time, and the attachment ostensibly incorporated a list of those documents. Naturally, several compassionate souls forwarded the letter to the head of accounting, who opened the attachment.

Company profile
Name: CJSC “Neutrino”
Staff: 290 employees
Business: Electronic components supply
The company was founded about 15 years ago as a local branch of a major international manufacturer, but 6 years later it became an integrated supplier of electronic components. Over time, the company has grown into a permanent partner of many organizations, both commercial and government. The company also works with representatives of the military-industrial complex.

The chief accountant’s computer had a security solution installed, although some of its functions were apparently disabled. The company’s CEO directly granted local administrator privileges to the chief accountant, and he was free to disable subsystems that he considered unnecessary.

The criminals are now demanding ransom. The sum is not exactly formidable, and the company won’t go broke if it pays. But there’s no guarantee that paying will help — and anyway, no one is really fond of being manipulated by criminals. Moreover, the IT director reasonably supposes that if the company pays, the sum of the ransom money will be deducted from her department’s budget.

Which question is more important to answer: “Who is guilty?” or “What must be done?”

Actually the IT director faces a few choices. The incident may be explained by the shortcomings of the existing security system (antivirus was installed, but it failed to prevent the encryption), by acknowledging one’s own mistakes (as the director of IT, she is responsible for the security of the company’s information), or by blaming other people.

In short, the IT director’s options are one or more of the following:

  • report that the infection happened because the chief accountant disabled subsystems of the security solution;
  • blame the general lack of attention and awareness of employees who forwarded and opened the infected letter;
  • admit her own blunder and suggest reorganizing security policies;
  • use the situation as an argument for increasing the IT budget to implement advanced security solutions.

The company has to solve the most urgent problem first: deciding whether to pay the ransom. Then, it’s time to look at what happened, and how to prevent it from happening again.

At first sight

You don’t need to be an expert to see that regardless of who is at fault, the company’s employees overall do not have sufficient skills to counter — or even avoid — modern threats. Actually the scenario we presented is not unrealistic or even unusual. Observing modern companies unrelated to the cybersecurity market, we have found that about 30% of their employees are prone to falling for such tricks, even if their IT department regularly reminds them about dangers and threats.

Therefore, what the staff actually needs is not another informational lecture, but practical training classes. Such training can reduce the number of successful infiltrations by 90% to 95%, with the share of users who can be tricked typically falling to less than 2%. Moreover, acquiring the necessary skills doesn’t take much time, provided that the trainers know how to organize the classes.

In addition, in our example, the malware was sent to all employees. As a rule, spammers use e-mail address databases for mass mailings. It is unlikely that addresses of multiple employees accidentally got on the same list. This is either a database leak or evidence that the addresses were carefully picked by someone. So it is worth considering whether the ransomware might have been a diversion, in which case a large-scale attack might be on the horizon.

Experts’ comments:

Greg Dabney, analyst
Of course, the company’s employees who forwarded that message were careless. Tax agencies don’t send e-mail blasts to staff about accounting department paperwork. But actually, people should be aware that such letters might come. Every employee needs to know about current threats, and the company’s IT department has to ensure that everybody understands the danger. So I think the correct option is suggesting reorganization. Someone should commit to giving regular lectures on information security and telling everyone about the latest threats.

I’m not sure about the ransom, because you need to carefully analyze the situation for any potential losses. If the data can be restored and the damage is mild then there is no need to pay. But if the lost documents prevent the company from meeting its obligations by failing partners or customers, you should take possible reputation loss into account. Then paying the ransom may be the only way.

Yuri Mironov, system administrator
You can’t blame IT specialists alone. If one person is responsible for every information security incident, that person must also have the appropriate authority. If some employees can simply change the settings of security products without letting IT people know, then no one should blame administrators. If there is a real business demand for giving such privileges, either that employee should have to sign a statement accepting all responsibility for his or her actions, or you need to consider the risks of such error. As for my experience, there’s generally no need for this.

And I am convinced about not paying the ransom. First, hackers aren’t bound to give the key even after getting their money. Second, data can be restored. Yes, at some expense, but repairing mistakes is rarely free. And third, if we pay money to extortionists, we sponsor further campaigns of encrypting malware. I don’t recommend it.

Slava Borilin, security education program manager, Kaspersky Lab.
There’s no use talking about fault. In this situation, none of the actors of the drama bears all of the responsibility — neither the ones who forwarded the letter nor the CEO. These days, information security concerns everyone from IT staff to janitors.

However, an IT department isn’t always up to the task of informing colleagues about threats. IT staff have immediate duties to fulfill, and education requires special skills and expertise. It is unwise to assume that if you gather people in a room twice a year to tell them that cybersecurity is terribly important, they will learn to be careful. Moreover, you can’t speak at the same level with all people.

We believe that professionals should do it — trained professionals who have honed approaches for different groups of employees and the ability not just to talk but to teach. Pros who have their own programs for each level of the company’s organizational structure.

Speaking about the ransom, you should first find out if there is any possibility of decryption. Some cryptors that claimed to possess strong, uncrackable keys have been deciphered anyway. And there are public free tools that may help. You can start by looking for them on this site. If you are not lucky enough to find a decryption tool, assess the situation calmly and thoroughly — but ultimately, our company doesn’t recommend paying.