This has not been a great summer so far, in terms of the impacts of ransomware and phishing attacks on companies. The most recent high-profile victims, Twitter, Blackbaud and Garmin, present a stark reminder of the risk.
In the case of Twitter, you may have seen the news reports that the Twitter accounts of several well-known celebrities and politicians were used to send out spurious tweets. The breach of Twitter’s system was identified relatively quickly and control of the accounts was restored to their rightful owners. What was concerning about this particular attack is that the account owners were not hacked; Twitter itself was compromised.
The compromise was the result of a targeted phishing attack on a Twitter employee who provided administrative access credentials to the hacker who was emailing them. The hacker posed as a legitimate Twitter employee and tricked the targeted employee into providing them with elevated access. This access allowed them to take over the accounts and send tweets as those individuals. This is a pointed and stark reminder that we, the people who use computers, are the last line of defense. When even a highly trained technical employee can be tricked by a targeted phishing campaign, it should underscore for everyone how critical the threat is. You must verify who you are communicating with before you divulge any sensitive information, click on links or open attachments. A quick phone call to verify the request would have prevented a compromise like this.
In the case of Blackbaud and Garmin, both were hit by ransomware attacks that encrypted their systems and made them unusable. Both companies have reportedly paid the hackers ransom in order to regain control of their systems. These attacks are also likely the result of targeted phishing that tricked a user into clicking a link or opening a file that injected the ransomware onto the network to do its damage.
In the case of Blackbaud, the company admitted to paying the hacker the demanded ransom. What concerns me is the statement that Blackbaud released. In it, the company said “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.” There are two very worrisome parts to this statement. The first is that they admitted knowing that the hacker removed some data from their network. That’s not typical for a ransomware attack, so this implies something a bit more nefarious. Worse, the company paid the ransom after the hacker “promised” to destroy what they had taken. I don’t know about you, but would you trust a hacker’s “promise”? I wouldn’t.
In the Garmin case, the company’s customer-facing services were taken down. This lasted for a few days and not only affected Garmin’s fitness services but also impacted their flight planning tools for their aircraft systems. That could have had serious implications, but fortunately did not. While Garmin has not said that they directly paid the ransom demand, the company’s statement strongly implies that a payment may have been made on their behalf by a third party.
What I find most troubling in the Blackbaud and Garmin cases is that backup solutions exist that should have allowed the companies to recover their systems without paying the ransom. This implies that they did not have proper protections in place to secure their systems against this type of threat. In today’s world, companies need to make the right investments in the right technologies to protect themselves against threats like this.
If your business was hit by targeted phishing and/or ransomware, are you confident in your ability to quickly recover without having to pay a ransom? Be sure you are talking with your IT team or partner about this. You’ll be glad you did.
MJ Shoer is an IT consultant based in Portsmouth, NH. He provides coaching & content development, partner program & technology stack management, Office 365 optimization, realistic cybersecurity and virtual CTO services to his clients. He maintains a blog about IT at www.mjshoer.com/blog and may be reached at firstname.lastname@example.org.