Cybersecurity 101: Above all else, obfuscate the enemy
So far, one of the main solution to our files being held hostage by ransomware, is to have good, reliable backups of those files. But, what happens if even that backup data, is encrypted?
Apparently, this is what that has happened to a very huge, local conglomerate on September 8th, 2017.
According to sources close to the matter, the reason why this new Dharma ransomware variant; possibly Cezar; is proving to be disastrous, isn’t because it has encrypted a rumoured over 50 out of 60 servers; possibly the whole SAP supply chain environment of that company; but because even backups of the data, has been encrypted!
At first glance, there is absolutely no way of recovering data from this attack, other than to a) pay the ransom or b) pay the ransom.
It is also rumoured that the company, which shall remain unnamed, was asked to pay half a million ringgit in bitcoins, to have a very critical file for their SAP system, decrypted.
There are no updates, as to whether this was paid, or whether that critical file; or any other file; was decrypted.
What now? Possible scenarios
While the general reaction from the industry has been, “How can the backup data also be encrypted??” it is also empathising with this company’s plight, and a few have even tried to offer up helpful suggestions.
One experienced IT head, Alain Boey, opined, “If all documents in the system and machines are integrated to run automatically, when the system goes down, the whole supply chain will be impacted.”
He also observed, “The retail side of the business could still function with existing supply of stocks. But retail won’t be able to reorder, or perhaps receive the goods. It all depends… whether the retail side has its own backup copies.”
Yet another who wants to remain anonymous, theorised, “They could explore getting a hacker or other ways to decrypt.”
He added, “If the backup data is encrypted, they need to assemble a crisis team to look at (probably in parallel), how to stop the bleeding, prepare communications, and prepare workaround plans.”
At the same time, there should be a contingency budget to get a technical team and other resources to “reconstruct” or focus on restoring “critical functions” first, he also said.
He also raised the possibility of hardcopies or softcopies in somebody’s laptop, which could help a little.
“If this is not possible, and it is indeed ground zero, then that is where they need to work from.”
How does backup data get encrypted?
Two popular opinions to avoid the pain of supply chain data being unusable, are:
1) there should be offsite backups of the data. In other words, keep it away from production systems and production data.
2) Network segmentation can be explored to create further obfuscation for the enemy. Don’t make it easy for them, with a flat network architecture, for example.
3) Have disaster recovery plan in place, to revert to a manual process, or to use less automated tools like Microsoft Excel or Microsoft Word.
The dreaded Dharma
To date, there is no news about how the company is tackling the issue, but as far as this journalist can tell, they are continuing with business operations manually.
Dharma first came into the limelight last November, and when its decryption software was leaked, it seemed to be the end of the virus.
But variants of the virus (ie. Arena, .onion, Wallet, Zzzzz etc) were spotted soon after, and there are reports that this virus can be removed with tools like Reimage, although they do not specify yet, exactly which variants can be removed.
Using your computer while it is still infected with ransomware, could result in more files being encrypted, every time the system reboots.