How to detect and successfully avoid ransomware attacks
The number of cyberattacks is increasing, and so is the importance of countermeasures. Public institutions and companies in the machine and plant engineering industry are particularly exposed to ransomware. Such malicious software encrypts important files or blocks entire systems. The victims usually regain access only after paying a considerable ransom ‒ and payment does not guarantee that the attackers hand over a working decryption key. A recent survey by Sophos, a cybersecurity vendor, reveals that 46% of organizations worldwide whose data was encrypted in a ransomware attack paid the ransom in 2021 ‒ with an unknown outcome.
However, the ransom payment is not the only damage caused by ransomware attacks. Long downtimes ‒ up to six weeks in the cases analysed here ‒ cost the company a lot of money too. According to Bitkom, cyberattacks caused an estimated 223.5 billion euros of damage to the German economy in 2021.
Detect and avoid ransomware attacks
How can companies identify a ransomware attack?
Analyses of ransomware attacks in the mechanical and plant engineering sector have shown that companies are infiltrated with the malware in a targeted way. Generic phishing mails play a minor role in these cases. More commonly, the attackers reply to e-mails that employees themselves have sent, so the replies are not considered suspicious at first. Following the Trojan horse strategy, the attackers first compromise companies in the supply chain and use that access to spy on the manufacturing companies. They can exfiltrate data for weeks without anyone noticing. By the time the attackers finally lock the systems, most of the damage has already been done.
If you suspect a cyberattack, first establish whether it is a routine incident (a virus, a phishing mail) or an emergency in the sense of a ransomware attack. Once you can no longer access your data and systems, it is certainly the latter. But there are clues before that happens. For example, files may appear on desktops or on the file server that nobody in the company put there, or the same unfamiliar file extension may show up on documents in several folders at once. Often, ransom notes carrying the phrase "What happened?" turn up on network printers before the systems are actually encrypted.
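The clues above can be checked mechanically. The following script is an added example, not code from the original article: it walks a file share looking for small files whose name or text reads like a ransom note, and for an extension the company does not normally use that suddenly appears on many files across several directories (the footprint of an encryption run that is still in progress). The ransom-note phrases, the list of "known" extensions and the sample share it builds in a temporary directory are all constructed assumptions; adapt them to your own environment.

```python
"""Scan a file share for early ransomware indicators (added example).

This is not code from the original article. It checks for the two clues the
article names, ransom-note files such as "What happened?" documents and files
that nobody in the company stored, plus a closely related signal: many files
in several directories that suddenly carry the same unknown extension, which
is what a mass-encryption run leaves behind. The phrase list, the set of
"known" extensions and the sample tree below are all constructed assumptions.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Phrases commonly seen in ransom notes (constructed list, extend as needed).
NOTE_PATTERN = re.compile(
    r"what[ _-]?happened|your files (have been|are) encrypted|decrypt", re.I)
# Extensions this (hypothetical) company legitimately stores on its share.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".dwg", ".csv", ".xml"}
MAX_NOTE_SIZE = 64 * 1024  # ransom notes are small text files


def scan_tree(root, min_files=5, min_dirs=2):
    """Return ransom-note candidates and unknown extensions spread across the tree."""
    root = Path(root)
    notes = []
    parents_by_ext = defaultdict(list)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Clue 1: a small file whose name or text reads like a ransom note.
        if path.stat().st_size <= MAX_NOTE_SIZE:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                text = ""
            if NOTE_PATTERN.search(path.name) or NOTE_PATTERN.search(text):
                notes.append(rel)
                continue
        # Clue 2: remember where every file with an unknown extension lives.
        ext = path.suffix.lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            parents_by_ext[ext].append(path.parent)
    # An unknown extension on many files in several directories is the
    # footprint of an encryption run, not of a single user's stray file.
    spreading = {
        ext: len(parents) for ext, parents in parents_by_ext.items()
        if len(parents) >= min_files and len(set(parents)) >= min_dirs
    }
    return {"ransom_notes": sorted(notes), "suspicious_extensions": spreading}


def build_sample_share(base):
    """Construct a small file share with an encryption run in progress (sample data)."""
    base = Path(base)
    for i in range(3):
        project = base / "projects" / f"plant-{i}"
        project.mkdir(parents=True)
        (project / "layout.dwg").write_bytes(b"AC1032")          # not yet touched
        for name in ("offer.xlsx", "contract.pdf"):              # already encrypted
            (project / f"{name}.lockd").write_bytes(b"\x00\xff" * 16)
    desktop = base / "Desktop"
    desktop.mkdir()
    (desktop / "notes.txt").write_text("Meeting notes for Monday")
    (desktop / "WHAT_HAPPENED.txt").write_text(
        "What happened? Your files have been encrypted. Contact us to decrypt.")


def demo():
    """Build the sample share in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run against a real share, the interesting output is not a single hit but the combination: a ransom note plus one extension spreading across project folders means encryption is under way and the response steps described further down apply immediately. Tune `min_files` and `min_dirs` so that a single user's odd file does not trigger an alert.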
How can you protect yourself?
For starters: you can't rule ransomware attacks out entirely. Today, more than 20 professional criminal groups exist whose sole business is attacking companies. But everyone in the company can help reduce the damage they cause.
Top three measures:
- Avoid or limit direct external access to the company network (VPN, RDP, Citrix), and never expose RDP directly to the internet
- Two-factor or multi-factor authentication for all accounts, e.g. password plus a one-time code (an authenticator app or hardware token is preferable to SMS, which can be intercepted or redirected)
- Turn off all programs, services and functions that are not needed, and install patches regularly
If you do fall victim to a ransomware attack: stay calm and react swiftly! Ideally, companies follow their emergency plan, but quite often they don't have one. Interestingly, the attackers are often just as unprepared as their victims. Since most ransomware attacks are operated manually, the attackers are frequently still on the system and can be observed in turn.
The next three measures for companies:
- Block all external access
- Shut down the network
- Isolate and protect key systems
If there is enough time and staff, you should establish a task force with people from different departments.
- They can then set up alternative communication channels, for example through messengers.
- In addition, the most important phone numbers, at least those from the IT department, should be available outside the system.
- The next step is to inform all employees. This can be a real challenge if they work from home, because they probably won't be able to access their e-mail without a VPN connection.
- Companies that have fallen victim to a ransomware attack should not try to communicate with the attackers.
- They should instead involve a professional service provider who can advise them and help recover data and systems.
The Federal Office for Information Security (BSI) has published IT baseline protection catalogs (IT-Grundschutz), compilations of measures intended to guide affected organizations. However, these recommendations have to be mapped to the specific software products a company actually runs.
Cybersecurity in the mechanical and plant engineering industry
The mechanical and plant engineering industry is an attractive target for attackers and therefore requires special protection, not only against ransomware. Small and large companies alike are exposed to this threat, even those with a security background. Without appropriate security measures, cyberattacks don't just harm individual companies but the whole industry.
Two challenges are at the center of interest here:
- The lifecycle of machines and plants is quite different from that of software.
While machines stay in use for up to 30 years, software is usually outdated after just a few months and needs regular patches and updates to remain safe to use. Companies should make sure that their digitalization, and with it their cybersecurity, keeps pace with the plants and systems in operation.
- Supply chains are a common target for cyberattacks.
As manufacturing companies often supply components to critical infrastructure, they can be used as a vehicle to attack its operators. For instance, a weakness in a shared assembly can affect otherwise unrelated systems that all use it.
The Industrial Security Competence Center of the VDMA (German Mechanical Engineering Industry Association) has analyzed the complex issue of ransomware and cybersecurity and derived 15 must-dos for companies in the mechanical and plant engineering industry. The top four are:
- Offer cybersecurity training for employees and the management to continuously raise their awareness.
- Define a concept for administrator and other privileged accounts, as these are the accounts attackers target.
- Segment your networks, for example with firewalls that isolate individual areas from each other, so that an attack cannot spread across the whole company.
- Regularly test that your systems can actually be restored from backup, and keep at least one backup copy offline or otherwise out of reach of an attacker who controls the network.
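"Check if your system can be recovered" is only meaningful as a drill that actually restores something and compares the result with what was backed up. The script below is an added example, not code from the article or the VDMA: it records a SHA-256 manifest of the source files at backup time, restores the backup into a scratch directory and reports every missing or altered file. The backup "transport" is a plain directory copy so it runs offline; `make_backup` and `restore_backup` are hypothetical stand-ins for calls to your real backup tool, and the file server tree it builds is constructed sample data.

```python
"""Restore drill: prove a backup can actually be brought back (added example).

Not code from the article or the VDMA. The idea: record a SHA-256 manifest of
the source files when the backup is taken, keep that manifest outside the
backup, restore the backup into a scratch directory and compare every file.
A restore that misses files or returns different bytes (for example because
the backup itself was encrypted or tampered with) fails the drill. The backup
"transport" is a plain directory copy so the script runs offline; replace
make_backup/restore_backup with calls to your real backup tool. All paths and
sample files are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source, backup_dir):
    """Copy source to backup_dir and return the manifest taken at backup time."""
    shutil.copytree(source, backup_dir)
    return manifest(source)


def restore_backup(backup_dir, target):
    """Restore into a scratch directory, never over the production tree."""
    shutil.copytree(backup_dir, target)


def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    extra = sorted(set(actual) - set(expected))
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "extra": extra}


def restore_drill(corrupt_backup=False):
    """Run one full drill on a constructed file server tree.

    With corrupt_backup=True one backed-up file is overwritten, simulating a
    backup that the attackers reached and encrypted before anyone tested it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = (Path(tmp, d) for d in ("fileserver", "backup", "restore"))
        (src / "projects").mkdir(parents=True)
        (src / "projects" / "plc-program.xml").write_text("<plc version='1'/>")
        (src / "projects" / "layout.dwg").write_bytes(b"AC1032")
        expected = make_backup(src, bak)
        if corrupt_backup:
            (bak / "projects" / "layout.dwg").write_bytes(b"ENCRYPTED")
        restore_backup(bak, rst)
        return verify_restore(expected, rst)


if __name__ == "__main__":
    print("clean drill:", restore_drill())
    print("corrupted backup:", restore_drill(corrupt_backup=True))
```

The manifest is the important part: it must be stored where the attackers cannot rewrite it, otherwise an encrypted backup and a matching "encrypted" manifest would pass the comparison. Schedule the drill, not just the backup, and treat a failing drill as an incident.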
In a nutshell, companies and institutions have to work actively on their cybersecurity, but above all it's up to every individual to help prevent ransomware attacks.