This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.
It’s not unusual for one or two devices in an organisation to be infected with ransomware. Typically those devices are isolated from the network and all other machines are checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.
This incident immediately raises a number of questions:
- How did the organisation allow all machines to get infected?
- Did they have an incident response plan and did it include this scenario?
- Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
- Does the organisation have a standard build, and were the build states of all 500 devices known?
- If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
- What scanning of incoming attachments was carried out?
- What training have staff had in respect of phishing emails and incident response procedures?
From those questions, it is relatively easy to identify what good practice would be, e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.
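As an added illustration of two of the questions above (gap reporting against a standard build, and deciding which backups predate a dormant infection), here is a small script of my own; the device inventory, build name, dates and thresholds are all constructed sample values, not figures from the council’s incident.

```python
from datetime import date

# Constructed sample data (hypothetical), not from the real incident.
TODAY = date(2018, 9, 10)
STANDARD_BUILD = "gold-2018.08"          # assumed name of the approved image

DEVICES = [
    {"host": "pc-001", "build": "gold-2018.08", "last_patch": date(2018, 9, 5), "av_sigs": date(2018, 9, 9)},
    {"host": "pc-002", "build": "gold-2017.11", "last_patch": date(2018, 4, 20), "av_sigs": date(2018, 9, 9)},
    {"host": "srv-01", "build": "gold-2018.08", "last_patch": date(2018, 9, 1), "av_sigs": date(2018, 7, 2)},
    {"host": "pc-003", "build": None, "last_patch": None, "av_sigs": None},   # never reported in
]


def find_gaps(devices, today=TODAY, max_patch_age=30, max_sig_age=3):
    """Return {host: [reasons]} for every device that deviates from the regime.

    A device with no record at all is reported rather than silently skipped:
    an unknown build state is itself a gap.
    """
    gaps = {}
    for d in devices:
        reasons = []
        if d["build"] != STANDARD_BUILD:
            reasons.append("unknown build" if d["build"] is None else f"non-standard build {d['build']}")
        if d["last_patch"] is None or (today - d["last_patch"]).days > max_patch_age:
            reasons.append("patching overdue")
        if d["av_sigs"] is None or (today - d["av_sigs"]).days > max_sig_age:
            reasons.append("antivirus signatures stale")
        if reasons:
            gaps[d["host"]] = reasons
    return gaps


# Backup sets, oldest first (constructed dates).
BACKUPS = [date(2018, 4, 28), date(2018, 5, 12), date(2018, 6, 30), date(2018, 9, 1)]


def trusted_backups(backups, earliest_compromise):
    """Only sets taken before the earliest suspected dormancy date are restore
    candidates; later sets may carry the dormant payload and need scanning first."""
    return sorted(b for b in backups if b < earliest_compromise)


if __name__ == "__main__":
    for host, reasons in find_gaps(DEVICES).items():
        print(host, "->", ", ".join(reasons))
    print("restore candidates:", trusted_backups(BACKUPS, date(2018, 5, 1)))
```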