What is ransomware?

For the blissfully unaware, ransomware is a type of cyberattack whereby the attacker encrypts the files on a victim’s machine or across the network and then demands a ransom before they will be decrypted and access is restored, or so they hope. Sometimes the hacker will even threaten to sell or disclose the stolen data unless a ransom is paid.

But regardless of any ransom being paid or not, when an organization falls victim to a successful ransomware attack, the simple fact that the incident occurred in the first place constitutes a major security breach.

Ransomware hackers are not limiting themselves to targeting smaller companies. They’re also successfully attacking established businesses and going after major brands like Travelex and Garmin. The recent attacks on these companies have exposed dangerous gaps in security practices, which with the right processes in place, could have been prevented.

What happened during the Travelex and Garmin ransomware attacks?

Travelex, a well-known foreign exchange company headquartered in London, was targeted by a sophisticated attack in December 2019 and lasted until the end of January 2020, shutting down their operations completely.

The company has explained that the attack came from the “REvil” ransomware gang who used “Sodinokibi” ransomware to encrypt the data. The cybercriminals then threatened to auction off the sensitive stolen data on the Dark Web. The public was notified of the data breach a week after the attack happened.

It has been suggested that the attack was able to happen because of repeated failures to patch its Pulse Secure VPN servers.

The damage to the company was huge. The attackers demanded $6 million to restore access and data, and to stop the sale of the data. It has been reported that Travelex paid the hackers a ransom of $2.3 million to regain access to their data, with other reports claiming as much as $6 million. This month, the company went into administration.

On July 23rd, Garmin, one of the most well known wearable fitness product companies in the world, fell victim to a similar ransomware attack, thought to have been initiated by ‘Evil Corp’, a Russian cybercrime gang.

The successful ransomware attack took down their call centres, products, apps, and websites for 5 days. On July 27th, Garmin confirmed that the disruption of their services was due to a ransomware attack known as “WastedLocker”.  Whilst it has been reported that the fitness brand paid millions in dollars to restore their data, Garmin has yet to confirm that the ransom payment has been made.

The most unfortunate factor of these security breaches is that these attacks could have been easily prevented, and there are lessons to be learned for every company.

Lessons to learn from the Travelex and Garmin ransomware attacks

1. Create a Business Continuity Plan

Business Continuity Plans (BCP) need to be built into every organization and it falls to every major stakeholder of an organization to drive a campaign to create an effective business continuity plan and keep it updated.

In the event of an attack, it’s too late to start assembling a response team and formulating a plan of action. Every company needs to identify their key systems and resources and outline a plan to sustain critical business activities throughout a crisis like this.

And the approach to BCP needs to be even broader. Many companies approach their BCP on a system by system basis. In the case of the Garmin ransomware attack, almost everything that was used to communicate to the public and to staff was gone, including their website, customer support, applications, and company communications. At Travelex, staff took to pen and paper, exposing highly sensitive personal data to enormous risk.

How will your company respond if the same occurs? How will you communicate? It’s time to stop putting BCP on the long finger, or it could literally cost the company everything.

2. Data-First approach to cybersecurity

Data loss can lead to disastrous, and often irreparable, consequences for a company, its stakeholders, and its customers.

In a statement, Garmin has claimed that there has been no indication that customer data was accessed, lost or stolen and there are no reports to indicate that customer data has been leaked from the Travelex attack.

Cybercrime organizations know the value of this data, particularly customer data, and they are targeting it. The number of these attacks is increasing and are targeting companies of every size and industry.

The need for data security is more apparent now than it ever has been. Every company and organization needs to adopt a data-first approach to implementing cybersecurity policies to ensure they are specifically designed to secure their data. Rather than starting with technology and deploying new protection tools, assess every data workflow in the most granular detail, monitor its use and vulnerability, and then act accordingly with a prudent mix of technology and process. This way, you are fixing the problems that truly exist, and not working on the basis of assumption.

3. Educating users

Ransomware is nothing new, and neither is phishing or social engineering. All were used in the attack on Garmin. But the best IT security systems in the world can only provide so much protection from attacks like these – the rest is down to your users.

Employees need to be educated on how to identify and handle these attacks. Cyber gangs are continuously adapting and advancing their strategies, techniques and technologies and your employee education needs to follow suit in order to defend against them.

Lessons from cases like these need to be imparted, not just to IT staff and senior team members, but to all staff across the organization.

4. Apply updates and patches immediately

Failure in applying recommended security patches is what exposed Travelex to their hackers. They didn’t install a security patch for their VPN for over nine months and hadn’t updated a Windows machine for over two years. It was the solitary open door the hackers needed.

Every company needs to ensure that updates and patches are regularly installed, and that security patches are installed without delay.  

Who keeps all of your software up to date and ensures patches are applied correctly? How often is this done?

5. Communicate clearly and transparently

All organizations have a responsibility to keep customers informed in the event of a successful cyber attack. These situations can be fluid, and of course, there is a need to strike a balance between speed and accuracy of communication.

However, it’s imperative to provide your customers with a level of transparency and assurance that the incident is being dealt with. Anything else can and will damage your brand reputation far beyond the attack itself.

A trend is emerging

Garmin and Travelex are not standalone stories. Ransomware is impacting businesses of all sizes, plus governments and even hospitals – anyone whose data is precious to them. And the attacks are increasing in sophistication, and in the aggression of the subsequent blackmailing.

And they will continue to attack with impunity as long as organizations fail to act proactively, promptly and data-first.