Aebi Schmidt ransomware attack: what can be learnt?
A clear Cyber Incident Response Plan and maintaining frequent communication are critical, says Databarracks
In the wake of a reported ransomware attack on global manufacturing firm Aebi Schmidt, Peter Groucutt, managing director of Databarracks, outlines the steps a company should take when recovering from an incident, and the importance of maintaining clear communication throughout it:
“The details of the attack on Aebi Schmidt remain light at this stage, but early reports suggest it was severe, with systems for manufacturing operations left inaccessible. The manufacturing sector has recently seen a number of targeted ransomware attacks using a new breed of ransomware known as LockerGoga. Norwegian aluminium producer Norsk Hydro and French engineering firm Altran have been hit in Europe. In the US, chemicals company Hexion was also attacked. The reasoning for these targets is clear – paralysing the IT systems for these businesses has an immediate effect on their production output. That means significant losses, potentially millions of dollars per day. Unlike mass ransomware attacks that might net the attacker a few hundred pounds, the ransom is correspondingly higher.
“For organisations suffering an attack, having an effective Cyber Incident Response Plan in place is critical to your recovery.”
Groucutt explains, “Firstly, if you are hit by a ransomware attack, you have two options. You can either recover the information from a previous backup or pay the ransom. However, even if you pay the ransom, there is no guarantee you will actually get your data back, so the only way to be fully protected is to have historic backup copies of your data. When recovering from ransomware, your aims are to minimise both data loss and IT downtime. Defensive and preventative strategies are essential but outright prevention of ransomware is impossible. It is therefore vital to plan for how the organisation will act when compromised to reduce the impact of attacks.
“The Incident Response Team or Crisis Management Team must have the authority to make large-scale, operational decisions to take systems offline in order to limit the spread of infection. And they must be able to make that decision very quickly. Once the ransomware has been isolated and contained, in order to begin eradication and recovery you must find when the ransomware installation occurred in order to be able to restore clean data from before the infection took hold. Once the most recent clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.”
Groucutt continues, “Communication is critical during this process. Looking at the recent Norsk Hydro ransomware attack, the level of communication provided was outstanding. They were honest and transparent with frequent updates. It might not be necessary to give the complete story all at once (particularly as you’re unlikely to be in possession of all the facts), but sharing what you know is important. A lot can be learnt from Norsk Hydro’s example.
“Firstly, simply acknowledging the problem is vital to getting on the front foot for crisis communications. This helps maintain goodwill with customers and the public. It also takes pressure off the team to focus on handling the issue itself rather than fielding questions from all angles. Over time you can then provide more information. This might include:
- Details on which business units have been impacted
- Root cause of the incident
- Containment and the progression made on the restoration of IT systems
- What work-arounds you have in place to remain operational
- Expectations on when you can resume production
Critically, you should end each update with details of when the next updates can be expected.
“Providing this level of detail strengthens your position and confirms that – despite suffering an attack – you are very much in control. Norsk Hydro demonstrated this perfectly, showing the confidence it has in its Cyber Incident Response Plan. The result will likely mean, once the dust settles, its actions are likely to reduce the risk of heavy fines from regulators, limit reputational damage and even increase the likelihood of a pay-out from its cyber insurer.”
Groucutt concludes, “Clearly, Norsk Hydro learnt some valuable lessons from attacks on giants such as the NHS, DLA Piper, WPP and Maersk. As more information comes to light from the attack on Aebi Schmidt it will be interesting to see what lessons they have learnt from others too.”
Databarracks is the UK's specialist business continuity and IT disaster recovery provider. From the launch of the UK's first managed online backup services over 15 years ago, to our leading Disaster Recovery as a Service, we've been making enterprise-class continuity, security and resilience accessible for organisations of all sizes.