Ransomware Comprehensive Checklist for Singaporean Organizations
Ransomware attacks have become a pervasive threat, posing significant risks to both individuals and organisations. These malicious incidents have the potential to disrupt operations, compromise sensitive data, and inflict severe financial and reputational damage.
As the sophistication and frequency of ransomware attacks continue to escalate, it has become imperative for individuals and businesses to proactively prepare for such incidents and develop effective recovery strategies.
Amidst this growing threat landscape, real-world examples such as the Cognita Asia Holdings and Audio House ransomware breaches serve as stark reminders of the importance of robust cybersecurity measures.
In June 2021, Cognita Asia Holdings, an international independent schools group in Singapore, fell victim to a ransomware attack that impacted the servers of three of its schools. The breach resulted in the encryption of personal data belonging to over 1,200 individuals, comprising students and employees. Cognita promptly reported the incident to the Personal Data Protection Commission (PDPC), leading to internal investigations.
The investigation revealed that the threat actor gained entry through a compromised VPN session. Alarming vulnerabilities in Cognita’s security practices were exposed, as their VPN configuration only required a username and password for authentication, lacking reasonable password policies. Additionally, the organization failed to ensure proper data protection training for its staff, exacerbating the potential risks associated with the attack. As a consequence of breaching the Data Protection Obligation, Cognita faced a financial penalty of $26,000.
Similarly, on June 1, 2021, Audio House, an offline-to-online retail platform, reported a ransomware attack on its customer database, affecting approximately 98,000 individuals’ personal data, including names, addresses, email addresses, and telephone numbers. Investigations unveiled a vulnerability in the PHP files used to develop a web application on the website, exploited through an SQL injection attack. Interestingly, Audio House’s website was developed by a company engaged by their main IT vendor, but unfortunately, no contract or clear data protection requirements were stipulated with this company.
Furthermore, Audio House revealed that the vulnerabilities in the PHP files had existed since the website’s initial launch, despite conducting pre-launch tests. The failure to detect these vulnerabilities, coupled with the absence of vulnerability scanning and assessment, provided an opportunity for malicious actors to exploit the flaws. Consequently, the PDPC imposed a financial penalty of S$10,000 on Audio House for breaching the Protection Obligation under the PDPA.
These real-life scenarios underscore the urgent need for organisations to prioritise cybersecurity preparedness and compliance with data protection regulations. A robust cybersecurity posture, including multi-factor authentication, regular vulnerability assessments, data protection training, and clear contractual agreements with third-party vendors, can significantly reduce the risk of falling victim to ransomware attacks.
The prevalence of ransomware attacks remains a critical concern for individuals and organisations alike. The real-world examples of Cognita Asia Holdings and Audio House highlight the grave consequences that can arise from insufficient cybersecurity measures, especially if your organisation does not have a Data Protection Officer.
These incidents emphasise the urgent need for proactive steps, strict adherence to data protection regulations, and the implementation of effective recovery strategies to safeguard sensitive data and protect digital assets. It is clear that a comprehensive cybersecurity framework is not just a necessity but a crucial defence mechanism in the face of the relentless tide of ransomware threats.
To aid organisations in Singapore in their efforts to combat ransomware attacks, here is a comprehensive checklist on ransomware preparation and recovery that should be carefully considered and implemented:
STEP 1: Initial Investigation
a. Verify if the incident is a genuine ransomware attack.
b. Determine if multiple devices have been compromised.
If affirmative, proceed to:
STEP 2: Declare Ransomware Event and Initiate Incident Response
a. Officially acknowledge the occurrence of a ransomware event.
b. Begin using predetermined alternative communication channels.
c. Inform team members, senior management, and legal representatives.
STEP 3: Disconnect Network
a. Disable network connectivity, if feasible, from network devices.
b. Power off devices suspected of containing wiperware.
STEP 4: Assess the Extent of Compromise
Examine the Following for Indicators:
a. Mapped or shared drives.
b. Cloud-based storage services like Dropbox, Google Drive, OneDrive, etc.
c. Any network storage devices.
d. External hard drives.
e. USB storage devices, such as USB sticks, memory sticks, or connected phones/cameras.
f. Mapped or shared folders from other computers.
Determine if data or credentials have been compromised.
a. Analyse logs and Data Loss Prevention (DLP) software for signs of data leaks.
b. Look for unexpectedly large archival files (e.g., zip, arc) containing sensitive data that may have been used as staging files.
c. Identify malware, tools, or scripts that could have been utilised for data reconnaissance and exfiltration.
d. Take into account any direct notification from the ransomware gang about data or credential theft.
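An added example (not part of the original checklist) for item b above: a Python sweep of a file share or mounted drive for large, recently modified archives that may have been staging files. The size threshold, the age window and the function names are assumptions to tune per environment; file headers are checked as well as extensions, since a staged archive may have been renamed.

```python
import os
import time

# Header bytes of common archive formats. The extension alone is unreliable
# because a staging file can be renamed to look like ordinary data.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".arc"}

def sniff_archive(path):
    """Return the archive type indicated by the file header, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def find_staging_candidates(root, min_bytes=500 * 1024 * 1024, max_age_days=14, now=None):
    """Walk root and list large, recently modified archives, largest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks off the share
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if st.st_size < min_bytes or st.st_mtime < cutoff:
                continue
            kind = sniff_archive(path)
            ext = os.path.splitext(name)[1].lower()
            if kind or ext in ARCHIVE_EXTS:
                # renamed=True: archive header hiding behind a non-archive extension
                renamed = bool(kind) and ext not in ARCHIVE_EXTS
                hits.append({"path": path, "size": st.st_size,
                             "type": kind or ext.lstrip("."), "renamed": renamed})
    return sorted(hits, key=lambda h: h["size"], reverse=True)
```

Run it read-only against a mounted copy or forensic image where possible, so that file access times on the original evidence are not altered.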
RESOURCES
Identify Ransomware Strain
a. Ascertain the specific strain or type of ransomware, such as Ryuk, Dharma, SamSam, etc.
STEP 5: Contain Initial Damage
a. Initial investigators should attempt to halt or minimise any identified damage, if feasible.
STEP 6: Convene Team for Information Sharing
a. Ensure the team comprehensively understands all available information, including the extent and impact of the incident.
STEP 7: Determine Response Strategy
a. Assess whether to pay the ransom.
b. Evaluate the options of repairing or rebuilding affected systems.
c. Consider engaging external parties for assistance.
d. Determine the necessity to report the incident to regulatory bodies, law enforcement agencies, CISA, FBI, etc.
STEP 8: Restore Environment
a. Decide whether to repair or rebuild affected systems.
b. Evaluate the need for preserving evidence.
c. Utilise business impact analysis to prioritise and schedule the recovery of devices and systems.
d. Begin by restoring critical infrastructure first.
STEP 9: Next Steps
Prevent Future Cyber Attacks:
a. Mitigate social engineering risks.
b. Regularly patch software vulnerabilities.
c. Implement multi-factor authentication (MFA) where feasible.
d. Utilise strong and unique passwords.
e. Deploy antivirus or endpoint detection and response software.
f. Employ anti-spam/anti-phishing software.
g. Implement data leak prevention (DLP) software.
h. Maintain robust backup strategies and regularly test their effectiveness.
How a DPO can help
Your appointed DPO can work with you on your PDPA compliance, ensuring that policies are in place so that personal data is handled in a PDPA-compliant way. This includes responding promptly to the PDPC's queries to expedite investigations and prevent a harsher penalty from the Commission.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organisations comply with the Personal Data Protection Act (PDPA). Furthermore, every organisation's DPO should be able to curb any instances of PDPA noncompliance, as the DPO is the officer responsible for maintaining the positive posture of an organisation's cybersecurity.
DPOs complement organisations' efforts to ensure that their methods of collecting personal data comply with the PDPA. They also ensure that policies are set in place to make sure that there will be no instances of data breaches in the future.