A Covert Operation?
On November 7, 2020, the managing director of a medium-sized Bremen company, active in the buying and selling of merchandise in Germany and France, noticed some irregularities in the company’s internal network. Most of the server data was subject to impenetrable encryption. Overnight, a group of hackers known in IT circles under the name REvil launched this ransomware attack, which paralyzed many of the company’s processes for several weeks. The hackers encrypted about 90 percent of the data and demanded a high monetary ransom of around 300,000 euros for the release of the master key, which enables the release of all files – a frightening scenario that affects many other small and medium-sized enterprises (SMEs) in Germany and worldwide. In recent years, there has been an increasingly worrying rise in cybercrime. While the number of cases in Germany in 2016 was still around 82,000, the Federal Criminal Police Office recorded over 108,000 attacks for the year 2020.
A Covert Operation?
Even though this attack seemingly came out of nowhere – as could be traced back afterwards – between one and two o’clock at night, it was not a spontaneous action by the cybercriminals. Rather, the managing director suspects that they were able to infiltrate the system several weeks earlier. After all, the attack also affected an employee who had been working from home for a month, from the company with offices in Bremen, Hamburg, and France, who simultaneously noticed the encryption of his data on his work laptop and could not access any important files. Thus, the attack had wider implications than initially assumed and affected virtually every employee. Only by entering a six-digit hexadecimal code could this problem be solved without losing important data in the course of the attack. For several weeks, the employees had to continue working with major restrictions, which was managed as best as possible since essential processes could also be carried out manually and thus could largely continue. To keep the economic damage as low as possible, those responsible had to act as quickly as possible – easier said than done in the face of the acute pressure situation.
Good guy, bad guy
But what to do when the worst case scenario has occurred? Many IT outsiders and those inexperienced in this field have probably asked themselves this question several times after increased reports of emerging cybercrime. Unlike in many movies, where the extortionists demand the ransom in a threatening tone with distorted voices, such a deal in reality is far less spectacular. In this attack case by the REvil group, a countdown only started after attempting to access the desired file, which was limited to five days and contained a demand for payment, which for the affected company totaled 300,000 US dollars. Sums that represent an insurmountable burden for SMEs. After receiving the demand, those responsible could enter into chat communication with the criminals and negotiate the ransom. It became clear that in the tough negotiations lasting several days, they were dealing with multiple perpetrators on the other side. On one hand, an unyielding, tough negotiator, and on the other hand, a communicative, friendly person with whom a compromise could be reached. They finally reached an agreement in the negotiations for a much lower sum. Since no alternative solution presented itself to recover the valuable data collection of over 20 years of successful entrepreneurship, the management paid the amount with the untraceable cryptocurrency Monero.
Control beats trust
Nach dem Zero-Trust-Prinzip hinterfragte die Führungsetage anschließend jegliche Strukturen
und Prozesse, um Sicherheitslücken des Netzwerks möglichst präzise ermitteln zu können.
Zur Unterstützung engagierte der Geschäftsführer eine nahe gelegene Bremer IT-
Sicherheitsfirma, welche die Situation mit ihrer langjährigen Erfahrung und angesammeltem
Know-how in diesem Bereich einschätzen sollte. Dem Rat der Sicherheitsexperten zum totalen
Austausch der gesamten Hardware konnte die Geschäftsführung keine Folge leisten, da es
die wirtschaftlichen Rahmenbedingungen nicht zuließen. Vonseiten der zuständigen
Versicherung kam ebenfalls kein positives Signal zur finanziellen Unterstützung, woraufhin
sich das Unternehmen dazu entschied, eine neue IT-Infrastruktur aufzubauen. Auf einer
vertrauensvollen Basis engagierte der Betrieb schließlich den Rechenzentrums-Dienstleister
firstcolo, der hauseigene Datacenters betreibt und für unterschiedliche Kunden Colocation-, sowie Managed Services-Dienstleistungen zur Verfügung stellt. Mitte Dezember 2020 kam es
zur ersten Kontaktaufnahme zwischen beiden Parteien. In der weiteren Zusammenarbeit
verlagerte der Betrieb seine Datensätze auf das externe Datacenter von firstcolo und verwaltet
sie heute aus der Cloud heraus.
Rise to the Cloud
Gerade für mittlere und kleine Unternehmen bietet die Auslagerung von Servern und Daten
vielerlei Vorteile. Aus Gründen der Sicherheit ergibt ein Wechsel von der standortbezogenen
internen Datenspeicherung zu externen Rechenzentren absolut Sinn, da Dienstleister wie
firstcolo die oftmals angemieteten Server rund um die Uhr kontrollieren und somit für eine
Rundumüberwachung der Systeme sorgen kann. Verwaltungsaufgaben und
Wartungsarbeiten fallen damit nicht mehr in den eigenen Aufgabenbereich, was im
Umkehrschluss effektivere Prozesse und finanzielle Einsparungen bewirkt. Denn Hardware,
die bei intensiv genutzten Servern gut alle drei bis fünf Jahre ausgetauscht werden muss, stellt
für das mietende Unternehmen keinen Kostenfaktor mehr dar. Gerade durch die Corona-
Pandemie nehmen flexible Arbeitsmodelle eine immer größere Rolle ein. Egal ob in einem der
an verschiedenen Standorten niedergelassenen Büros oder im Homeoffice, die Cloud-
Anwendung lässt sich von jedem Standort aus flexibel nutzen. Zudem greifen Angestellte vor
allem sicher auf Informationen zu oder nehmen Änderungen am System vor.
Ignorance is No Excuse
To avoid a future cyber attack as much as possible, the company took additional measures besides
establishing the new IT structure, primarily to sensitize
employees – the core users of the system. Usually,
cybercriminals, as presumably in this case, gain access to an
existing system through a single user. The responsible parties addressed this point immediately after
the attack to minimize one of the biggest entry points in an otherwise secure network to
minimize. For this purpose, they designed a security training for their employees, that can be
completed independently via a specially developed security platform. It contains
comprehensive training materials and a final test, after which
each user receives a certificate upon successful completion. A major topic remains
often underestimated phishing emails, which still lead many
users to fall for criminals’ traps through pretexts, thus exposing the
ongoing operation to great risk. Through the security training
coupled with data storage in the cloud by firstcolo, an IT infrastructure emerges that offers cybercriminals almost no access opportunities in the future. Further
attacks can thus be proactively prevented, resulting in risk-free operation
of business-critical IT.
