
Interview with IT security and data protection expert Olav Seyfarth


"Companies often only realize how vulnerable their own IT infrastructure is after an attack"

Ransomware is one of the biggest threats to the availability of business-critical data. The business model is running at full speed. But what makes ransomware so successful? How can companies protect themselves in general? And how should companies behave after an attack? We talked about this with Olav Seyfarth, IT security and data protection expert.

iTernity: Mr. Seyfarth, we keep hearing in the media about ransomware attacks which bring whole concerns to a standstill. How does ransomware actually work?

 

Olav Seyfarth: Ransomware usually only works in conjunction with social engineering. This means that ransomware will only ever work if I get my victim to do something which they would never have done otherwise. Nowadays we also talk here about phishing. A typical ransomware encrypts data on a target system and demands a ransom for the decryption. Simply put, it is blackmail with your own data.

What can “infection paths” of ransomware look like?

 

Seyfarth: Very different, there are no limits to the imagination of the attackers. The most common ransomware is the one where certain data is encrypted on the victim’s system. But there are always new variants appearing.

 

I assume that in the future, in addition to encryption, more and more data will be taken out of companies. Once the attacker is in possession of the data, the guarantee certainly decreases that the haunting has an end when a ransom is paid.

Cybercriminals are always breaking new ground in blackmailing. How is ransomware developing technically?

 

Seyfarth: Every form of malware evolves - this is a normal arms race. Companies are using increasingly sophisticated security components, for example in firewalls or media gateways. As a result, ransomware developers are thinking about how they can outsmart these components. How can I embed malicious code in a PDF or Excel in such a way that the virus scanner doesn’t become active? Many different technologies are now in use and the field of malware is extremely diverse.

The ransomware business is very promising for cybercriminals. What exactly makes it so attractive?

 

Seyfarth: Writing “good” malware is expensive and requires expertise, expertise not to be caught. We are talking about highly specialized software development. The “business” of ransomware is focusing on classic economic considerations: Where do many potential victims hang out? Where are critical infrastructures? Where do I find a lot of money?

 

Accordingly, the design of the malware varies. I can either target a large, solvent company and get 5 million euros out of it in one stroke, or I can develop completely dull software designed for the masses and spread it to 5 million victims. So we have both, the dull attacks, which are easier to prevent, and we have the highly specialized attacks.

 

These highly specialized attacks are conceptualized and planned for the long term in such a way that they can be barely fended off. The attackers analyze exactly how a company is set up – technically, organizationally, who likes whom… I almost have to do a psychological analysis of the key persons, so that I can attack at all. Then I think about a strategy when I want to reach my goal and through which person in the company.

The common phishing mails, for example, masquerading as mail from a colleague, are often not well done or trustworthy. Why are these e-mail attacks successful nevertheless?

 

Seyfarth: The success of these measures is simply a game of large numbers. Due to the many data protection incidents, billions of valid e-mail addresses are in circulation and easily accessible. I can simply buy a few million addresses for a few euros. A few thousand of them fall into the trap and the attacker can hustle 50 euros from each of them.

Many ransomware attacks are more subtle than the skull and crossbones blackmail message on the desktop. Is there a way to detect at an early stage that my system is infected?

 

Seyfarth: It often starts with individual files which are unreadable. Users then often say to themselves "something is wrong, but maybe I made a mistake" - and keep living with that. There is often an inhibition to call the IT department and bother them with such trivialities. When it comes to ransomware, we have to make sure that the IT department sees itself as a service, helps with learning, and removes uncertainties. This takes time but pays off in the long run.

 

For example, you can set up a mailbox or an internal hotline to which all anomalies can be reported. The response time must be correspondingly short so that the daily work routine doesn’t come to a standstill. In my experience, it takes about two months to get that up and running. After that, not much more will come into this mailbox and the questions which come in are usually the tough ones. We have to motivate our employees to pick up the phone to ask questions rather than opening a dubious attachment. We have to listen to our gut feeling and create a working environment where employees have the chance to learn from their mistakes.

What are the first steps a company should take after an attack?

 

Seyfarth: It’s important to find out what the actual entry point was. Timely, complete, and factual documentation is suitable for this. This can’t be done in passing and should be prepared!

 

From the moment the alarm bell rings, a dedicated team must meticulously trace, secure, and record the event. Findings should be recorded separately from conclusions. The dual control principle has proven its worth here: one person carries out the work, the other documents it. This preserved evidence can be used by the police and in court.

Why is recording a log so important?

 

Seyfarth: If out of 200 ransomware attacks, my company is the only one with a record, which case do you think the police will handle? I don’t want to say that clean documentation is a guarantee for the success of the police, but a good log makes the processing of the case possible.

 

Moreover, important conclusions can be drawn from these observations. If I don't have an expert on-site, but record everything during this time, then the expert has the opportunity to familiarize him- or herself quickly with the facts later on.

The ransom demand is the core of ransomware. What further consequences are companies struggling with after an attack?

 

Seyfarth: Companies often only realize how vulnerable their own IT infrastructure is after an attack. Whether this realization also leads to an actual change in the behavior of employees or the management varies strongly. I understand change here in the sense of “we invest, set up our systems properly, or ensure that employees have enough time and expertise”. In the end, what is needed is a “caretaker” for IT security in the company.

 

In addition to the ransom demands, there are further challenges: business shutdown, damage to reputation, police investigations,… Many organizations do not recover after a ransomware attack and this is usually not only due to the high ransom demands.

Ideally, a company can prepare for an attack so that it does not happen at all. How can you effectively protect yourself against ransomware attacks?

 

Seyfarth: First of all, a security concept must be developed which makes sense as a whole. It needs understandable guidelines which are lived in the daily work. The gut feeling of the employees must be strengthened and trained again and again. Prevention is the best measure, but of course this isn’t a one hundred percent guarantee.

 

When we talk about technology, network separation and a clean data backup concept are important. With this, I mean cascaded data storage when the company’s data is critical. A media break can slow down or stop the spread of ransomware. We have to ensure that ransomware can’t access the backup of our data. This way the encryption of live data hits us less hard.

 

Of course, data backup only helps to a limited extent if the attacker was able to copy unencrypted business data. Unfortunately, this is increasingly the case today.

After a ransomware attack, many companies are faced with the decision “pay or not”? What’s your advice?

 

Seyfarth: The Federal Office for Information Security clearly advises against this. The FBI strongly advises against it. Yet even public administrations and courts have paid a ransom. Why? Quite simple: If I haven’t taken any measures for protection in advance, the consequences for me are so serious that I have to bite the bullet.

 

You have to be aware that even after the ransom has been paid there is no guarantee of normal operation. The danger of being blackmailed again and again exists as long as the weak points have not been closed, or if company data has been copied.

You expect from large concerns strict security measures to protect data and systems from such attacks. How is it possible that they still fall victim to ransomware attacks?

 

Seyfarth: I wouldn’t say that these companies do nothing. Often measures have been taken, but in reality, they don’t work as intended. There is a backup, but it hasn’t been tested for an emergency, isn’t complete, or has been encrypted by the ransomware. This means for the IT department: testing, questioning, documenting – this costs time, which is often not given to the department. Such a test must be wanted by the management and actively demanded.

 

It becomes critical in many areas where IT budget, time, and expertise are lacking. I often see this in the public sector, in the social sector but also in the healthcare sector. There is often no sufficient backup, no effective virus protection, no sensible encryption, and hardly any preventive measures. It is unbelievable that savings are made here in the wrong places.

 

In the public sector often people who lack IT expertise have to make decisions. They would rather build a playground than buy a server or work out a security concept. This is completely understandable from a human and political point of view, but the consequences are unacceptable. Fact is: Without an appropriate budget, without time and without expertise, a responsible person today has no chance of protecting IT infrastructure in a meaningful way.

What do you wish for the IT security sector in the future?

 

Seyfarth: I’d like users and companies to demand a reasonable level of IT security and not live with the fact that certain things don’t work. By this I mean standards of data protection and IT security for all products and services which we buy or use free of charge.

 

We wouldn’t accept that our car’s brakes sometimes work and sometimes not - that’s unthinkable. But in the IT sector, we got used to things which are actually completely untenable. In this respect, I would especially like to see the courage of users and decision-makers to open their mouths and say clearly “this is not the way to do it”.

About Olav Seyfarth

Mr. Seyfarth is a computer scientist (MSCS), certified Information Security Officer, and certified Data Protection Officer. He already had his first encounter with IT security at school, when grades were manipulated. Since then he has been fascinated by the subject. He has acquired a wide range of knowledge through a variety of activities at Telefónica and SICK, among others. Today he is self-employed as “Datenschutz individuell” - and with 30 years of professional experience, he is the first contact person for data protection and IT security for his customers.
