Cybercrime , Endpoint Security , Fraud Management & Cybercrime
The Ransomware Files, Episode 2: Bridging Backup GapsAttackers Tried to Double Extort Matthews, an Australian Company
Organizations struck by ransomware sometimes face what's known as double extortion.
Before encrypting the data, ransomware attackers steal it. Then the attackers have two points of leverage over victims: pay to get the decryption key, and if an organization doesn't need that, pay to prevent the public release of stolen data.
It's a development that adds another painful dynamic to ransomware. An Australian company called Matthews, which specializes in identification, labeling and inspection systems for manufacturers, is believed to be one of the first companies in the country to be subjected to double extortion when it was infected with the PYSA ransomware last year.
Matthews is just one of dozens of businesses, hospitals, school districts and other organizations in Australia that have been infected with ransomware. Like many other nations, Australia has been on the receiving end of what has been a devastating evolution in crime.
In this episode of "The Ransomware Files," Matthews executives tell how they fought back, recovered their data and restored their business. Matthews' battle against its ransomware infection is a tale of resilience and strength.
"The Ransomware Files" is an intermittent podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.
If you enjoy this episode of "The Ransomware Files," please share it on your social media platform of choice. If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch at firstname.lastname@example.org or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.
"The Ransomware Files" theme song by Chris Gilbert/© Ordinary Weirdos Music.
Music by Uppbeat (Tracks and license codes here.)
- CERT Report: Attacks Involving the Pysa Ransomware
- Threat Analysis Report: Inside the Destructive PYSA Ransomware
- IC3 Report: Increase in PYSA Ransomware Targeting Education Institutions
- Ransomware-as-a-service: The Pandemic within A Pandemic
- Agencies ‘hunting every night’ with offensive cyber capabilities
- Fisher & Paykel Appliances Struck by Nefilim Ransomware
- Labor Introduces Bill to Mandate Ransomware Payment Reporting
- PYSA, the ransomware attacking schools
- The DFIR Report: PYSA/Mespinoza Ransomware
- Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools
Jeremy Kirk: From cereal to yoghurt to beer, anything that you consume has a bar code on it. And it probably has a sticky label that contains the nutrition information. It also has a use-by date or a best before date applied by something like a thermal inkjet printer. If a company is making a food product, they may weigh it. They might put it through a metal detector to make sure nothing harmful has ended up in it. And the pallets of those products, before they leave the warehouse, are also marked, perhaps with RFID tags, so they can be tracked to their destinations.
These coding and labelling systems underpin modern food safety and logistics. The benefits are enormous: it means higher quality and safer items to eat. There's a company called Matthews in Australia that specializes in intelligent identification and inspection systems for its manufacturing customers across Australia and New Zealand. At its core, it's a technology business. Its package code management platform is called iDSnet. The company's mascot is colorful chameleon named Albert, whom the company says is emblematic of the company's adaptability.
Mark Dingley is Matthews' CEO, and he's spent his entire career at the business. He started in customer service in the early 1990s after university and has done at least a half-dozen other roles before becoming its CEO. Mark has a saying that sums up the company's business - no code means no product.
Mark Dingley: In Australia, we're heavily involved in the food and beverage industry and manufacturing, so we keep the production line in some ways moving, and no code means no product.
Kirk: In February 2019, Mark received a call at 6:30 in the morning from a Matthews’ IT support person. It was a call that was to permanently change the company.
Dingley: It was our IT support person that called our network support person. He called to advise me that we had been breached and that a cyberattack - a ransomware attack - had taken place and was currently taking place. At that time, most of our servers that are on-prem had been encrypted with ransomware.
Kirk: Matthews is just one of dozens of businesses, hospitals, school districts and other organizations in Australia that have been infected with ransomware. Like many other nations, Australia has been on the receiving end of what has been a devastating evolution in crime. Organized cybercriminals have been able to profit from holes in IT security, infiltrating systems, encrypting files and then demanding a ransom. Australia has been strategizing with other nations to figure how to blunt the scale and damage. The cybercriminal underground around ransomware has been growing in strength and impunity. Australia has openly said that it is using its offensive cyber capabilities against ransomware gangs, the effects of which will be closely watched. But in the meantime companies like Matthews, which is a successful, medium-sized business, are bearing the brunt of this assault. However, Matthews' battle against its ransomware infection is a tale of resilience and strength, and the following is how it recovered and grew stronger.
This is The Ransomware Files. I'm Jeremy Kirk.
In this podcast mini-series, I'm going to talk with those who have navigated their way through a ransomware incident and learn how they fought back, what they learned and what tips they can pass on to others. No ransomware infection is ever welcomed, but there's invaluable knowledge gained. There should be no shame in getting infected. But it's important to share the lessons.
Ben Nichol is a Supply Chain Logistics Manager for Matthews. He's the son of Lester Nichol, who founded Matthews around 40 years ago. Ben's brother, Matt, also works for the company as its Southern Regional Sales Manager. Growing up, they knew their dad worked in product labelling, but Ben says there was no expectation at that time that they would become involved.
Ben Nichol: We never considered it a family business. That was just dad's work. It became more of a family business back in the late 90s when he took over the Australian subsidiary for the Matthews business. But he never thought it was a family business either, and nor did we, and we never thought there was any entitlement to start working in the business. But it just happened that way.
Kirk: Ben joined in the late '90s as an inventory controller and that evolved into an IT manager role.
Nichol: It gave me a good state and good background into how the IT systems work.
Kirk: The morning that the ransomware was deployed, an external IT consultant who works with Matthews alerted the company. The ransomware had tripped monitoring software but the monitoring software didn't signal the alarm until services started going offline.
Kirk: So Ben, when you heard the word ransomware, what went through your mind at that point?
Nichol: It was horrible. We've been through it once before. Not to the same extent, but it had a big impact on the business. It destroyed all our files on a file server.
Kirk: As Ben notes, this in fact, was the second time Matthews had been hit by ransomware. The first incident happened several years prior. In that incident, Matthews was able to recover from backups. This time around, however, was going to prove a lot more difficult.
Nichol: They encrypted all of our files on all of our servers. Every server was impacted. They didn't get into our workstations, it was just the servers. They then just wiped the backups, I think they formatted the disks or did something like that. They didn't encrypt the data. Day one was hectic for us. I got into the office because we were locked out of the system. I couldn't log in remotely, which I was always able to do. We could only login into the office in our own network. But we stopped the WiFi, we stopped everyone being able to log into the system in case there was still residual in that, which might affect the local PCs as well. So I was still able to RDP [Remote Desktop Protocol] into a couple of servers that aren't left up. And I just wanted to have a look at what the impact was. And once I got into the SQL databases and saw they were all encrypted, I knew we were going to get into a lot of trouble. So it wasn't looking good for us. It is a real moment of reality. You say, well, how can we recover from this? If we've lost everything and our backups, how can the business survive?
Kirk: The type of ransomware that infected Matthews is called PYSA. It is a variant of the Mespinoza strain of ransomware, which surfaced around October 2018. PYSA purportedly stands for Protect Your System Amigo. Files encrypted by it carry the P-Y-S-A extension. After being infected, some victims have reported seeing a ransom note that says: “What to tell my boss?” “Protect Your System, Amigo.” It also has cheekily referred to victims as so-called partners. Security company Palo Alto Networks says PYSA has asked for ransoms as high as $1.6 million and actually received one payment that amount to $470,000.
The group is known to first steal data from victims' systems, and it is picky about what it looks for. PYSA will carefully dig around a victim's network to figure out if there's enough valuable data that a victim might pay a ransom to retrieve. PYSA and its affiliates will do this by searching for files with specific keywords such as clandestine, fraud, SSN (Social Security Number).
It may then publish the confidential data to embarrass victims in order to get a victim to pay. It's known as the double extortion: not only have attackers encrypted the data, but they also threaten to publicly release it. This is what happened to Matthews. It's believed that Matthews was one of the first Australian organizations to be subjected to double extortion.
In March of this year, PYSA's activity was the subject of an FBI warning. The FBI said ransomware was increasingly being unleashed against higher education institutions, K-12 schools, and seminaries in the U.S. and the U.K. But it has also affected U.S. government and other government entities, private companies, and healthcare organizations.
The FBI says PYSA gets into organizations using methods such as compromising Remote Desktop Protocol credentials or sending phishing emails. Once inside an organization, PYSA will use tools such as the Advanced Port Scanner and the Advanced IP Scanner to scout out how a network is configured. Then, like other groups, it installs open source tools such as Powershell Empire, the still useful but aging post-exploitation toolkit, and other and penetration testing tools such as Kodiac and Mimikatz.
PYSA is a ransomware-as-a-service group, which means that it allows other cybercriminals known as affiliates to use its software for a slice of the ransoms paid. When the ransomware was launched against Matthews, PYSA didn't overtly asked for a sum in a virtual currency like Bitcoin. The group typically prefers to start negotiations over email, so it gave Matthews instructions for how to contact it.
So how did PYSA get in? A forensic investigation and audit later showed the attackers gained entry after an employee's device was infected with malware following a click within a malicious email. That attackers had been inside Matthews' systems for weeks prior to launching the ransomware. They were lurking, learning, and collecting administrator credentials. Eventually, Mark says the attackers were able to leapfrog into Matthews' data center and its backups.
Dingley: Somehow, they found admin passwords and they were able to monitor people, monitor passwords, and got access from that one entry. And once they had admin passwords, they were able to bounce around our servers and out into our own private data center, where our backups were stored. And literally wipe them out.
Kirk: After PYSA's presence was known, the senior leadership team of Matthews came together. One of the most important actions at this point was establishing a communication channel with internal and external stakeholders. Another pressing task was to figure out exactly what data the company still had that either wasn't encrypted or deleted. Fortunately, about a year before the latest attack, Matthews had purchased a cyber insurance policy. And as part of that policy, Ben says the insurer dispatched a law firm that coordinates incident response and recovery.
Nichol: Fortunately, our CFO recommended that we take out cybersecurity insurance. So that was one of our first calls. And that morning, we couldn't do anything. We made the call to our security insurance company. And they put us in touch with some lawyers who had a specialist in this area and they assigned a cyber incident response manager, who then began to roll out the process of what we need to do and in what order, and how we needed to do it. And then they put us in touch with cybersecurity specialists who actually got into your system.
Kirk: First and foremost: Ben says Matthews needed to make sure it wasn't still exposed to the attackers and that the ransomware wasn't going to cause further damage.
Nichol: Once we had an operational system, we had to make sure that the vulnerability wasn't there. And we're just sort of chasing our tails. And if we did recover anything, that wasn't going to be destroyed as well. So we had to engage these partners. The service incident response manager was great, because they had a phase process of what we needed to do for data recovery in their forensic investigation. So we set up meetings with them on the very first day, twice a day for a number of weeks. We had it all scheduled in advance, just to keep us abreast of where we are at, where recovery was at, where our communication was at, and what we were going to do next. Because at this point, we didn't know whether we needed to engage with a threat actor. We needed to understand where we were at as a business in this recovery process.
Kirk: The fact that Matthews had been infected with ransomware before did help the second time around. After that first incident occurred, the company sought to bolster its data backup and recovery systems. That included an offsite data center along with nightly and weekly backups. Still, the threat actors had been lurking around long enough to figure out how Matthews' backup regime worked.
Kirk: I remember you said you had a prior ransomware attack.
Nichol: We'd had one a few years back, and not to the extent of this one. We had a simpler system back then. And simpler software, but still it impacted our business. But we're able to recover from that with backups. This one was a lot more impactful because it destroyed not only our live systems, but they got into our backups, and they destroyed all the backups. Now we don't know how that happened, because the backups were connected to our network, but they weren't visible through the file share. Somehow, they have been able to navigate around and find them and delete them.
Kirk: Luckily, there was a last ditch backup, one that Mark calls the "in case of nuclear war" one. Every couple of weeks, Matthews made another backup copy on external drives and that were stored in a secure location that was completely unconnected to its network.
Dingley: We had completed that process two or three weeks prior to that event. At the time of the attack, all of our online backups were destroyed. Effectively, our ERP system, CRM systems, our service management systems that were all on-prem at the time, were all impacted. We were down for that Friday. And again, the IT team rolled into action. It was impressive. We lost Friday, but by Monday morning, we were operational. And every device was basically quarantined. We had gone through all the servers. We replaced old servers with new servers, and quarantined all the old servers. Even at our data center - that was a big job getting into that data center - but we were able to achieve that and quarantine all the infected end servers.
Kirk: The fact that the nuclear backup existed was fortuitous. And to understand why that is important, we have to go back to Matthews' business. Matthews processes about 1,000 transactions a day. Matthews counts several possible actions as a transaction. Examples are a service job requested by a customer, an invoice or something that moves through its ERP or CRM systems. The ransomware attack wiped out as many as 20,000 of those most recent transactions but it still had the older ones, and that was important to resume business continuity. As mentioned before, if a company can't properly label its products, it can't make any products until that is fixed. Ben says they have to have business continuity and keep their customers up and running.
Nichol: We were supplying them with products to keep production lines running for the food and beverage industry and other industries as well. We couldn't not dispatch to our customers. That was too essential to us. Once we had the initial backups that were two weeks old, up and running, I set up a staging test environment for our customer service team to manage our best for essential dispatches dialing. So that's part of the communication to our customer. We said we were going to be offline for a period of time, but it was absolutely urgent that we could transact something because we knew that once that that fresh backup was installed, we would have to migrate that data back across, and we wanted to minimize that workload to do that. For the essentials, we had our staging system that was operational for our customer service team and service center to do work.
Kirk: Mark says that Matthews did go back to pen and paper for a short time while it tried to figure out the missing service jobs.
Dingley: All through this process, my team, the whole staff were incredible. The resilience that they all showed to just work through - everyone working night and day to pull the data off; the service team mapping out all of the service jobs they thought they had; and we were just back to pen, paper and whiteboards, mapping out to try and join the dots with our service jobs that we had done making sure that we weren't missing any customers.
Kirk: There was still a two-three-week gap in its backups. Then, something good happened. Ben says that Matthews initially thought that cybercriminals affiliated with PYSA had wiped the backups, those drives were sent off to a data recovery firm. For some reason, the cybercriminals hadn't encrypted those drives with its ransomware but instead done some tampering with the boot sector.
Nichol: It was B drives, they were the drives that they'd wiped. They claimed the map format of the dig or whatever they did. We took those out of the USBs, popped them in some bags and sent them off to the recovery center. And then they do their forensics on those to try and establish what they can recover. And fortunately, they came back to recover one of the discs, which was absolutely fantastic. We didn't know how all the data was until we could then get those discs back and map them. So we did that and found that our ERP system was only four days old, which was great. I mean, from two weeks to four days, we recovered so much data and we're only looking at a three-day period. Given that all that financial information was just magic that we could even get that close. We weren't so lucky with our service system. And service system is a fallback system. And it was seven days old. We had a gap there but it wasn't a financial gap. It was more about the time and effort that the technicians have put into our customers and recouping that money, but having seven days from 14 days was great and the service department kept copies as we did with the purchasing and sales, when we send confirmations or order acknowledgments. We keep copies of those in our emails. We were headed our way with reconstructing this information as time consuming as that might be. That was good news.
Kirk: The black hole of transaction data had been significantly narrowed. One gap that remained were records of shipments of equipment that Matthews had recently sent it customers. All of Matthews’ sales orders are dispatched to a warehouse. The warehouse puts that into a separate system and the equipment goes out. That separate system was compromised. But Ben says that each night, Matthews sends a manifest to a third-party company that manages the consignments.
Nichol: They had backups of all that data so we could recover that data. We knew who we had sent products to, whether it was a transfer, a sales order, a project, and we knew the weights and dimensions of size and whether it was dangerous, good or not. We had a an idea of who we had sent the product to, and the sales order that we no longer had in our system, but we knew that was going to correspond to an invoice we had already sent the customer. They get sent the invoices as we dispatch. We were well on our way to reconstructing something that resembled a recovery data set that we could work with, with our finance team and do our best to our customers.
Kirk: Matthews' attack came at time when Australia was in the midst of quite a public ransomware wave. Fisher & Paykel, which is a white goods manufacturer in Australia and New Zealand, was infected with the Nefilim ransomware. That same strain also hit Toll Group, which is a major logistics and shipping company, in what was that company's second brush that year with ransomware. Others affected were Bluescope Steel and beverage maker Lion. Ben says that customers of businesses that are affected by ransomware are concerned whether their personal data or confidential information is affected. But they were also really sympathetic and ready to lend a hand.
Nichol: One of the things I reflect on it at the time is this happened 18 months ago. So it's bringing back some bad memories. But reflecting back at that time, there was a lot of ransomware incidents happening around the globe. And in Australia, I think Toll Logistics was one that had just been hit big time. And then they got hit after us again. It was very much top of mind for business. That communication to our customers, just the reassurance that none of their personal or protected data was compromised, was great. But also, though, for me with what ransomware is now, more sympathetic towards and tried to assist in helping us. When we had to go to our customers, and ask for copies of invoices so that we could reconstruct their own data, they were very forthcoming with that.
Kirk: By the time the attack had occurred, Ben had been getting a lot of unwanted practice reconstructing data. Earlier in the year, the company experienced data corruption problems due to an incompatibility in its VMware software and the SQL version if was using. Ben spent long hours and weekends on almost a weekly basis reconstructing data due to the corruption issues. While frustrating at the time, the experience proved handy when trying to reconstruct the missing data from its ERP product, which was Microsoft Dynamics AX 2012.
Nichol: I was well aware of what needed to be done to reconstruct once we got up and running with this ransomware. Alongside my company accountant, who's also very experienced in the AI in ERP product in particular, we were able to reconstruct the data based on some of the reports that I've already written and the data we are getting back from our customers. We had inventory issues. That was huge. We had to do a full recount of all of the inventory in all of our warehouses. We have got seven-nine vehicle warehouses plus another five physical warehouses and, lots of inventory in those warehouses. So lots of movements had happened in those four days. We had to virtualize the inventory that we had discrepancies of and then work back from there. So once we started recreating what purchase orders we received, what sales orders, we sent, what was invoiced, we then had to do the movements within the IEX journals to account for that, and then we had reconciliations to see how close we're getting to the variances.
Kirk: By this point, even just days after the infection was discovered, Matthews was somewhat operational. But it would be four to six weeks before the company was getting close to back to pre-attack activity and a good year before its full network rebuild and revamp was completed. Did Matthews give any consideration to paying the ransom?
Kirk: It sounds like you had no consideration of paying these criminals anything.
Dingley: No. Well, no.
Kirk: Or did you have a think about that?
Dingley: 6:30 on a Friday morning, when the sky was falling down, it was certainly a consideration. That was one of the things proposed to us at that time by the cybersecurity lawyers that was certainly discussed in terms of one of the options. But it was never really seriously looked at after the process, because we didn't really want to go down that path. We had the missing four weeks of data. As we got those discs with the data into the hands of data retrievers, we were starting to see that we could call back some of that missing data. We weren't in the situation that I know many companies were where they've lost all backups and everything.
Kirk: Still, Matthews thought it was ready for an attack. But once the full scope of the incident became clearer, it quickly realized it wasn't actually ready. That kicked off a comprehensive program to improve its IT security readiness and that has included a host of changes. For example, before the incident, external contractors had access Matthews' systems, but now that type of access is subject to a higher level of security. It also had externally facing websites that didn't require VPN access, which now the case. It also reset all passwords and put in place multifactor authentication, which Ben says has already stopped more problems. And another big one: no more remote access through Remote Desktop Protocol, or RDP, and if you remember earlier, that's the FBI said was one of the main routers for PYSA.
Nichol: We've got two factor authentication. And we know that saved us since our cyber incident. So constantly calling for two factor. We've also put endpoint protection that replaced our existing antivirus software. So this not only covers antivirus, but also these ransomware threats and other threats that come through that antivirus might not pick up. We don't have access through RDP anymore. It's got to go through VPN, as I said earlier, and we close all internet facing websites, external RDP and open ports - made sure all those were closed.
Kirk: Their antivirus platform was replaced with a more comprehensive antimalware and monitoring platform, more along the lines of an EDR or XDR endpoint software that is in vogue now. Marks says that antivirus software alone isn't enough.
Dingley: The reality is, AV just doesn't cut it. I think that was one of the biggest learnings. We have gone to those endpoint solutions and so forth. The AV’s integrated in that, but AV on its own, as we had, just doesn't cut it.
Kirk: Matthews' backup regime was also overhauled. Ben says that included replacing the USB-connected drives with NAS drives because they offer better reliability and security.
Nichol: We then revisited our IT disaster recovery and backup policy, and that separation of our backups from our network was really important. Where we thought we were protected by backing up to external drives, and they weren't sort of visible on the network, they were still connected to the network. We found that out the hard way. Now that's visits subnets separation there, we no longer have those backups connected to a network directly through the same subnet. And we've got more rigorous backups as well.
Kirk: It also learned a lesson: it's not just having the backups, but also knowing the right sequence in which that data should be restored to bring systems back online. If that data restoration sequence is wrong, the systems can't be fired up in the correct order. Knowing that correct order influenced how the company now backs up its data, including, including micro-backups that occur on a daily basis. Mark says that testing those backup restoration processes is key.
Dingley: Our testing of restorations is now part of our way of life. You think your restorations work until you come to the stage when you really need them, and they don't work. And you don't want to find out you've got corruptions when you really need that restoration to kick in. Testing your restoration procedure and testing that your restorations actually restore and restore in the sequence that you want is a critical process that people should be working on.
Kirk: All told, Mark estimates it took four to six weeks for Matthews to get up and running. But it was 12 months before the company felt it had completed an information security overhaul.
Dingley: The time and the stress that are put on the people to recover, that's the biggest hurt and you don't get that time back. It was 12 months on before I could really say, we are now at a new level, and super vigilant in all areas of cybersecurity. It was a long haul.
Kirk: Matthews also has a continuing focus on staff education about malicious emails. Phishing emails and even emails containing malicious links or malware are can be notoriously tricky to detect, but education can help employees avoid some of the most obvious traps. Matthews now runs monthly mock phishing exercises to keep a refreshed focus on security awareness.
Dingley: We run our own fake phishing email testing every month with our staff, we're very transparent with that. Because it is about education and awareness, it is about that level of paranoia that our weakest link is still someone potentially clicking on an email. When we started, we had some pretty high click-throughs. And for the last three or four months, we are at zero. The biggest learning, for any organization, is if you're not involving your staff, regularly, monthly, you are not cyber secure.
Kirk: It has been about 18 months on from when Matthews was infected by PYSA. How is Australia as a country now faring against ransomware? In short, like elsewhere in the world, it's been rough.
Reece Corbett-Wilkins is a partner with the law firm Clyde & Co. in Sydney. About a decade ago, Clyde & Co. set up dedicated incident response practice to help organizations through incidents. It works with insurance companies and victims to coordinate incident response, calling on vetted vendors to quickly do tasks such as forensic analysis, project management and rebuilding systems. Reece estimates that Clyde & Co. alone has worked on 300 ransomware-related incidents in Australia over the last two and a half years. That increasing volume of attacks has been elevating the concern about ransomware in Australia.
Reece Corbett-Wilkins: We've seen a number of high profile attacks, over the last two-and-a-half years, impact significant organizations, much like you've seen in the U.S. and around the world. Australia at the moment is going through an election early next year. And for the first time in years, cybersecurity has become a political issue. It's now elevated to the top of the list critically, because we can see the financial impact of these ransomware events are impacting our economy as a whole, particularly as we come out of COVID. The government is taking this up as a national security issue.
Kirk: And this year, the ransomware incidents seems to rise to new levels. Nine Entertainment, which is a major broadcaster, saw its Sunday programming disrupted by ransomware. Also, there was JBS Meats, the world's biggest meat supplier. Its ransomware incident affected slaughtering operations in four Australian states as well as in North America.
The Australian government is making moves, and in October, it proposed a Ransomware Action Plan. There are lots of interesting bits in the plan but one large standout is the reporting requirement. The plan would require businesses with more than $10 million in annual turnover to report a ransomware attack. The opposition Labor Party, however, is pushing for that to include if a company has paid a ransom. The government says the reporting requirement will help it better understand the threat and support victims. If it comes into effect, it would be a world first.
There are other initiatives as well. The Australian Federal Police, which is the equivalent of the FBI, is creating a multi-agency task force called Operation Orca specifically dedicated to fighting ransomware. The plan also calls for Australian law enforcement to be able to track and seize ransomware gangs' funds, which are usually in virtual currency such as Bitcoin or Monero. The Australian Signals Directorate, which is the equivalent of the NSA, will also be allowed to use its offshore offensive cyber capabilities to disrupt cybercriminals targeting Australia. The secretary for Home Affairs, Mike Pezzullo, said the ASD offensive cyber experts are hunting for ransomware gangs every night.
There's also another piece of legislation that is tangential to ransomware. Legislation is before Parliament that will require critical infrastructure providers to have minimum standards of security. Reece says that the government wants to ensure that critical infrastructure providers, which are the backbone of the Australian economy, can withstand attacks without lives and livelihoods at risk as a result of a cyber incident.
Corbett-Wilkins: What they're looking to do is introduce new legislation, which does two things. It significantly expands the definition of critical infrastructure providers to include a lot more industries that previously weren't covered by this effectively anyone, any organization that can be seen to support the national infrastructure of Australia, and food and security and water supply chains.
Kirk: There's also another prong that could prove somewhat controversial. It's called a "step-in" power and as Reece says would allow the government to take over defense of an organization during a cyber incident.
Corbett-Wilkins: But secondly, they're also looking to introduce step-in powers for the government to be able to actually step in and take over the active defense of an incident, if the government deems it appropriate to do so. And critical to whether or not the government will be able to exercise that power will be organizations demonstrating not only capability and competence, but also giving confidence to the government that they're taking appropriate steps. It's going to be a significant piece of legislation when it passes because it will effectively put organizations on notice that they need to be able to be better able to respond to these incidents, and also cooperate with the government during a time of incident, or else suffer the very distinct possibility that the government can take over defense operations.
Kirk: These days, Matthews is in a much different place than it was two-and-a-half years ago. And in some ways is Australia is too: it, like other countries, is getting fed up with ransomware. The launch of a plan to tackle ransomware is a start. And it follows similar moves in the United States. But as it has been pointed out there no one action will eliminate ransomware. But until governmental action, diplomacy and policing can catch up, businesses do need to put in place their best defenses. Mark says there is one step every organization should take.
Dingley: First and foremost, get an external audit, do the penetration tests, find a very good cybersecurity business that specializes in this area of the external audits, do a penetration test and see how robust or fragile you really are. External audit and penetration test: that is your first one because that will show the level of how really your business is exposed. And then you take it from there.
Kirk: If you enjoyed this episode of The Ransomware Files, please share it on your social media platform of choice. If you would like to participate in this project, please get in touch with me - my DMs are open on Twitter and I'm easy to find on LinkedIn. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.
Next up is a chat with our sponsor for this episode, Cofense.