This week host Anna Brading is joined by Sophos experts Mark Stockley, Greg “Fido” Iddon and Peter Mackenzie.
This week we discuss an attack on the city of Johannesburg that came with a ransom demand and ask “was it ransomware?”; we talk about what the breach at NordVPN means for VPN users; and we reminisce about the ancient floppy disks that, until recently, underpinned the USA’s nuclear deterrent.
Listen below, or wherever you get your podcasts – just search for Naked Security.
In a case like the city of Johannesburg or any other ransomware, do they not have any antivirus, anti-malware or anti-ransomware software like Intercept X? Or they do have it and it just didn’t work?
The City of Jozi case isn’t ransomware in the traditional meaning of “implanted malware that attacks your system and locks up your files” – so we don’t know how (or even if) the crooks actually got in. The Jo’burg situation is that the crooks want to be paid *not* to do something (pay or we’ll leak the data we claim already to have stolen) rather than being paid to unlock scrambled data. Ironically, in attacks of this sort, which are much less common than file scrambling ransomware, but not a new thing either, if you pay up and nothing leaks you can never quite be sure whether the crooks kept their word, or whether they had nothing in the first place…
When it comes to file-scrambling attacks, it’s impossible to say how the crooks got in in every case. But in many of the cases I’m aware of where the post mortem revealed what probably happened, there was at least some, and often plenty, of advance warning from the security software on the victim’s network (whether Sophos’s or someone else’s, or both) that would have given away that crooks were preparing for something bad.
The problem is that if you don’t react in time, or you ignore warnings for too long, then the crooks are often able to promote themselves to system-wide admins – in other words, they have at least as much power as any sysadmin in your network – so it’s then very hard to stop them reconfiguring your network to make it attackable no matter how secure it was before…