ISS World “malware attack” leaves employees offline

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it:

ISS World replaced its website with a static information page.

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.

The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4000 in the UK, don’t have access to email, a serious operational blow to any modern business.

ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Two things right

As bad as it sounds, it seems that the company has done at least two things right: it has issued a clear statement of what it’s willing to say right now, and it has stated that it will tell us all more when it is sure of its facts.

It’s easy to jump down the throat of a business that suffers a cyberattack, to demand answers right away, and to assume that “something is suspicious” if the company asks for time to investigate before making a full statement.

In this case, we’d urge ISS World customers to be as patient as possible, and to give the company time to find out as much as it can, with as much forensic precision as possible, before expecting it to reveal what it knows.

Incidents of this size in a business this large are definitely a matter for the regulators and for law enforcement – so if there’s any chance of finding out who was responsible with the sort of evidence that would stand up in court…

…let’s hope ISS World can come up with it.

What to do?

Here’s our advice on how to keep crooks out of your network – not just for ransomware in particular, but for malware in general.

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Attacks such as WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted malware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.