On di.dk we use cookies for multiple purposes relating to functionality, web analyze, and marketing. If you continue, you accept cookies for these purposes. You can read more about cookies and change your cookie settings on this page.

The day cyber criminals locked all files at RTT

Companies are increasingly hit by cybercrime, and according to experts, the threat can no longer be dealt with simply by pouring more money into hardware. The question is: Is your company prepared to face the new threat picture?
Cybercrime is here to stay and has today become extremely organised. For the criminals at the other end, it has become big business.

Publiceret: 27.04.2017
Af Karen Witt Olsen mail

On 30 November, everything came to a standstill at Danish auto company RTT’s five branches around the country.

An employee at the main office had clicked on a file in an email. It looked a lot like the PDF files that come from scanners - for example, it said “Canon” in the file name - but in reality, it had been sent by cyber criminals.

The little click on the virus file locked all files on RTT’s common drives.
RTT, which, among other things, specialises in equipping and renovating delivery vans with new wrapping and interior, was hit by a kind of attack that is becoming more and more widespread - a so-called ransomware attack. In these kinds of attacks, cyber criminals succeed in encrypting an individual’s or company’s files and demand a ransom to unlock them.

According to the Centre for Cyber Security, both this type of attack and espionage attacks, in which companies are robbed of confidential information, are becoming increasingly common.

At RTT, however, it never became a question of paying the ransom, because the company was well prepared. Nevertheless, the attack has led to tightened procedures at RTT, which we will return to, and this is largely due to the worsening threat picture, explains IT Officer Birgitte Carlsen.

“The threat is only becoming larger, and we need be even better at protecting ourselves in order to keep servicing customers,” she says.

See also: Top nine cyber security tips

Two cyber threats dominate

The number of threats is growing, confirms Thomas Lund-Sørensen, director of the Centre for Cyber Security at the Danish Defence Intelligence Service.

“There are outbreaks of two main threats. One is cyber espionage, in which foreign states in particular go after strategic interests as well as data and secrets within the industry or other skilled high-tech companies. The other is cybercrime, in which criminal groupings in e.g. Eastern Europe attack companies to make money,” he says.

Both threats - and many more on the cyber security front – pose a huge challenge for Danish companies right now. According to accounting firm PwC’s “Cybercrime Survey 2016”, 69 per cent of companies in Denmark have been victims of cybercrime and 65 per cent have become more worried about the cyber threat than they were 12 months ago.

See also: Report cyber crime with the police

Like locking the front door

The increase in the number of threats and, not least, the increasingly refined and cunning nature of these threats, which play upon human mistakes, require that companies take action - and of a slightly different kind than we have been used to. This is the assessment of cyber security expert Morten Rosted Vang from the Danish ICT and Electronics Federation:

“It is necessary that Danish companies implement a cyber security culture and protect their data and IT systems as a matter of course, just as you lock your front door or choose to have video surveillance, alarms or security guards,” he says.

This is not always the case today. It is true that companies are investing more in cyber security. According to Statistics Denmark’s annual report on IT usage, more than every fourth company increased its investments in cyber security last year compared to the previous year.

But because of the nature of the threats - not least the fact that cyber criminals are constantly using new holes and creating more convincing scams - there is a need for something other than investments in new hardware.

“We can talk about a need for implementing a security culture in the digital field - a matter that leads back to the discussion of teaching digital behaviour already in primary school. When we are online, it is a similar situation to standing in a crowded bus in Copenhagen or walking down Strøget in the tourist season. We should not avoid these situations, but it is a good idea to have your wallet in your front pocket instead of your back pocket,” says Morten Rosted Vang.

This naturally does not mean that traditional security measures should be forgotten, and it does not necessarily need to be expensive.

The companies should for example carry out a completely ordinary risk assessment: Are we aware of the threats? Is our cyber security in order in relation to our type of business and products? Do we regularly update our systems and programs? Is access to confidential files under control? And have we made back-ups if systems crash or are hit by cyber criminals?

Læs også: Well-organised criminals trick companies out of millions

Even more back-ups at RTT

It was a new risk assessment that made RTT tighten its procedures after the latest attack. A calculation of how much the attack in November had cost, for example because the company lost data from the day’s work, has resulted in a new back-up procedure.

“Now it happens once an hour,” explains Birgitte Carlsen, IT officer at RTT. Previously it was once a day.

It is also a principle at RTT that employees should not constantly have to worry about whether their actions are right or wrong.

“So if something should happen, the damage is negligible,” she says.
Organised forces are responsible
Cybercrime is here to stay and has today become extremely organised. For the criminals at the other end, it has become big business.

If you look at cyber espionage, in which companies are robbed of confidential information about e.g. products, organised forces are responsible, according to the Centre for Cyber Security.

The hackers’ behaviour alone provides a hint of how organised the business is and suggests that in some places in the world, it constitutes the hackers’ livelihood.

“We see that hackers have normal working hours and work rhythm, and this tells us that it is a highly functional machine,” says Thomas Lund-Sørensen.

When it comes to cybercrime, it is also an area in which criminals increasingly experience success.

“There is a high degree of willingness to pay when they break in,” says Thomas Lund-Sørensen.

See also: EUR 500 popular among Danish criminals

Openness is important

RTT decided to come forward with with the company’s story, which is rather unique. Many companies that are attacked hush up the case and solve the issue with as much discretion as possible.

According to Morten Rosted Vang, companies often assess that coming forward will have negative consequences.

“But RTT’s story shows that this is not the case. It is important to bring the cases to the light so we can learn from each other and share experiences,” he says.

RTT has, in fact, received more customers since the company came forward publicly and talked about the cyber attack, says security officer Birgitte Carlsen.

“It is not dangerous to speak out loud about, because it also shows that we protect our customers’ information. People have seen us on TV, seen what we do - and contacted us anyway,” she says.

See also: Top economist wants to get rid of big banknotes

It cannot be silenced to death

Danish telecom company 3 also chose the open strategy when the company recently received a message from criminals who claimed to have gained access to customer data.

“We could have gone to the police without involving the public, but for us it was also about sending the criminals a strong signal to show that we will not negotiate with them,” says Sidsel Rosendal Olsen, director of customer management at 3.

This caused quite a stir in the media, but the company has not regretted the open response either.

“We won’t solve this kind of problem by silencing it to death. All companies ought to come forward and talk about it if they experience blackmailing. If everyone does this, the criminals’ threats will be diminished over time,” she says.

As a minimum, companies should direct their openness towards the Centre for Cyber Security, says Director Thomas Lund-Sørensen, who also notes that it is possible to use the centre’s special notification system. This has long been an option, but it is rarely used.

“Most often, we are the ones who contact the companies when we hear about harmful activity in our networks and inform that they have been attacked,” he says.

The threat is only becoming larger, and we need be even better at protecting ourselves in order to keep servicing customers.
IT OFFICER BIRGITTE CARLSEN, RTT
More info
Kontakt image
Direct: +45 3377 4707
Mobile: +45 2291 5081
E-mail: morvdi.dk
Your e-mail address will be used solely for this newsletter subscription. You can unsubscribe at any time here.
PUBLISHED: 4/27/2017 LAST MODIFIED: 4/27/2017