Naked Security

ISS World “malware attack” leaves employees offline

A global facilities company with half-a-million staff has shuttered most of its IT systems after a malware attack.

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”
The company’s website currently shows a holding page, with no clickable links on it:

ISS World replaced its website with a static information page.

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.
The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.
As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.
But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4,000 in the UK, don’t have access to email, a serious operational blow to any modern business.
ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Two things right

As bad as it sounds, it seems that the company has done at least two things right: it has issued a clear statement of what it’s willing to say right now, and it has stated that it will tell us all more when it is sure of its facts.
It’s easy to jump down the throat of a business that suffers a cyberattack, to demand answers right away, and to assume that “something is suspicious” if the company demands time to investigate for some time before making a full statement.
In this case, we’d urge ISS World customers to be as patient as possible, and to give the company time to find out as much as it can, with as much forensic precision as possible, before expecting it to reveal what it knows.
Incidents of this size in a business this large are definitely a matter for the regulators and for law enforcement – so if there’s any chance of finding out who was responsible with the sort of evidence that would stand up in court…
…let’s hope ISS World can come up with it.

What to do?

Here’s our advice on how to keep crooks out of your network – not just for ransomware in particular, but for malware in general.

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Keep at least one copy offsite and offline, where an attacker who is already inside your network can’t find it or delete it.
  • Patch early, patch often. Attacks such as WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted malware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
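The “Lock down RDP” item above is the one most often skipped, so here is an added example of what it looks like in practice. This script is not from the article or from ISS World; it is an illustration of the hardening steps on a single Windows host, run from an elevated PowerShell session. The VPN address pool `10.8.0.0/24` and the lockout values are assumptions chosen for the example, and the script does not set up 2FA itself (that needs an RD Gateway or a third-party authentication provider, which is out of scope here).

```powershell
# Added example, not the article's own code: lock down Remote Desktop on one Windows host.
# Assumptions: RDP is only needed from a VPN pool of 10.8.0.0/24 (hypothetical value),
# and a 5-attempt / 15-minute lockout policy is acceptable for this host.
param(
    [switch]$DisableRdp,                          # set this when the host does not need RDP at all
    [string[]]$AllowedSources = @('10.8.0.0/24')  # only these sources may reach TCP 3389 (assumption)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

if ($DisableRdp) {
    # fDenyTSConnections = 1 switches the Remote Desktop listener off entirely.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # Close the inbound firewall rules as well, so nothing answers on 3389 even if the service is re-enabled later.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and its firewall rules switched off.'
    return
}

# 1. Require Network Level Authentication: credentials are checked before any session is created,
#    which removes the unauthenticated attack surface of the classic RDP logon screen.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
# Require TLS for the transport (SecurityLayer 2) rather than legacy RDP security.
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord

# 2. Only accept RDP from the VPN address pool; the host firewall drops everything else,
#    so the service is never directly reachable from the internet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedSources

# 3. Rate-limit password guessing with account lockout: 5 failures lock the account for 15 minutes,
#    counted over a 15-minute window.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 4. Show the resulting settings so the change can be verified (and recorded in a change ticket).
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, SecurityLayer
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter
net accounts
```

Two caveats a practitioner would want: account lockout is a blunt form of rate limiting, since an attacker who knows your usernames can lock legitimate staff out on purpose, so pair it with monitoring of failed logons (Windows event ID 4625) rather than relying on it alone; and the firewall allow-list is only as good as the VPN in front of it, which is why the VPN itself is the right place to enforce 2FA.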

8 Comments

Terminology.
As many ransomware strains use the drives mapped at the time they encrypt whole files, it’s not that important that backups are off-site, but rather that they are permanently offline. Backup volumes are online only for the time needed to make backups; otherwise they must remain off the network.

Remember that you don’t make backups *just for ransomware*. You make them for disaster recovery in general, including things like fire, theft, flood…
…and getting shut out of your own premises, which can happen even if you don’t have a disaster of your own. This is more common than you might think. If a neighbouring property has a gas leak, chemical spill, police investigation, suspected disease outbreak, or something like that, then you may be evacuated and temporarily blocked from accessing your own workplace – unable to access any locally-stored offline backups that would otherwise save your day by allowing you to restore key data elsewhere.
Cloud storage is implicitly offsite but needs some care if it is to be considered “off-line” as well – its convenience leads many people to keep it accessible all the time, or make it easy to get at without any physical safeguards. (Crooks don’t just scramble all your mounted drive letters – they also take the time to find, connect to and delete any backups they can find and access, local or remote.)

My name is [redacted]. I am a cleaner at [redacted]. I get paid every two weeks. What I want to know is: am I going to get my full wages on Feb 27th, as I need this money? Let’s hope you sort it by then.

The main ISS web page seems to be working again, which suggests that the company isn’t totally offline. But it is _very_ slow to respond [2020-02-21T14:45Z], and there is no link on there offering any update on the malware attack.
I tried to visit the company’s “news” section, which seemed the most useful thing to try, but got a holding page saying:
“Our services aren’t available right now
We’re working to restore all services as soon as possible. Please check back soon.”

Are we getting paid on 27 February? I work for ISS in [redacted].

See the comment above – it’s quarter to three p.m. on Friday 21 February 2020 here in the UK and ISS seems to be partly, but not fully, recovered. So we simply don’t know how long it will take for them to get back to normal (or normal enough). Sadly, we don’t have anything new to tell people yet…

Think its employees should have been told before it went all over the Internet.

When a company decides it’s time to pull the (network/power) plug, most likely it’s already too late to send out a communication.
Kinda like when a car is crashing: you don’t have time to say “put your seatbelts on”.
