
Security curve: How gambling firms should safeguard against ransomware attacks
Hedgehog Cyber Security CEO Peter Bassill breaks down the SBTech cyber-attack with Amar Singh, CEO at Cyber Management Alliance

The Maze ransomware was discovered on 29 May 2019 by Jerome Segura. Maze is a complex piece of malware that uses different techniques to gain entry to systems: it relies on exploit kits, on remote desktop connections with weak passwords, or on email impersonation. Those emails came with a Word attachment that used macros to run the malware on the system.
The mind-blowing thing here is that these methods are easy to prevent, and we’re surprised businesses get caught by this. But then people have bad days, and phishing emails can look very convincing.
When SBTech confirmed it had been the target of an attempted ransomware attack in April, the firm was listed by Maze as one of its victims, along with Curacao-licensed online sportsbook BetUS, cyber-security insurance firm Chubb, and the French firm Bouygues Construction.
Gaming companies are usually ahead of the curve in defending against these types of attack. It is perfectly possible that SBTech just had a bad day and someone clicked a link. For Maze to have been successful, the attackers would have needed a foothold inside SBTech, most probably gained from a phishing email.
Ransomware can be tricky to clean out, and often a firm will end up resorting to a restore from its last known good backup. SBTech is going to face a lot of uncertainty now as it wonders whether it has closed all the doors and eradicated all the malware.
As it comes to the end of the recovery phase, with restoration of all services complete, its main concerns will be that all customer data was securely encrypted and that there has been no breach.
Future prevention
The best defence against this form of malware and ransomware is good cyber-security hygiene — a real multi-layered defence-in-depth approach to securing the business.
As in other walks of life, you can only treat a problem by first admitting it exists. Consequently, management needs to begin by accepting that cyber criminals will establish a foothold and that they are likely ‘living’ in your digital networks right now.
That means creating and implementing a corporate cyber resilience strategy (rather than a cyber-security strategy) which focuses equally on protection, rapid detection and rapid response.
There is no real tangible information on how the SBTech attack happened, but from the dumps published by Maze we can draw some valuable findings for similar firms.
The user
It all starts with the user: implementing stronger passphrases, monitoring user accounts for signs of compromise, and ensuring that passphrases are changed every 90 days. The simplest way for a breach like this to occur is for an attacker to guess a user’s password. With services like Have I Been Pwned, users can check whether their passwords have been published. Attackers also use this tool to identify any password patterns in use.
Staying safe
Segmentation of internal file storage is hugely important, and firms should keep all customer data logically, and ideally physically, separate from business data. This looks to be something SBTech did well, as there is no player data within the dumps.
With good internal file segmentation, should the worst happen and a company be hit with ransomware, it stands a good chance that not all of its files will be rendered unreadable.
With backups, firms really need three now. One is a local backup that is always cycling, probably on a weekly basis. Another is stored remotely from the firm’s systems; it should be pushed to a remote store every time the backup runs, but never overwriting any previous backups. This is a saviour against ransomware. The third backup should be stored on removable media and kept disconnected. If a full breach happens, this is the backup that might just save the system.
And remember to do test restores of each of the backup locations at least every four months.
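As an added illustration of the three-tier backup policy and the test-restore rule above (example code written for this article, not anything from SBTech, Hedgehog or the original piece), this Python check audits a backup inventory against those rules. The inventory, the dates and the thresholds (seven days for “weekly”, 120 days for “four months”) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Thresholds are my reading of the article's advice: the local backup cycles
# weekly, and every location gets a test restore at least every four months.
LOCAL_MAX_AGE_DAYS = 7
RESTORE_TEST_MAX_DAYS = 120

@dataclass
class BackupLocation:
    name: str
    tier: str                            # "local", "remote" or "offline"
    snapshots: List[date]                # backup runs still present at the location
    last_test_restore: Optional[date]    # None if a restore was never rehearsed
    disconnected: bool = True            # offline tier: media unplugged after the run
    pushed: List[date] = field(default_factory=list)  # remote tier: every run ever sent

def audit_backups(locations: List[BackupLocation], today: date) -> List[str]:
    """Return policy findings; an empty list means the three-tier policy holds."""
    findings = []
    present = {loc.tier for loc in locations}
    for tier in ("local", "remote", "offline"):
        if tier not in present:
            findings.append(f"missing {tier} backup tier")
    for loc in locations:
        newest = max(loc.snapshots, default=None)
        if loc.tier == "local" and (newest is None or (today - newest).days > LOCAL_MAX_AGE_DAYS):
            findings.append(f"{loc.name}: local backup older than a week")
        if loc.tier == "remote":
            # The remote store must keep every run ever pushed; any run that is no
            # longer there was overwritten or deleted, which defeats its purpose.
            lost = sorted(set(loc.pushed) - set(loc.snapshots))
            if lost:
                findings.append(f"{loc.name}: remote runs overwritten: "
                                + ", ".join(d.isoformat() for d in lost))
        if loc.tier == "offline" and not loc.disconnected:
            findings.append(f"{loc.name}: removable media is still connected")
        if loc.last_test_restore is None or (today - loc.last_test_restore).days > RESTORE_TEST_MAX_DAYS:
            findings.append(f"{loc.name}: no test restore in the last four months")
    return findings

# Constructed inventory and reference date for a quick run of the check.
TODAY = date(2020, 6, 1)
SAMPLE = [
    BackupLocation("nas-weekly", "local", [date(2020, 5, 18), date(2020, 5, 25)], date(2020, 4, 2)),
    BackupLocation("cloud-archive", "remote", [date(2020, 5, 11), date(2020, 5, 25)], date(2020, 1, 10),
                   pushed=[date(2020, 5, 11), date(2020, 5, 18), date(2020, 5, 25)]),
    BackupLocation("tape-offsite", "offline", [date(2020, 5, 1)], None),
]
```

Running `audit_backups(SAMPLE, TODAY)` on the constructed inventory reports the overwritten remote run from 18 May, the stale test restore on the remote copy and the missing test restore on the offline media, while the weekly local backup passes.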
Within their technology stacks, companies must be regularly patching all their systems, applications and services, and upgrading servers that are approaching the end of their life.
Patching within around seven days of the release of security updates is essential. After day seven, attackers have typically reverse-engineered the security patches and will have started to weaponise their code. By day nine, we usually see attack tools released to take advantage of the security vulnerabilities described in the patches.
Hedgehog is a penetration testing and cyber-security consulting firm based in Gibraltar with offices in the UK, Spain and Japan. Peter Bassill spent four and a half years as CIO at Gala Coral Group where he was responsible for prevention of digital attack from internal and external sources across the group’s UK, Europe and international businesses.