CARY – Corporate networks remain at risk from the recent hack of Microsoft Exchange servers, and the CEO of Cary-based Technology Associates is warning companies to take immediate steps to prevent being hacked as well as making sure a security breach has not already occurred.

WRAL TechWire talked with Eric Hobbs about the latest developments in the hack, which was most likely carried out by a nation-state-backed group, following up on an interview we conducted earlier this month.

  • The Microsoft Exchange server hack is not over yet, is it? What’s happening now?

That is correct, the Microsoft Exchange breach is certainly not over. In fact, for those who were impacted prior to taking steps for security, unfortunately the impacts are likely still looming, and may be for some time. Due to the initial vulnerability, hackers had an opportunity to install command and control software and/or a public key, allowing them access and time to work undetected, at their own pace, and to strike at their convenience even after machines had the patch applied to remediate the original vulnerability.


  • Are companies in general responding or still ignoring the chance they could be hit?

We are hopeful that companies in the impacted industries have already taken action. This type of attack could produce a hefty price tag if measures of protection are not taken immediately. Companies should have already updated their on-premises Exchange server with the patch Microsoft released for this specific vulnerability. However, this patch will not eliminate access for hackers who have already breached a company’s system.

Plus, the cost and risk associated with running an on-premises Exchange server needs to be carefully weighed against Office365 – in today’s environment there is little if any reason for companies of less than 100 staff to be paying to maintain an on-premises Exchange server and dealing with the security risks and disaster recovery costs.

  • We understand that ransomware is now being linked to this hack? Why and how?

Late Thursday evening, Microsoft tweeted that they detected new ransomware being deployed after the initial compromise of servers due to the Exchange vulnerability that was previously identified. Microsoft released a name for the newly recognized ransomware, “Ransom:Win32/DoejoCrypt.A,” with a more common name of “DearCry.” In the case of this specific ransomware, it seems hackers were able to embed a public key into files that install ransomware, allowing hackers to encrypt files and charge victimized companies to decrypt their data.

  • What are the immediate steps companies should take if hit by a ransomware demand?

It is important to immediately identify and isolate impacted systems if possible, followed by disconnecting and powering down devices connected to the network to avoid any further spread. Companies hit by a ransomware demand should immediately contact their technology provider and cybersecurity insurance provider and, together, develop a plan. A critical part of that plan is forensics to ensure hackers aren’t still in control of your systems even after a recovery from ransomware.

  • What can be done to prevent a ransomware breach from happening? Do these steps differ from standard IT defensive measures?

Identifying best practices and performing regular audits on patching, logging, user accounts, and password changes are key routine actions to take to protect against all breaches, including vulnerabilities that open you up to ransomware. Companies should also recognize that training their entire team on how to recognize malicious emails and attachments is an important line of defense. In the unfortunate event that your company is compromised, it is key to have created a cyber-incident response plan with your IT team so that you are prepared with action items.
