Cyber risk lessons from the ZHA ransomware attack


The ransomware attack on Zaha Hadid Architects emphasises the increased cyber risk posed by Covid-19, writes Andy Barratt

Over the past six weeks, we’ve seen the very best and worst of humanity as the UK has rallied to tackle the spread of coronavirus. It’s perhaps no surprise that, while much-celebrated army veteran (now Colonel) Tom Moore was completing the 100th lap of his garden fundraiser, London-based Zaha Hadid Architects (ZHA) was being held to ransom by cybercriminals.

The sad truth is that cybercriminals, both as individuals and groups, will look to exploit the opportunities created by states of emergency. There has been a blitz of new scams targeting consumers and businesses alike since the outbreak of COVID-19, particularly as firms have been tasked with quickly mobilising remote working for the majority of employees. More than 2,000 new scams relating to the virus have been shut down by the National Cyber Security Centre since the UK went into lockdown.

Some sectors are naturally more attractive than others to cybercriminals, based on the data and goods they transact. Architecture is not naturally one of them but, as ZHA found out, it is not immune to the attention of malicious actors. Given the lower level of risk in the sector, it was heartening to see such a thoroughly well-organised response from ZHA after it went public last month on the ransomware attack concerning data on one of its servers.

Ransomware is a particularly nasty ‘cash out’ mechanism for an intruder because of the interruption to the business it creates. It’s essentially an old-school organised crime extortion method reimagined for the 21st century. Instead of a burly aggressor brandishing a baseball bat and demanding cash in exchange for safety, we have an invisible intruder claiming to have locked a business out of its files with money demanded in exchange for access being restored.

ZHA refused to pay the ransom and benefited from the fact that its data was backed up.

There’s a high probability that ZHA was targeted directly as a well-known firm that receives regular media coverage in relation to its financial performance, including increased profitability and salary increases for its senior staff. Ultimately, it is a high-value target.

That being said, it would be unfair to rule out the possibility that the firm’s vulnerabilities were discovered as part of a broad phishing campaign that targeted a large number of businesses. Prior to Covid-19, we conducted a study that indicated that people remain one of the most prevalent security risks to businesses across the economy. With the majority of the UK working from home and IT teams focused on supporting the introduction of new communication tools, the likelihood of employees unwittingly helping cybercriminals to access their systems will have only increased.

A well-motivated intruder will usually find a way in, even if it involves manipulating staff, so defence strategies should focus on detection and recovery, not just on protection. Typically, the faster a breach is detected, the less impact it has and the cheaper it is to fix.

The best recovery strategy in the case of a ransomware attack is a well-managed backup system with a granular restoration process so that a point in time can be recovered prior to the attack being deployed. This is exactly how ZHA responded.

With a comprehensive history of backups and a recovery process that essentially de-valued the attackers’ target, the firm will have been able to focus on the initial point of attack, how the intruder gained access, and identify mitigations that could have been put in place to limit it (as well as any secondary attack that usually takes place after an initial compromise).

The architecture industry is not commonly considered a priority target for cybercriminals. But, wherever there is valuable data – whether financial, personal or project-related – there is always risk. In these increasingly chaotic times, it’s important that firms protect themselves against opportunism.

Andy Barratt is UK managing director of cyber security consultancy Coalfire
