Insight

One month on is Log4Shell the calm before a Ransomware storm?

7 May 2024

What is it?

Log4Shell is a so-called zero-day vulnerability — named as such since affected organisations have zero days to patch their systems — that allows attackers to remotely run code on vulnerable servers using Log4j, the Java logging library developers use to keep a record of what’s happening inside an application as it runs. The vulnerability is tracked as CVE-2021-44228 and was given the maximum 10.0 severity rating, meaning attackers can remotely take full control of a vulnerable system over the internet without any interaction from the victim — and it doesn’t require much skill to pull it off.
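Because the flaw is triggered by untrusted text reaching the logger, one of the first things a security team can do while patches are being rolled out is check their own logs for the lookup string that Log4j interprets. The following is an added example (not code from the original article or from Apache) that parses constructed web-server access log lines and flags requests carrying a JNDI lookup in the URL, referer or user-agent field; the log format, IP addresses and hostnames are all assumed sample values.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in the common "combined" format (not real traffic).
# Lines 2 and 3 carry a lookup string, once raw in the user-agent and once URL-encoded in the URL.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:dns://example.invalid/probe}"
203.0.113.12 - - [11/Dec/2021:10:01:09 +0000] "GET /search?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.13 - - [11/Dec/2021:10:01:12 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.22"
"""

# Fields of a combined-format line; the three quoted fields are where attacker-controlled text usually lands.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The literal lookup prefix Log4j expands; matched case-insensitively, allowing stray whitespace.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(field: str) -> str:
    """Decode URL encoding twice so once- or twice-encoded text is compared in its raw form."""
    out = field
    for _ in range(2):
        out = unquote(out)
    return out


def find_lookup_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request, referer or user-agent carries a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # Lines in another format are skipped rather than silently mis-parsed.
        for field in ("request", "referer", "ua"):
            if JNDI_LOOKUP.search(normalise(match.group(field))):
                hits.append({
                    "ip": match.group("ip"),
                    "timestamp": match.group("ts"),
                    "field": field,
                    "status": match.group("status"),
                })
                break  # One record per line is enough for triage.
    return hits


if __name__ == "__main__":
    for hit in find_lookup_attempts(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} lookup string in {hit["field"]} (HTTP {hit["status"]})')
```

Two caveats a practitioner should keep in mind: the web server's access log only records what that server saw, whereas the vulnerable call is wherever the text eventually reaches Log4j (application logs, message queues and upstream proxies all count), and matching the literal lookup prefix is a starting point rather than a complete signature, so a clean result here does not prove the estate was untouched. Treat any hit as a reason to confirm the patch or mitigation status of every Log4j instance that could have logged that request.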

Who’s affected?

Since the news of Log4Shell first broke, the growing number of victims suggests thousands of big-name companies and services are likely affected by the flaw. Many of these companies have been quick to act. The Apache Software Foundation, which maintains the Log4j software, released an emergency security patch, as well as mitigation steps for those unable to update immediately. There are also a number of third-party mitigations available. However, given the wide-ranging nature of Log4Shell, and the likelihood that ransomware will follow, this is likely to be the calm before the storm. Patching or mitigating the vulnerability should be at the top of every security team’s priority list.

Insurance

Cyber Insurance remains a key part of any prudent business’s insurance protection. If you don’t have it, you should get cover in place. While cover can protect you from the worst of the financial impact, the specialist response services provided through most high-quality policies are even more important. You must however continue to act as if uninsured by making sure you have requested and installed security patches. Some policies may exclude cover if you fail to do this. Please speak with a member of our team if you want to know more. Please also refer to the information and guidance issued by the National Cyber Security Centre here.