We invite you to the second part of our considerations on ransomware (part 1 available here). What are real cases of attacks, and what are good defense practices in cyberspace for your company? We welcome you to read on!
Cases from other companies
One of the most prominent cases in recent years was the attack on Norsk Hydro, a giant in the aluminum industry. The attackers managed to gain access by having an employee open an email attachment that came from a trusted source (the mailbox of a trusted individual was compromised and used in the attack). Within a few days, the attackers were able to establish continuous access to the infrastructure, which they subsequently encrypted. This case is significant not only due to the financial scale (the company lost over 40 million dollars) but also because they chose to be transparent about it. They kept the company informed in real-time about the ongoing situation and how the IT teams were combating the threat, working to restore the company's operations. If you'd like to read more about this topic, we recommend an article on Microsoft's website regarding this specific attack.
Another significant ransomware attack that affected hundreds of thousands of computers worldwide was the so-called WannaCry. In 2017, hackers known as the Shadow Brokers exploited an advanced vulnerability called EternalBlue in the Windows operating system. This vulnerability was said to have originated from the U.S. National Security Agency (NSA) and had reportedly been used by government hackers (APT groups). EternalBlue targeted a flaw in the Microsoft Server Message Block 1.0 (SMBv1) protocol, using it to gain remote execution access to the victim's computer with delivered code. Moreover, the virus had the capability to self-propagate across networks. Entities such as hospitals, universities, and automobile manufacturers were among those affected. The ransomware screen demanding payment even appeared on ATM screens
Figure 1 - Program window appearing after the execution of the WannaCry ransomware.
Figure 2 - Infected ATMs in China.
Best Practices
So, how can you protect yourself from ransomware attacks? There isn't a single answer to that question because each company's infrastructure is slightly different. However, you can adhere to generally accepted good security practices that will help minimize the threat and, in case of an attack, allow you to effectively recover your data.
Before we delve into tips specifically about ransomware, we encourage you to familiarize yourself with general security advice that Innokrea offers on our blog:
- https://www.innokrea.com/blog/10-for-online-security/
- https://www.innokrea.com/blog/increase-your-internet-security-with-innokrea-dont-let-yourself-be-robbed-part-2/
- https://www.innokrea.com/blog/enhance-your-online-safety-with-innokrea-dont-let-yourself-be-robbed-part-3/
In addition to the practices we recommend, here's what you should consider:
- Have a prepared threat response plan, ensuring your IT team is ready for such a scenario. This can help you act in a more rational and calculated manner during a stressful attack.
- Maintain isolated backups, either in a separate network environment or an entirely different infrastructure. Test the functionality of backup copies.
- Estimate how long it would take to restore your company's operations and what financial losses could arise from such an incident.
- Isolate guest networks in cases where your company has an office. There have been instances where guests logging into the office Wi-Fi gained access to production servers, which is unacceptable.
- Utilize Infrastructure as Code (IAC) tools like Terraform and version control systems like Git. Configuration should be consistent, well-thought-out, and any changes should be approved by at least two individuals knowledgeable in the respective technology.
- Regularly update all software you use and monitor for vulnerabilities in the software you rely on. Scanners, feeds, and even Twitter can be useful in this regard.
- Implement a form of two-factor authentication that is not susceptible to phishing.
- Adhere to good practices regarding permission management and a zero-trust policy.
- Invest in training for both IT staff and regular employees to ensure they can appropriately respond to attacks and even recognize phishing attempts.
- if you're technically inclined, make sure to explore the CISA Stop Ransomware Guide, which thoroughly discusses good practices for countering ransomware: https://www.cisa.gov/resources-tools/resources/stopransomware-guide
Summary
We hope this short series on ransomware has been useful and intriguing for you. Remember that we're never completely safe in the cyber realm, but by employing proper cybersecurity practices and hiring knowledgeable individuals, we can protect our businesses and, in the event of a successful attack, minimize the losses incurred by the company. See you next week!
Sources:
