Cyber attacks are taking on a disturbing and highly focused dimension, with attacks being crafted to individual organisations for maximum effect.
What is ransomware?
Ransomware is a particular type of malware that works by encrypting a victim’s files, then showing a “ransom” note asking the victim to pay money to obtain the decryption key from the cybercriminals who launched the attack. Historically this has been automated, with victims accidentally downloading and installing the ransomware, and it has not been a specifically targeted criminal activity. You can find out more about generalised ransomware on the National Cyber Security Centre’s website.
Human-operated ransomware is a directed criminal activity in which specific companies are targeted by cybercriminals. It is carried out by people who are aware of the latest bugs and common misconfigurations in the most popular security devices. Because these campaigns are targeted, they tend to run for much longer, as the attackers are willing to invest their time for the greater potential reward.
To ensure they know how best to carry out the attack, the attackers will normally have identified, scouted and probed the target to see what technology its perimeter IT network contains. Once they have carried out this reconnaissance, they can determine the best method of entry. Commonly this is via weaknesses such as Remote Desktop Protocol (RDP) sessions that are open to the internet, or via common attack techniques such as trojans, fake updaters or phishing emails containing a malicious link sent to targeted staff.
Once the attackers have a foothold on the network, they can start to move across it, gaining control of more important systems. This is usually combined with turning off the anti-virus after gaining admin access. To cover their tracks they will also clear the event logs, making detection and remediation much more difficult.
What should your business do to prevent attacks?
There are several ways you or your IT service provider can improve your security to help avoid ransomware attacks. These include:
- Ensure Anti-Virus (AV) is enabled on all servers
- Any external facing remote access sessions are locked down to specific users or locations
- Ensure the firewall is secure and that the configuration is regularly reviewed
- Enable Multi Factor Authentication on externally accessible services wherever possible
- Ensure all local admin accounts use randomised usernames and passwords
- Monitor event logs for brute force attacks (Event ID 4624) and for clearing of the event log (Event ID 1102)
- Run external “penetration tests” to check for the same weaknesses that attackers are searching for
- Train staff to spot phishing e-mails and in good IT security practice generally
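The event-log monitoring point above can be turned into a simple detection. The following is an added example, not code from the original article: it runs over a constructed sample of exported Windows Security events (the field names, the IP addresses and the 60-second/5-event threshold are assumptions) and flags a burst of logon events from one source address, plus any occurrence of Event ID 1102.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4624 = successful logon (the ID the article cites); 4625 = failed logon, added
# here because a brute force usually appears first as a burst of failures.
LOGON_IDS = {4624, 4625}
LOG_CLEARED_ID = 1102     # "The audit log was cleared"

def ev(eid, ts, ip="-", user="-"):
    """Build one record with the fields an exported Security event carries."""
    return {"EventID": eid, "TimeCreated": ts, "IpAddress": ip, "TargetUserName": user}

# Constructed sample log (not real telemetry): a night-time burst of failed
# logons from one address followed by a success, two normal daytime logons,
# and a log-clear event shortly after the burst.
SAMPLE_EVENTS = (
    [ev(4625, f"2024-03-01T02:00:{s:02d}", "203.0.113.7", "admin") for s in range(0, 40, 5)]
    + [ev(4624, "2024-03-01T02:00:45", "203.0.113.7", "admin")]
    + [ev(4624, "2024-03-01T09:15:00", "198.51.100.4", "j.smith"),
       ev(4624, "2024-03-01T13:02:10", "198.51.100.4", "j.smith")]
    + [ev(1102, "2024-03-01T02:05:12")]
)

def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` logon events inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] in LOGON_IDS:
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["TimeCreated"]))
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged

def find_log_clears(events):
    """Timestamps of every 'audit log cleared' event; any occurrence is an alert."""
    return [e["TimeCreated"] for e in events if e["EventID"] == LOG_CLEARED_ID]

def alerts(events):
    out = [f"brute force suspected from {ip}" for ip in find_brute_force(events)]
    out += [f"security log cleared at {t}" for t in find_log_clears(events)]
    return out

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_EVENTS)))
```

On a real host the same records can be pulled with PowerShell's Get-WinEvent and exported as JSON before being fed to these functions.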