In a recent advisory, the National Cyber Security Centre (NCSC) highlighted a significant trend towards more targeted ransomware attacks, where attackers invest time to stake out victims, identify business-critical files and systems and even wipe out back-ups so the high-stakes ransom demand must be paid.
The NCSC noted that attackers had previously concentrated on bulk attacks, relying on "economies of scale" to turn a profit: extracting relatively small ransom payments from a high volume of vulnerable devices.
However, throughout 2018 there’s been a shift towards highly targeted ransomware attacks.
Targeted ransomware represents a major escalation
Previously, ransomware has been thought of as a mass market attack. While still a threat, the reality was that ransom demands were perceived as 'affordable' and therefore not a major threat to business continuity.
"The shift towards more targeted attacks over the past 6 months represents a major escalation," says Joe Bertnick, Chief Technical Officer at Comtact Ltd.
Joe continues, "Cyber criminals understand the high ‘value’ of the data held by many mid-sized businesses such as legal firms, financial institutions etc."
"These businesses are not household names. But often their cyber security defences are easier targets compared to larger enterprises."
"So by targeting these firms and denying access to business-critical files and systems, we’ve seen ransomware attacks result in truly eye-watering payments - in the £ millions.”
"With these targeted attacks, the cyber criminals really go out of their way to ensure their actions have the maximum impact on the victim organisation, leaving the business with no choice but to pay the ransom. They've really raised the stakes."
Exploiting vulnerable RDP sessions
In the advisory, the NCSC warned companies that attackers exploit native tools:
"Attack vectors include remote administration tools, such as Remote Desktop Protocol (RDP). Cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions by stealing login credentials and other sensitive information."
The success of targeted ransomware such as SamSam, BitPaymer and Dharma will inspire further copycat attacks in 2019.
The methods for infecting systems with ransomware are similar to those used with other types of malicious software, as are the steps organisations can take to protect themselves. Organisations are advised to urgently implement best practice advice to mitigate the heightened threat.
Read the NCSC advisory: ncsc.gov.uk/news/ongoing-threat-organisations-ransomware
Steps to protect against ransomware
- Keep all devices and networks up to date - use the latest supported versions and apply security patches when prompted. Antivirus and regular scans will guard against known malware and other threats.
- Prevent and detect lateral movement in your enterprise networks.
1. Protect credentials
2. Deploy good authentication practices
3. Protect high privilege accounts
4. Apply the principle of least privilege
5. Lock down devices
6. Segregate networks as sets
7. Monitor networks
8. Consider using honeypots
- Implement architectural controls for network segregation. This will mitigate issues such as the exposure of Server Message Block (SMB), which is often used to enable ransomware activity.
- Set up a security monitoring capability. This will allow you to collect data that’s needed to analyse network intrusions.
- Whitelist applications. If supported, consider whitelisting permitted applications.
- Use antivirus. Keep any antivirus software up to date and consider using a product which benefits from improved threat intelligence and advanced analysis.
- Cloud-based virtual machines. Follow the cloud provider's best practices for remote access and familiarise yourself with your responsibilities when using IaaS.
- Administration model. Have extensive understanding of how your administration model works and how you control it.
- Phishing emails. Phishing attacks are often the first stage of a ransomware attack. Ensure you train users on how to identify a phishing email and the potential impact on your organisation.
- Regulate and limit external to internal RDP connections. Use secure methods, such as VPNs when external access to internal resources is needed.
- Back-up. Maintain a good back-up strategy.
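The monitoring and RDP points above can be combined into a simple detection: a burst of failed RDP logons from an external address followed by a successful one is the credential-guessing pattern the advisory describes. The script below is an added example, not code from the NCSC advisory or from Comtact; the event records are constructed to resemble Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RDP), and the thresholds are assumptions to tune per environment.

```python
# Added example: detect external RDP credential abuse in Windows logon events.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account, host)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2018-11-05T02:14:01", 4625, 10, "203.0.113.45", "administrator", "FS01"),
    ("2018-11-05T02:14:03", 4625, 10, "203.0.113.45", "admin", "FS01"),
    ("2018-11-05T02:14:06", 4625, 10, "203.0.113.45", "backup", "FS01"),
    ("2018-11-05T02:14:09", 4625, 10, "203.0.113.45", "svc_backup", "FS01"),
    ("2018-11-05T02:14:12", 4625, 10, "203.0.113.45", "jsmith", "FS01"),
    ("2018-11-05T02:15:40", 4624, 10, "203.0.113.45", "svc_backup", "FS01"),
    ("2018-11-05T09:00:00", 4625, 10, "10.0.4.17", "jsmith", "WS22"),       # internal typo
    ("2018-11-05T09:00:20", 4624, 10, "10.0.4.17", "jsmith", "WS22"),
    ("2018-11-05T11:30:00", 4624, 10, "198.51.100.7", "jdoe", "FS01"),      # external, no failures
]

def is_rfc1918(ip: str) -> bool:
    """True for private (10/8, 172.16/12, 192.168/16) or loopback IPv4 sources."""
    a, b, *_ = (int(o) for o in ip.split("."))
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def find_rdp_credential_abuse(events, min_failures=3, window_s=600):
    """Return alerts (host, source_ip, account, failure_count): an external source
    that accumulates >= min_failures RDP failures and then succeeds within window_s.
    Thresholds are assumed defaults, not values from the advisory."""
    failures = defaultdict(list)   # (host, ip) -> timestamps of recent failures
    alerts = []
    for ts, event_id, logon_type, ip, account, host in sorted(events):
        if logon_type != 10 or is_rfc1918(ip):
            continue               # only externally sourced RDP logons are of interest
        key, t = (host, ip), datetime.fromisoformat(ts)
        # Slide the window: forget failures older than window_s seconds.
        failures[key] = [f for f in failures[key] if (t - f).total_seconds() <= window_s]
        if event_id == 4625:
            failures[key].append(t)
        elif event_id == 4624 and len(failures[key]) >= min_failures:
            alerts.append((host, ip, account, len(failures[key])))
            failures[key].clear()
    return alerts

def external_rdp_logons(events):
    """Every successful RDP logon from a non-private address: each one is a
    direct external-to-internal RDP path that the advisory says to regulate."""
    return sorted({(h, ip, acct) for _, eid, lt, ip, acct, h in events
                   if eid == 4624 and lt == 10 and not is_rfc1918(ip)})
```

Run against real data, feed it the parsed 4624/4625 events from your SIEM and treat every `external_rdp_logons` hit as an exposure to close with the VPN/gateway control described above.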
About Comtact Ltd.
Comtact Ltd. is an award-winning specialist Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.