Ransomware Attacks Grow More Targeted & Dangerous

Ransomware attacks used to have a broad scale. Think of the massive WannaCry attack that infected 200,000 machines in 150 countries over a handful of days in 2017.

Today, ransomware is much more targeted – and losses from the attacks have risen sharply, according to an FBI alert published last week.

The alert emphasizes that, since early last year, ransomware has become more targeted and more damaging to victims – even as the volume of attacks has not changed much.

More about this latest rash of attacks below.

Industries Hit by Ransomware

Attacks on state and local government have attracted attention, but the criminals are also showing preference for other sectors, according to the alert.

State and local government

Ransomware hit more than 20 local governments in Texas in a well-coordinated attack in August.

Attacks in this sector are up from 55 in 2018 to more than 80 so far this year, according to Recorded Future.

Healthcare

Three hospitals in Alabama turned away patients earlier this month after ransomware seized their systems. Leaders of the response paid an undisclosed ransom.

An August ransomware attack at Wood Ranch Medical, a California-based provider, locked patient medical records and forced the practice to permanently close.

Industrial

A ransomware attack at a massive aluminum producer this year generated staggering losses, estimated at $58 to $70 million.

This was recently eclipsed by a September attack on a major manufacturer of hearing aids with estimated losses of $90 to $95 million.

Arizona Beverages, one of the largest beverage suppliers in the U.S., was also hit this year, with more than 200 servers and computers infected. Staff had to rebuild the network from scratch at a massive cost.

Transportation

Falcon Transport, an Ohio-based trucking company, said its permanent closure in April partly caused by a ransomware attack earlier this the year.

Duie Pyle, a large Pennsylvania-based trucking company, was also hit by ransomware in June.

Tactics Used in Attacks

The FBI is receiving reports of the following tactics being used in these attacks.

Email Phishing

Attackers previously spammed the masses with email, hoping to land a few fish. Today’s attacks are more targeted, using messages more closely tailored to the victim’s context – such as their job or industry.

Remote Desktop Protocol

Attackers use brute-force and purchased credentials to gain remote access to the victim’s system. Once breached, installing ransomware on the system is trivial.

Software Vulnerabilities

The FBI alert cites a recent attack exploiting flaws in the remote management tools used by managed service providers. The clients of at least three MSPs had ransomware installed on their systems once attackers controlled the RMM tools.

Reports surfaced this week of a ransomware strain that exploits an iTunes vulnerability (Windows version). The flaw allows attackers to evade detection by antivirus software, according to PC Magazine.

Ransomware Protection & Prevention

Recommended practices from the FBI and elsewhere to prevent a ransomware disaster.

Keep backups

“The most important defense for any organization against ransomware is a robust system of backups,” according to the FBI alert.

That said, backups can help only if they are configured correctly. Test them periodically, and always keep a set offline.

Plan for disaster

No company can guarantee they will remain clean of ransomware – so plan for disaster before it strikes. Make contingency and remediation plans. Test the plans periodically.

Train users

Email phishing is the most common means of malware infection. This is partly due to the reliable incompetence of users. Raise your uses’ competence. Train them on safe email practices.

Automate patching

Always patch operating systems, firmware, and software – especially antivirus software. Ensure end-points are patched as soon as vulnerabilities are exposed. Automate patching when possible.

Follow Least-Privilege

Follow the principle of least-privilege to limit access to privileged accounts. Users should be granted access to the only systems and resources they need to perform their duties. Administrator accounts should only be used to perform certain tasks. Standard user accounts should be used at all other times.

Protect RDP

Close unused RDP ports and use two-factor authentication where possible. Here are more RDP security tips.

Block Bad Websites & Email

Filter web traffic and email to prevent users from accessing or receiving malicious content.

Restrict App Directories

Use software restriction policies or other controls to prevent programs from executing in directories favored by ransomware, such as the AppData/LocalAppData folder.

Restrict Allowed Apps

Configure an application whitelisting solution to allow only approved software to run on workstations and servers. If ransomware reaches a machine, this can prevent it from running.

Separate Data

Categorize the data in your organization by value and use physical and logical separation to keep them apart. For example, customer data should not reside on the same server or network segment as a company’s email environment.

 

Email Phishing for IT Providers

Related Resources

Hacker Group Targeting IT Providers and Customers

BlueKeep: Severe Vulnerability in Windows RDP


Written by Calyptix

 - October 11, 2019

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
GET STARTED
MSPRESELLER
home
contact
call us
call
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram