Cybercriminals and nation-state hackers have become sophisticated enough to use ransomware to penetrate and immobilise large enterprises, federal governments, global infrastructure and healthcare organisations.
Ransomware is a type of malicious software that blocks access to data, usually by encrypting it, until the victim pays a ransom to the attacker. In most cases the ransom demand comes with a deadline; if the victim does not pay in time, the data may be destroyed or the ransom increased.
New marketplaces have emerged on the dark web offering malware strains for sale to anyone who wants to become a cybercriminal, which earns the malware developers extra money on top of their own operations. The most affected targets have been critical infrastructure networks, and there has been a rise in ransomware attacks on healthcare and pharmaceutical companies producing FDA-approved products; there the attacks focus on intellectual property rather than on the encrypted data alone.
A Few Actionable Points for SOC and NOC Admins: –
* Receive actionable intelligence on compromised credentials, personal information and data breaches by monitoring the dark web on a regular basis.
* Make informed security decisions based on evidence-based knowledge repositories on threat actors and their capabilities, and create an effective plan to dismantle threats before they attack.
* Plan a mitigation approach for weaknesses, prioritised by the risk score of the vulnerabilities in your infrastructure.
* Manage reputation risk through effective digital platforms. Companies with damaged reputations may also lose the support of customers, investors and other counterparties, causing a reduction in revenue.
* Have processes and methodologies to gauge the risk posed by third-party vendors, as they can also be a potential threat vector into your environment.
* Constantly keep an eye on fraud intelligence about illegitimate businesses that facilitate identity theft or other forms of cybercrime.
Approach on Ransomware Attacks:-
* Prepare to Prevent – Have a solution that gives 360-degree visibility, allowing you to quickly map critical assets, data and backups. Use software that can create zero-trust micro-perimeters around critical applications, backups, file servers and databases, or alternatively create policies that restrict traffic between users, applications and devices. Keep at least one backup copy offline or immutable, since modern ransomware deliberately hunts for reachable backups before it encrypts anything.
* Detect to Remediate – Have a solution that alerts you to any attempt to gain access to applications and backups. Incorporate reputation-based detection that alerts on the presence of known malicious domains and processes. The moment a breach is identified, dwell time can be minimised and the attackers caught before they take their next step. Create isolation rules that allow rapid disconnection of affected areas of the network.
* Recover to Streamline – Finally, you will need complete visualisation capabilities that support either a big-bang recovery or a phased recovery strategy in which connectivity is restored in stages. Restore only from backups verified to predate the intrusion, otherwise the recovery simply reintroduces the malware.
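The "Detect to Remediate" step above, as an added example that is not code from the original article: a small reputation-based detector that runs over constructed sample host logs, raises alerts on known malicious domains and process names and on writes to protected backup hosts, and emits one isolation rule per affected host. The log line format, the indicator lists (`BLOCKED_DOMAINS`, `BLOCKED_PROCESSES`), the protected host names and the quarantine rule syntax are all assumptions made for the example, not real indicators or a real product's policy language.

```python
"""Reputation-based detection and isolation rules over sample host logs.

Added example (not code from the original article). Everything here is
constructed: the log format, the indicator lists and the host names are
hypothetical placeholders, not real threat intelligence.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator lists (hypothetical, not real IOCs).
BLOCKED_DOMAINS = {"payload-drop.example", "c2-beacon.example"}
BLOCKED_PROCESSES = {"locker.exe", "encryptor.bin"}
# Assumption: backup and file-server hosts are tagged ahead of time, and
# ordinary workstations are never expected to write to or delete from them.
PROTECTED_HOSTS = {"backup01", "fs01"}

# Assumed log line shape: "<timestamp> <host> <dns|proc|smb> <key=value ...>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proc|smb) (?P<detail>.+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    reason: str
    detail: str


def parse(line: str) -> Optional[dict]:
    """Split one log line into fields; unparseable lines return None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev: dict) -> Optional[Alert]:
    """Apply the three reputation/behaviour checks to one parsed event."""
    fields = dict(f.split("=", 1) for f in ev["detail"].split() if "=" in f)
    kind = ev["kind"]
    if kind == "dns":
        # Normalise case and a trailing dot so FQDN variants still match.
        name = fields.get("query", "").lower().rstrip(".")
        if name in BLOCKED_DOMAINS:
            return Alert(ev["ts"], ev["host"], "blocked-domain", name)
    elif kind == "proc":
        # Compare on the image file name only, whatever the path separator.
        image = fields.get("image", "").lower()
        base = image.replace("\\", "/").rsplit("/", 1)[-1]
        if base in BLOCKED_PROCESSES:
            return Alert(ev["ts"], ev["host"], "blocked-process", image)
    elif kind == "smb":
        # A write or delete against a protected host from a workstation is
        # how ransomware destroys reachable backups before it encrypts.
        if fields.get("target") in PROTECTED_HOSTS and fields.get("op") in {"write", "delete"}:
            return Alert(ev["ts"], ev["host"], "backup-write", ev["detail"])
    return None


def detect(lines) -> list:
    """Run every line through the checks and collect the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed line: skip it, never crash the detector
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def isolation_rules(alerts) -> list:
    """One quarantine rule per alerting host (hypothetical rule syntax)."""
    hosts = sorted({a.host for a in alerts})
    return [f"deny from {h} to any except soc-quarantine" for h in hosts]


# Constructed sample logs: one infected workstation (ws-17) and one clean one.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z ws-17 dns query=updates.example",
    "2024-05-01T09:00:05Z ws-17 dns query=payload-drop.example",
    "2024-05-01T09:00:09Z ws-17 proc image=C:\\Users\\a\\AppData\\Local\\Temp\\locker.exe",
    "2024-05-01T09:00:12Z ws-17 smb target=backup01 share=backups op=delete",
    "2024-05-01T09:01:00Z ws-22 smb target=fs01 share=docs op=read",
    "2024-05-01T09:01:30Z ws-22 proc image=C:\\Windows\\System32\\notepad.exe",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.host} {a.reason}: {a.detail}")
    for rule in isolation_rules(found):
        print(rule)
```

On the sample data only ws-17 alerts (one blocked domain, one blocked process, one delete against the backup host), so a single isolation rule is produced; the read from ws-22 against fs01 is deliberately not an alert, because reads against file servers are normal and alerting on them would bury the signal. In a real deployment the indicator sets would be fed from the threat-intelligence sources described in the SOC points above rather than hard-coded.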
CERT-In's Role as per the Information Technology Act: –
CERT-In works towards the goal of enhancing cyber security in India. It is the official nodal agency under the IT Act and is empowered, when there is an attack, to interview the key people in charge, carry out vulnerability assessments and penetration testing, list the existing security policies and controls, and assess the organisation's IT assets.
* Collects, analyses and shares information on cyber incidents taking place in India.
* Forecasts and issues alerts about cyber incidents.
* Issues emergency measures for handling cyber security incidents.
* Issues guidelines and advisories on information security best practices and procedures, and on the prevention and reporting of cyber incidents.
Ransomware in all its forms and variants poses a significant threat to both private users and companies. This makes it all the more important to keep an eye on the threat it poses and to be prepared for every eventuality. To summarise: some attackers never intend to return any data; others do return data at a price but have not properly implemented their decryption tooling; and some do not test their ransomware well enough for recovery to work at all. In each case, if ransomware protection fails, both money and data are lost, and the chance of this happening is not negligible.