In a recent advisory, the National Cyber Security Centre (NCSC) highlighted a significant trend towards more targeted ransomware attacks. In these attacks, attackers invest time in identifying victims, identifying business-critical files and systems, and even wiping out backups so that the victim is pressured into paying the high-stakes ransom demand.
The NCSC noted that attackers have previously concentrated on bulk attacks, relying on “economies of scale” to extract profits and relatively small ransom payments from a high volume of vulnerable devices.
However, throughout 2018, there has been a shift towards highly targeted ransomware attacks.
Previously, ransomware was thought of as a mass-market attack. Although it was still a threat, ransom demands were perceived as ‘affordable’ and not a major threat to business continuity.
“The shift towards more targeted attacks over the past 6 months represents a major escalation”, says Joe Bertnick, Chief Technical Officer at CyberOne.
Joe continues, “Cybercriminals understand the high ‘value’ of the data held by many mid-sized businesses, such as legal firms, financial institutions, etc.”
“These businesses are not household names. But their cyber security defences are often easier targets than larger enterprises.”
“So by targeting these firms and denying access to business-critical files and systems, we’ve seen ransomware attacks result in truly eye-watering payments - in the £ millions.”
“With these targeted attacks, the cyber criminals go out of their way to ensure their actions have the maximum impact on the victim organisation, leaving the business with no choice but to pay the ransom. They’ve raised the stakes.”
In the advisory, the NCSC warned companies that attackers exploit native tools.
“Attack vectors include remote administration tools, such as Remote Desktop Protocol (RDP). Cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions by stealing login credentials and other sensitive information.”
The success of targeted ransomware such as SamSam, BitPaymer and Dharma will inspire further copycat attacks in 2019.
The methods for infecting systems with ransomware are similar to those used with other types of malicious software, as are the steps organisations can take to protect themselves. Organisations are advised to urgently implement best practice advice to mitigate the heightened threat.
Understand the real consequences of suffering a ransomware attack and its dire impact on your organisation, no matter the industry or size.