theDocumentId => 746811 Ransomware Attacks Target Public & Government Orgs ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

10/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Ransomware Attacks Target Public & Government Orgs With More Frequency, Ferocity

For a while, ransomware attacks, and the actors behind them, targeted businesses and private enterprises. Now, since the start of 2018, it's increasingly a public affair.

Anupam Sahai, the vice president of product management at Cavirin, which makes compliance and risk management tools for hybrid clouds, noted in an email that ports are one of 16 different critical infrastructures listed by the US Department of Homeland Security.

An attack against a port could be a test run of a bigger attack that is being planned.

"A compromised port facility may also provide easier entry for nuclear, biological, or chemical agents to be used in future physical attacks," Sahai wrote.

Better prepared
What complicates ransomware attacks on public institutions, besides the underlying motive, is the whole notion of money -- specifically, that government institutions lack the cash to pay ransoms or have strict rules prohibiting such action.

Many of these agencies and organization also lack the cybersecurity skills to fight off, or at least recover from, a ransomware attack.

Port of Barcelona\r\n(Source: iStock)\r\n\r\n\r\n\r\n\r\n
Port of Barcelona
\r\n(Source: iStock)\r\n\r\n\r\n\r\n\r\n

Ovum's Turner notes that the NHS knew it had systems that needed patching, but the IT and security staffs could not find the time or resources to conduct all the proper maintenance of its IT infrastructure. He noted:

Add to that the fact that some ransomware attacks such as WannaCry exploit common, well-known and well-documented vulnerabilities that should have been patched months beforehand, but which IT departments in places such as the UK's National Health Service were unable to patch across their entire infrastructure because they couldn't find the right moment to take down vital assets to perform the update. This makes for a perfect storm of "operationally justifiable vulnerability" that ransomware attacks can exploit at their leisure.

Still, state and local governments, along with other public agencies, need to take the security steps that they can, which includes developing a multi-layer program that can stop malware and other intrusion from coming onto the network to start, said Darius Goodall, pirector of product marketing at Barracuda Networks, who has worked with Miami, Oklahoma City and others on cybersecurity prevention.

While prevention is the key, Goodall concedes that ransomware can still get through. In that case, government agencies need specific backup plans to get systems restored and to ensure that services continue for the public.

"If data backup is not in place, there are a few steps one can take. First, find out what type of ransomware it is, e.g. encryption, screen-locking, etc., from there you can see if you're still able to access files, especially from another location like a mobile device. If so, then the ransomware is likely fake," Goodall wrote in an email.

"If it's encryption or screen-locking, disconnect from your network and use anti-malware or antivirus software to clean the ransomware and use a data recovery tool to help find those deleted files that are often trashed once ransomware encrypts new copies," he added.

Goodall adds that he never recommends any cyber attack victim negotiate with threat actors, but he understands the temptation of doing so. Instead, as the clich goes, the best offense is a good defense.

"The real challenge many organizations face is implementing the security measures necessary to prevent your organization from ever finding itself in the position in the first place," Goodall wrote.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.