Once again, we are reviewing the aftermath of a series of cyber attacks that have made it to the headlines:
- European oil facilities hit by cyber-attacks - BBC News
- KP Snacks hack prompts crisp and nut supplies warning - BBC News
- Full cost of 2020 cyber attack on Sepa still not known - BBC News
- Cyber-attack strikes German fuel supplies - BBC News
- UK warned to bolster defences against cyber attacks as Russia threatens Ukraine - BBC News
What do they have in common?
Set aside the final article, which is government advice rather than a reported attack, and the common thread is ransomware: the gift to the cybercriminal that keeps on giving.
All of the organisations in these articles were hit by ransomware that crippled their infrastructure, bringing operations to a halt and causing financial loss; in SEPA's case, a direct loss of £2 million in fees.
Across these articles, two types of ransomware are mentioned:
- Conti ransomware appears to be behind the disruption at KP Snacks and SEPA
- Blackcat and Conti ransomware are associated with the disruption to the European oil and fuel suppliers
Details on the Conti Ransomware can be found here.
Details on the Blackcat Ransomware can be found here.
How the ransomware got in is not documented in these articles, although the BBC reports that the attack on SEPA was probably delivered through a malicious email and involved human error.
How does ransomware work?
Ransomware typically enters a company network by one of two routes.
The first is mass phishing: emails carrying a ransomware payload are sent to end users in the hope that someone opens the attachment, which triggers the attack.
Once active, the ransomware encrypts files and folders on every device it can reach. Depending on how advanced it is, it may also spread laterally to other devices, continuing until there is nothing left it can reach or encrypt.
The other route, now more widely adopted by cybercriminals because it potentially pays more, is targeted hacking. A criminal group (state-sponsored or not) picks a business and actively attacks it, trying to get into the company's network through phishing, exposed vulnerabilities in its infrastructure, or human error.
Once inside, the goal is to learn as much about the network as possible, collect as many administrative privileges as possible, disable anything that would make recovery easy, such as backup routines, and plant the ransomware payload.
This can take days, weeks or months. The aim is to do all of it undetected, so a slow, methodical approach works best: it is less likely to trigger alarms or alert sysadmins. When the time is right, the ransomware is triggered. Because the systems are already thoroughly compromised, the damage can be catastrophic, and if the attackers have done their job properly, recovery may be impossible.
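Two of the behaviours described above leave traces a defender can look for: the attacker destroying backups and recovery options before the trigger, and the sudden burst of file writes that look like random bytes once encryption starts. The following is an added example (not code from the original article or from any of the organisations it mentions) of both detections in Python. The log format, host names, file paths and file contents are all constructed for the example; the command lines matched (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no) are the well-known Windows commands for removing shadow copies, backup catalogs and recovery.

```python
"""Added example: two detections for ransomware behaviours.

1. Backup tampering: the attacker deletes shadow copies / backup catalogs
   and disables Windows recovery before triggering encryption.
2. Mass encryption: one host suddenly writes many files whose contents look
   like random bytes (high Shannon entropy), which ordinary documents do not.

The log format and all sample data below are constructed for this example.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# Well-known command lines used to destroy recovery options, matched
# case-insensitively against the full command line of each process event.
BACKUP_TAMPER_PATTERNS = [
    ("shadow copy deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deletion", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery disabled", re.compile(r"bcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no", re.I)),
]

# Constructed process-creation log: "<timestamp> <host> <user> | <command line>"
PROCESS_LOG = [
    "2022-02-01T02:14:03Z fs01 DOMAIN\\svc_backup | C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2022-02-01T02:14:05Z fs01 DOMAIN\\svc_backup | wbadmin delete catalog -quiet",
    "2022-02-01T02:14:07Z fs01 DOMAIN\\svc_backup | bcdedit /set {default} recoveryenabled no",
    "2022-02-01T09:01:11Z ws22 DOMAIN\\alice | C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n report.docx",
    "2022-02-01T09:02:40Z ws22 DOMAIN\\alice | vssadmin list shadows",  # listing is benign admin activity
]


def scan_process_log(lines):
    """Return one alert dict per command line that matches a tamper pattern."""
    hits = []
    for line in lines:
        head, sep, command = line.partition(" | ")
        fields = head.split()
        if not sep or len(fields) < 3:
            continue  # malformed line: skip it rather than crash the detector
        ts, host, user = fields[:3]
        for label, pattern in BACKUP_TAMPER_PATTERNS:
            if pattern.search(command):
                hits.append({"ts": ts, "host": host, "user": user,
                             "label": label, "command": command.strip()})
                break  # one alert per command line
    return hits


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pseudo_ciphertext(seed, size=4096):
    """Deterministic stand-in for encrypted file content (constructed; not a cipher)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()  # chained digests look like random bytes
        out += block
    return out[:size]


PLAINTEXT = b"Q3 figures: revenue up 4%, costs flat, headcount 212.\n" * 60

# Constructed file-write events: (host, path, content written)
WRITE_EVENTS = (
    [("fs01", f"\\\\fs01\\finance\\report{i}.docx.locked", _pseudo_ciphertext(f"fs01-{i}"))
     for i in range(6)]
    + [("ws22", "C:\\Users\\alice\\Documents\\notes.txt", PLAINTEXT),
       ("ws22", "C:\\Users\\alice\\Documents\\draft.docx", PLAINTEXT[:1500]),
       ("ws22", "C:\\Users\\alice\\Downloads\\photos.zip", _pseudo_ciphertext("zip"))]  # one archive is normal
)


def flag_mass_encryption(events, min_entropy=7.0, min_files=5):
    """Return {host: count} for hosts that wrote at least `min_files` files whose
    content entropy is >= `min_entropy` bits/byte. A single compressed or
    encrypted file is everyday activity; a burst of them from one host is not."""
    high = defaultdict(int)
    for host, _path, content in events:
        if shannon_entropy(content) >= min_entropy:
            high[host] += 1
    return {h: c for h, c in high.items() if c >= min_files}


if __name__ == "__main__":
    for hit in scan_process_log(PROCESS_LOG):
        print(f"[backup tampering] {hit['ts']} {hit['host']} {hit['user']}: {hit['label']} -> {hit['command']}")
    for host, count in flag_mass_encryption(WRITE_EVENTS).items():
        print(f"[mass encryption] {host}: {count} high-entropy file writes")
```

The entropy threshold is a heuristic: legitimately compressed or encrypted files (archives, images, TLS captures) also score near 8 bits per byte, which is why the second detector counts per host rather than alerting on a single write. In a real deployment the process-creation events would come from Sysmon or EDR telemetry and the write events from a file-server audit log, and the backup-tampering alert should be treated as high severity on its own, since it usually precedes the trigger by minutes, not days.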
Should you be worried?
Well, the final article refers to the UK Government's cyber security body, the National Cyber Security Centre (NCSC), which says we should bolster our defences if the situation in Ukraine escalates. It also notes attacks against Ukraine from Russia going back as far as 2015, and these could well spill over and be turned against the UK.
While I would say the UK's defences should already be well bolstered, any organisation can be the subject of a ransomware attack. A spray-and-pray automated attack could hit your business at any time. These attacks are automated, not targeted: the cybercriminal takes a shotgun approach, knowing that with enough ransomware out there, some of it will pay off. If it lands on your business, the disruption could be severe, and that return could come from you.
A targeted attack is far more brutal and harder to defend against: when you are being actively targeted, the criminals are invested in attacking your business. The goal, however, is the same: trigger the ransomware, collect the reward.
What can you do?
You will never be 100% cyber safe, but as I have already said in previous articles, you can take steps to mitigate any attacks and limit the damage. These include:
- Regular security testing: Invest in closing any gaps in your infrastructure before the cybercriminals find them.
- The right layers of security: From external content scanning to endpoint protection, ensure your infrastructure is protected at all levels.
- Educate your people: Ensure they can identify cyber-attacks, know what to avoid, learn best practices, and know what to do if they think there is an issue.
- Have a plan: You need an incident response plan - how you will deal with the attack, limit any damage, and recover.
Please reach out if you want to talk about protecting your data from ransomware attacks. Book your free 30-minute security consultation with one of our penetration testers. Get agnostic advice from industry experts on how to secure your business. Request here >