Targeted Ransomware requires Identity upgrade

This week we are experiencing the latest iteration of ransomware, following last month's WannaCry attack. The key takeaways are: patch your systems, and lock down your admin-level passwords and privileges.

It is not clear yet whether this latest attack is a Petya variant, which some are calling "GoldenEye", or a new family of ransomware. But the attack is hitting critical infrastructure, including the Ukrainian central bank, the Danish shipping company Maersk, the Dutch delivery company TNT, the Russian oil giant Rosneft and one of the largest law firms globally, DLA Piper.

The days of ransomware affecting single hosts are gone; we are now presented with self-replicating worms carrying weaponized payloads that spread quickly. This latest strain does not rely only on the EternalBlue SMB exploit. According to Binary Defense, in Ukraine an accounting package called MeDoc was compromised and used to deliver the initial infection. Once on a host, the malware drops PsExec v1.98 together with a credential-theft tool that leverages Mimikatz's lsadump functionality to pull passwords and hashes from LSASS memory. PsExec itself does not reveal passwords; it is the remote-execution vehicle, and the harvested admin credentials are what it (and WMIC) uses to run the payload on every other host those accounts can reach. Automation, lateral movement across the network, and passwords holding admin rights are what enabled this attack to propagate.
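The credential-dumping and PsExec lateral movement described above leave a recognisable trail in Windows event logs. The following detection logic is an added example, not code from the article or from Binary Defense: it runs over a constructed set of normalised Sysmon, System and Security events (the field names, the `C:\Windows\Temp\dump.exe` image, the `CORP\svc_admin` account and the host names are all assumptions for illustration) and flags three things a defender would want to see in one view: a non-allow-listed process reading `lsass.exe` memory (Sysmon event 10), installation of the `PSEXESVC` service (System event 7045), and one account making network logons (Security event 4624, logon type 3) to many hosts in a short window.

```python
"""Detect the LSASS-dump + PsExec fan-out pattern in normalised Windows events.

Added example with constructed sample events (not real logs). Assumption: a
SIEM has already flattened the XML of Sysmon, System and Security events into
the dict fields used below; adjust the field names to your pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LSASS = "lsass.exe"
PROCESS_VM_READ = 0x0010  # the access right a memory dumper needs on lsass
# Processes that legitimately open lsass.exe on most fleets (assumption: tune per estate).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

SAMPLE_EVENTS = [  # constructed, not taken from any real incident
    # Sysmon 10 (ProcessAccess): an unknown binary reads lsass.exe memory.
    {"ts": "2017-06-27T10:01:05", "host": "WS01", "eid": 10,
     "src_image": "C:\\Windows\\Temp\\dump.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
    # Sysmon 10 from Defender, which is allow-listed.
    {"ts": "2017-06-27T10:01:06", "host": "WS01", "eid": 10,
     "src_image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
    # Security 4624, logon type 3: one admin account hits four hosts in two minutes.
    {"ts": "2017-06-27T10:02:10", "host": "WS02", "eid": 4624, "logon_type": 3,
     "account": "CORP\\svc_admin", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:02:25", "host": "WS03", "eid": 4624, "logon_type": 3,
     "account": "CORP\\svc_admin", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:02:41", "host": "FS01", "eid": 4624, "logon_type": 3,
     "account": "CORP\\svc_admin", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:03:58", "host": "WS04", "eid": 4624, "logon_type": 3,
     "account": "CORP\\svc_admin", "src_ip": "10.0.0.11"},
    # System 7045: PsExec's service (PSEXESVC) installed on the targets.
    {"ts": "2017-06-27T10:02:12", "host": "WS02", "eid": 7045,
     "service": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:02:27", "host": "WS03", "eid": 7045,
     "service": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Noise: an interactive logon, one ordinary network logon, a benign service install.
    {"ts": "2017-06-27T10:05:00", "host": "WS09", "eid": 4624, "logon_type": 2,
     "account": "CORP\\jdoe", "src_ip": "-"},
    {"ts": "2017-06-27T09:30:00", "host": "WS09", "eid": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "src_ip": "10.0.0.42"},
    {"ts": "2017-06-27T10:06:00", "host": "WS09", "eid": 7045,
     "service": "GoogleUpdate", "image_path": "C:\\Program Files\\Google\\update.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def lsass_access(events):
    """(host, image) pairs where a non-allow-listed process read lsass memory."""
    hits = []
    for e in events:
        if e["eid"] != 10 or not e["target_image"].lower().endswith(LSASS):
            continue
        if int(e["access"], 16) & PROCESS_VM_READ == 0:
            continue  # handle opened without read access: not a dump
        image = e["src_image"].rsplit("\\", 1)[-1].lower()
        if image not in LSASS_ALLOWLIST:
            hits.append((e["host"], e["src_image"]))
    return hits


def psexec_installs(events):
    """Hosts on which the PsExec service was installed (System log event 7045)."""
    return sorted({e["host"] for e in events
                   if e["eid"] == 7045
                   and "psexesvc" in (e["service"] + e["image_path"]).lower()})


def credential_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """{account: hosts} for accounts whose network logons (4624 type 3) reached
    at least min_hosts distinct machines inside one sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append((_ts(e), e["host"]))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def analyse(events):
    """One summary a responder can read top to bottom."""
    return {"lsass_readers": lsass_access(events),
            "psexec_hosts": psexec_installs(events),
            "credential_fanout": credential_fanout(events)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(key, value)
```

Each detector on its own produces false positives (backup agents read LSASS, admins use PsExec, help-desk accounts log on to many hosts); the value is correlating all three within minutes of each other, which is what the `analyse` summary lets an analyst do.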

This latest attack hit European and Australian locations, and Merck and Heritage Valley Health System in Pennsylvania were also hit. Companies hit by the ransomware told employees to shut down all computers. Business interruption is the main impact of ransomware, and it is the reason we are seeing an escalation both in attacks and in the amounts demanded. What is the cost of shutting down operations at a national telco or an electric utility?

Last week the South Korean web hosting company Nayana paid a $1 million ransom after an Erebus attack encrypted data on 153 Linux servers, potentially affecting 3,400 customers. They negotiated down from $1.6 million (550 bitcoin) to 397.6 bitcoin. Last year an American Bar Association article on ransom cited an average payment of $4.5 million for a human ransom. What is to keep data ransoms from reaching parity with human ones when cyber insurance policies will cover the losses?

The average amount sought in this latest attack is $395, and reports say it likely has no kill switch. The attack also appears more targeted: bitcoin payments are handled manually over email, and victims must email proof of payment to a single address to receive a decryption key. The email provider Posteo has closed the attackers' account, frustrating payment. They will no doubt find a workaround for the payment process.

Access to systems and networks, and authorization to services, must move beyond passwords and simple two-factor authentication. We need multi-factor authentication (MFA) that combines something you have, something you know and something you are. Mobile devices let us use fingerprints, facial recognition, voice and behavioral characteristics to authenticate and identity-proof a user before granting access to services.

Thankfully, these technologies are available now, are not too pricey, and are being implemented by the US federal government under the NIST guidelines for Level of Assurance (LOA). Pilot tests that link access to federal services, under the NIST Trusted Identities Group, with commercial transactions in banking and e-commerce indicate that a federated identity solution has traction in the USA, similar to the UK identity verification program.

The guidance to avoid these attacks is solid: PATCH, and test your backups. You also need to know WHAT is inside the traffic on your network: you must monitor network sessions. And you must know WHO is on your network and accessing your services: identity proofing.
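Monitoring network sessions, as the paragraph above urges, is what makes a worm visible before the host logs catch up: a self-replicating strain that spreads over SMB opens TCP/445 sessions to far more neighbours in a minute than any workstation normally does. The following is an added example, not code from the article, run over constructed flow records (timestamp, source, destination, destination port) of the kind a Zeek conn.log or NetFlow export yields; the addresses, the `KNOWN_FILE_SERVERS` allow-list and the thresholds are assumptions for illustration.

```python
"""Flag worm-style SMB fan-out in network session records.

Added example over constructed flows (not data from the article). Assumption:
each record is (timestamp, src_ip, dst_ip, dst_port) after normalisation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
# Hosts expected to receive SMB from everyone (assumption: tune to your estate).
KNOWN_FILE_SERVERS = {"10.0.1.5"}


def _build_sample_flows():
    """Constructed traffic: one worm-like source plus ordinary background."""
    flows = []
    # Worm behaviour: one workstation opens SMB to 25 neighbours in under a minute.
    for i in range(25):
        flows.append((f"2017-06-27T10:02:{2 * i:02d}", "10.0.0.11", f"10.0.0.{20 + i}", 445))
    # Normal behaviour: a user's workstation talking to the file server all morning.
    for minute in (5, 17, 31, 48, 59):
        flows.append((f"2017-06-27T09:{minute:02d}:00", "10.0.0.42", "10.0.1.5", 445))
    # Normal: one peer share access and some HTTPS (203.0.113.10 is a documentation address).
    flows.append(("2017-06-27T09:20:00", "10.0.0.42", "10.0.0.43", 445))
    flows.append(("2017-06-27T09:21:00", "10.0.0.42", "203.0.113.10", 443))
    return flows


SAMPLE_FLOWS = _build_sample_flows()


def smb_fanout(flows, window=timedelta(seconds=60), min_targets=10,
               servers=KNOWN_FILE_SERVERS):
    """{src_ip: distinct_targets} for sources that opened SMB sessions to at
    least min_targets distinct non-server hosts inside any single window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS and dst not in servers:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, sessions in by_src.items():
        sessions.sort()
        worst = 0
        for i, (start, _) in enumerate(sessions):
            targets = {d for t, d in sessions[i:] if t - start <= window}
            worst = max(worst, len(targets))
        if worst >= min_targets:
            flagged[src] = worst
    return flagged


if __name__ == "__main__":
    for src, count in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: SMB sessions to {count} distinct hosts within 60s")
```

Traffic to the declared file servers is excluded so that a busy file server does not mask the scanner, and the count is taken over a sliding window rather than a whole day so that slow, legitimate administrative sweeps are not confused with a worm that touches an entire subnet in seconds.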

More articles by Barnaby Page:

  • Ransom Payments and Victim Notice Requirements Come under Federal Scrutiny
  • Ransomware and the Perils of Paying
  • DEFEATING RANSOMWARE | OUTFLANKING ATTACKERS THROUGH PUBLIC-PRIVATE COOPERATION
  • M&A Issues have Cyber Front & Center
  • Ransomware not Dead
  • Bank Hack Tales: When What's Old is New Again
  • DDoS business impact requires Focus
  • Credit Bureau Overhaul Past Due
  • Health Data Ransom Evolves
  • Inoculate Against Ransomware