As they say in the Intelligence Community, ‘our dear friends’ have shared some rather important news. It is a big deal because you, the human, can do a lot to prevent the losses that cyber criminal groups are currently profiting from.

Ransomware is on the rise. This may come as a surprise to no one, because it matches the headlines and murmurings that we in the business world hear all day. However, this time your ears should perk up a little more, because the attacks are getting more sophisticated. They are getting around firewalls and spam filters, and your multi-factor authentication does not stop them, because these attacks still come down to:

  1. Human error and social engineering, and then
  2. Whether your data-backup and recovery systems kick in

Please read the excerpt below from our friends at the FBI, knowing ahead of time that only your superb policies, processes, proactive measures and cyber hygiene will stop these attacks, which right now are targeting the healthcare sector more than other industries.

“I have noticed an uptick in ransomware incidents which have resulted in a significant impact to affected organizations. Data I recently read and these incidents, while anecdotal, reflect a change in trends regarding the method of infection. Previously ransomware infections came about primarily through phishing campaigns, whereas now they seem to originate through vulnerabilities in Remote Desktop Protocol (RDP). The bad actors gain access to systems through these vulnerabilities, harvest credentials [from users], and then go about systematically encrypting all available data before presenting the victim with a splash page with the ransom amount and method of payment. The most recent variants I have seen are Crysis, DMA, and SAMAS.A aka SAMSAM. Ransom amounts in these incidents tend to be high (I have seen up to $40,000), and the ransom amounts are typically requested in bitcoins.

By far the biggest take-home message I can give is to ensure reliable, regular, secure, and off-network backups are available.  It should go without saying all RDP vulnerabilities should be addressed.  Without backups there are probably only two choices: a) rebuilding from scratch; or b) paying the ransom (which we don’t advocate).”
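The attack chain in the excerpt (failed RDP logon attempts against many accounts, then a successful logon with harvested credentials) leaves a clear trail in the Windows Security log. The following detection is an added example, not code from Layer 8 Security or the FBI: the log lines and their pipe-delimited layout are constructed for the example, while Event IDs 4625 and 4624 and logon type 10 are the real Windows values for failed logon, successful logon and RemoteInteractive (RDP) logon.

```python
"""Flag RDP brute-force bursts, and a successful RDP logon that follows one, in Windows Security events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp|event_id|logon_type|account|source_ip"
SAMPLE_LOG = """\
2016-09-01T02:00:01|4625|10|administrator|203.0.113.7
2016-09-01T02:00:03|4625|10|admin|203.0.113.7
2016-09-01T02:00:05|4625|10|backup|203.0.113.7
2016-09-01T02:00:06|4625|10|scanner|203.0.113.7
2016-09-01T02:00:08|4625|10|sa|203.0.113.7
2016-09-01T02:00:09|4625|10|itadmin|203.0.113.7
2016-09-01T02:00:40|4624|10|itadmin|203.0.113.7
2016-09-01T09:15:00|4625|10|jdoe|198.51.100.20
2016-09-01T09:15:30|4624|10|jdoe|198.51.100.20
"""

def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts (field layout is an assumption)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, account, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "account": account, "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples: ('bruteforce', ip, failure_count) once a source IP reaches
    `threshold` failed RDP logons (4625, logon type 10) inside `window`, and
    ('success_after_bruteforce', ip, account) if that IP later logs on successfully (4624)."""
    recent = defaultdict(deque)   # source ip -> timestamps of its recent RDP failures
    flagged = set()               # source ips already reported as brute-forcing
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        q = recent[ev["ip"]]
        if ev["id"] == 4625:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(q)))
        elif ev["id"] == 4624 and ev["ip"] in flagged:
            # a success from a brute-forcing source means a credential was guessed or harvested
            alerts.append(("success_after_bruteforce", ev["ip"], ev["account"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The second alert is the one to page someone for: a successful RDP logon from a source that was just guessing passwords is the moment to isolate the host and rotate that account, before the encryption stage described in the excerpt begins.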

At Layer 8 Security we have also been contacted by several businesses that have suffered through this. A training and awareness program that encourages good cyber hygiene can make the difference between becoming a victim and recognizing a phishing email when it comes in. Additionally, proactive processes and policies, like having an incident response plan and a disaster recovery plan and testing them, will keep these attacks from making a dent in your bottom line.

A few related stories:

http://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/

http://www.securityweek.com/hackers-using-rdp-attacks-install-crysis-ransomware