22.05.2023 - In recent weeks, there have been more reports in the media about ransomware attacks against Swiss companies in which company data was stolen and encrypted. In the process, data from the affected companies was also published on the dark web. Implementing basic protection measures can do a lot to improve cybersecurity. Therefore, the NCSC is once again highlighting the best practices regarding cyberthreats from ransomware. These have been in place for many years and we urge companies to rigorously enforce them. This is because various ransomware gangs are very active and are attacking companies in Switzerland.
What has happened?
In recent weeks, various companies have gone public and confirmed that they were successfully attacked by cybercriminals using encryption Trojans (ransomware) and that their data was encrypted. The attacks were carried out by different ransomware gangs, independently of each other. The companies did not comply with the ransom demands, and the data stolen from them was published on the dark web. Even these highly sophisticated attacks could have been prevented relatively easily with the right protective measures.
How do cybercriminals operate?
The attackers' motive is usually financial. They therefore try to achieve their goal with as little effort as possible, and unprotected systems or unpatched vulnerabilities are often the gateway for successful attacks. Cybercriminals often pursue a double extortion strategy: they first copy the company data and exfiltrate it from the company network, then encrypt the data on the affected company's storage media. The cybercriminals demand a ransom for the data to be decrypted. If the company refuses to comply with the ransom demand, it is blackmailed with the threat of publishing the stolen data. It is not uncommon for ransom demands to be in the millions, based on the turnover figures of the affected company. However, the NCSC advises against making such ransom payments, as this feeds the cybercriminals' business model and finances the infrastructure they rely on.
How can a company protect itself against ransomware?
With the right protective measures, the risk of a successful cyberattack can be greatly reduced. For this reason, the NCSC regularly warns of the heightened security risk posed by ransomware. Nevertheless, many Swiss companies implement these protective measures only partially or not at all. This not only exposes those companies to a very high level of risk, but also means that Swiss companies repeatedly fall victim to ransomware and that their data, as well as that of their employees and customers, is published on the internet.
The NCSC is therefore once again highlighting the recommendations regarding ransomware published back in 2020 and is calling on all Swiss companies to implement them promptly.
Remote access protection:
All remote access connections such as VPN, RDP, Citrix, etc. as well as all other ways of accessing internal resources (e.g. webmail, SharePoint) must be consistently secured with two-factor authentication (2FA). This also applies to access connections for suppliers, contracting partners and students, for example.
Patch and lifecycle management:
All systems must promptly and consistently receive security updates. Updates that fix critical security vulnerabilities in systems accessible via the internet must be applied within 24 hours. Software or systems that are no longer supported by the manufacturer (end of life, EOL) must be switched off or moved to a separate, isolated network zone.
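The two hard rules in this recommendation (critical patches for internet-facing systems within 24 hours; EOL software either switched off or isolated) can be checked mechanically against an asset inventory. The following is an added example, not NCSC code or tooling: it runs the two rules over a small constructed inventory and reports every host that violates them. The field names and the sample hosts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List, Tuple

# One inventory row per host and vulnerability finding (constructed schema).
@dataclass
class Finding:
    host: str
    internet_facing: bool
    severity: str                  # "critical", "high", "medium", ...
    eol: bool                      # software no longer supported by the vendor
    isolated_zone: bool            # host sits in a separate, isolated network zone
    patch_released: datetime       # when the fixing update became available
    patched_at: Optional[datetime] # None means the update is still not applied

# NCSC rule: critical fixes on internet-facing systems within 24 hours.
CRITICAL_SLA = timedelta(hours=24)

# Fixed "current time" so that the example is reproducible offline.
NOW = datetime(2023, 5, 3, 9, 0)


def check_patch_sla(findings: List[Finding], now: datetime) -> List[Tuple[str, str]]:
    """Return (host, reason) for every finding violating the patch/lifecycle rules.

    - EOL software that is neither switched off nor isolated is a violation
      regardless of patch state (there are no more vendor patches to apply).
    - A critical vulnerability on an internet-facing host must be patched no
      later than 24 h after the fix was released; an unpatched host is
      measured against `now`.
    """
    violations = []
    for f in findings:
        if f.eol and not f.isolated_zone:
            violations.append((f.host, "EOL software neither decommissioned nor isolated"))
            continue
        if f.severity == "critical" and f.internet_facing:
            deadline = f.patch_released + CRITICAL_SLA
            effective = f.patched_at if f.patched_at is not None else now
            if effective > deadline:
                overdue = effective - deadline
                violations.append((f.host, f"critical patch {overdue} past the 24h deadline"))
    return violations


def sample_findings() -> List[Finding]:
    """Constructed inventory rows; the host names are placeholders."""
    released = datetime(2023, 5, 1, 9, 0)
    return [
        # Patched 9 h after release: within the SLA.
        Finding("vpn-gw", True, "critical", False, False, released, datetime(2023, 5, 1, 18, 0)),
        # Still unpatched two days later: violation.
        Finding("webmail", True, "critical", False, False, released, None),
        # Internal host: no hard 24 h rule applies, but it must still be patched promptly.
        Finding("fileserver", False, "critical", False, False, released, None),
        # Unsupported software on the flat office network: violation.
        Finding("legacy-erp", False, "high", True, False, released, None),
        # Unsupported software, but moved to an isolated zone: acceptable.
        Finding("legacy-scada", False, "high", True, True, released, None),
    ]


if __name__ == "__main__":
    for host, reason in check_patch_sla(sample_findings(), NOW):
        print(f"{host}: {reason}")
```

Internal systems with critical findings are not flagged by the 24-hour rule because the recommendation only sets a hard deadline for internet-facing systems; they still fall under the general requirement to patch promptly, so a real inventory check would report them separately.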
Offline backups:
Make regular backups of your data. Use the generation principle (daily, weekly, monthly – at least 2 generations). Ensure that the medium on which you create the backup copy is physically separated from the computer or network after the backup process and stored securely. Alternatively, use WORM storage media.
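The generation principle (grandfather-father-son rotation) decides which backup sets are retained and which media can be reused. As an added example, not NCSC code, the function below computes that retention for a list of backup dates: the newest sets are kept as daily generations, the newest set of each recent ISO week as a weekly generation, and the newest set of each recent month as a monthly generation, refusing any configuration with fewer than the two generations the recommendation requires. The default counts and the sample date range are assumptions for the illustration.

```python
from datetime import date, timedelta
from typing import Iterable, Set, Tuple

MIN_GENERATIONS = 2  # NCSC: at least 2 generations per tier


def gfs_keep(backup_dates: Iterable[date], daily: int = 7, weekly: int = 4,
             monthly: int = 12) -> Set[date]:
    """Return the backup dates to retain under a daily/weekly/monthly scheme.

    Every date not in the returned set may be expired and its medium reused;
    every date in it must stay offline (or on WORM media) until it ages out.
    """
    if min(daily, weekly, monthly) < MIN_GENERATIONS:
        raise ValueError(f"each tier needs at least {MIN_GENERATIONS} generations")

    dates = sorted(set(backup_dates), reverse=True)  # newest first
    keep: Set[date] = set(dates[:daily])             # son: newest N sets

    # Father: newest set in each of the last `weekly` distinct ISO weeks.
    weeks_seen = []
    for d in dates:
        wk = d.isocalendar()[:2]                     # (iso_year, iso_week)
        if wk not in weeks_seen:
            weeks_seen.append(wk)
            if len(weeks_seen) <= weekly:
                keep.add(d)

    # Grandfather: newest set in each of the last `monthly` distinct months.
    months_seen = []
    for d in dates:
        m = (d.year, d.month)
        if m not in months_seen:
            months_seen.append(m)
            if len(months_seen) <= monthly:
                keep.add(d)
    return keep


def rotation_plan(backup_dates: Iterable[date], **tiers) -> Tuple[Set[date], Set[date]]:
    """Split existing backup sets into (keep, expire) for the media rotation."""
    all_dates = set(backup_dates)
    keep = gfs_keep(all_dates, **tiers)
    return keep, all_dates - keep


def sample_dates() -> list:
    """Constructed history: one backup set per day from 2023-03-01 to 2023-05-22."""
    start, end = date(2023, 3, 1), date(2023, 5, 22)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    keep, expire = rotation_plan(sample_dates(), daily=7, weekly=4, monthly=3)
    print("keep offline:", sorted(keep))
    print("media free for reuse:", len(expire))
```

With the sample history and three monthly generations, the plan retains the last seven daily sets, the Sunday sets of the two preceding weeks, and the month-end sets of April and March; the other media may be rotated back into use. Only the sets in the keep set need to be physically detached from the network and stored securely.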
Last modification 22.05.2023