19.02.2020 - In recent weeks, MELANI / GovCERT has dealt with more than a dozen ransomware cases in which unknown perpetrators encrypted the systems of Swiss SMEs and large companies and rendered them unusable. The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions.
A technical analysis of the incidents revealed that the IT security of the companies affected was often incomplete and the usual best practices (Information security checklist for SMEs) were not fully observed. Furthermore, warnings from the authorities were not heeded.
During the analysis of the incidents in recent weeks, the following weaknesses in particular were identified as the gateway for cyberattacks (these can be eliminated by implementing the MELANI recommendations):
1. Virus protection and warning messages
Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers). In a small number of cases, some servers did not even have any antivirus software installed. This can contribute significantly to the spread of malware within corporate networks.
Recommendations:
• Antivirus software must be installed across the board on all clients and servers.
• Warning messages from antivirus software must be logged and checked regularly. If it is not possible to check all warning messages (e.g. due to the high number), at least those from servers (e.g. domain controllers, backup, etc.) should be checked on a daily basis.
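The daily server check described above, as an added example that is not part of the MELANI text. It assumes the servers run Microsoft Defender Antivirus and allow remote event log access; the server names are placeholders.

```powershell
# Added example: daily review of antivirus warnings on key servers.
# Assumption: Microsoft Defender Antivirus; other products log elsewhere.
# Placeholder names; replace with your domain controllers, backup servers, etc.
$servers = 'DC01', 'BACKUP01', 'FILE01'

# 1116 = malware detected, 1117 = action taken, 1118 = action failed,
# 1119 = critical error during action, 5001 = real-time protection disabled
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1118, 1119, 5001
    StartTime = (Get-Date).AddDays(-1)
}

$report = foreach ($server in $servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    Status = 'ALERT'
                    Detail = ($_.Message -split "`r?`n")[0]   # first line of the event text
                }
            }
    }
    catch {
        # "No matching events" means a clean day; any other error means the
        # server could not be checked, which needs follow-up in its own right.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $status = 'clean';   $detail = 'No warnings in the last 24 hours'
        } else {
            $status = 'NO DATA'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Server = $server; Time = Get-Date; Id = $null; Status = $status; Detail = $detail }
    }
}

$report | Sort-Object Status, Server, Time | Format-Table -AutoSize -Wrap
```

A server reported as NO DATA has not been checked at all and should be treated as an open item, not as clean.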
2. Remote access protection
Remote access to systems via the Remote Desktop Protocol (RDP) was often protected only by a weak password, and the service was left listening on the default port (standard port 3389) without any access restrictions (e.g. VPN or IP filter). This meant that the systems were very easily accessible and the attackers could easily penetrate unnoticed into company networks and install malware.
Recommendation:
• All remote access points such as VPN and RDP (terminal server) must be secured using two-factor authentication. Additionally, whenever possible, they should not listen on standard ports (e.g. 3389 for RDP). The introduction and enforcement of a password policy to prevent simple passwords being used ("123456", "password", etc.) is essential.
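One way to check a Windows server for the two exposure conditions named above (default port, no IP filter), as an added example that is not part of the MELANI text. It only reads settings and assumes the Windows firewall is the filter in use; two-factor authentication and the password policy are not visible here and must be verified separately.

```powershell
# Added example: read-only audit of this host's RDP exposure. Run elevated on the server.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
$port       = (Get-ItemProperty -Path $tcp).PortNumber

$findings = @()
if ($rdpEnabled) {
    if ($port -eq 3389) {
        $findings += [pscustomobject]@{ Check = 'Port'; Detail = 'RDP listens on the default port 3389' }
    }

    # Enabled inbound allow rules whose TCP port filter covers the RDP port.
    # Simplifications: port ranges such as '3000-4000' are not expanded and
    # rules defined for protocol 'Any' are not listed.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    foreach ($rule in $rules) {
        # A remote address of 'Any' means no IP filter is applied to this rule.
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += [pscustomobject]@{
                Check  = 'Firewall scope'
                Detail = "Rule '$($rule.DisplayName)' (profile: $($rule.Profile)) accepts any source address"
            }
        }
    }
}

if (-not $rdpEnabled)          { 'RDP is disabled on this host.' }
elseif ($findings.Count -eq 0) { "RDP on port $port is limited to specific source addresses." }
else                           { $findings | Format-Table -AutoSize -Wrap }
```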
3. Notifications from authorities
Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies. Infections were therefore eliminated only partially or not at all, which in many cases led to complete encryption of the company network.
Recommendation:
• Notifications from authorities and internet service providers (ISPs) regarding infections must be taken seriously. In case of doubt (e.g. authenticity of a notification), contact the authority that sent the notification or the ISP.
4. Offline backups and updates
Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted. In many cases, a company's activities could only be recovered with considerable effort, if at all.
Recommendations:
• Make a backup of your data regularly. The backup must be stored offline (e.g. on an external medium such as an external hard drive or a backup tape). Make sure that the medium where the backup is saved is physically disconnected from the computer or network after the backup procedure is complete. In addition, define a process that establishes regular data backups and adhere to it without fail.
• Ensure consistent updates. Both operating systems and all software installed on computers and servers (e.g. Adobe Reader, Adobe Flash, Oracle Java, etc.) must be consistently updated. Where possible, this should preferably be done using the automatic update function.
5. Patch and lifecycle management
Companies often lack proper patch and lifecycle management. As a result, operating systems or software were in use that were either outdated or no longer supported. Attackers exploited the security vulnerabilities and thus gained access to the company network and other internal systems.
If an attacker has gained access to the network, inadequate patch and lifecycle management also facilitates the further spread of malware within the network.
Recommendations:
• Use patch and lifecycle management. Disconnect outdated systems from the network when you no longer need them, or replace them as quickly as possible.
• Isolate poorly protected systems. If there are systems with an old operating system (e.g. Windows XP, Windows 2003 Server, Windows 2008 Server) that cannot be migrated, it is imperative to isolate them as far as possible. Only connections to and from the system that are essential for seamless operation should be allowed.
6. No segmentation
The networks were not divided (segmented), so that, for example, an infection on a computer in the HR department gave the attacker a direct attack path to the production department.
Recommendation:
• Networks should be segmented at least to a minimum extent so that critical environments are ring-fenced.
7. Excessive user rights
Users were often given excessive rights, e.g. a backup user who has domain admin rights or a system administrator who has the same rights when browsing the internet as when managing the systems.
Recommendation:
• In a role concept, define which rights are necessary for which types of users. In addition, make sure that the rights can be adjusted accordingly in case of staff changes (leaving the company, moving to another department).
Caution with ransom demands
If systems have been encrypted by ransomware, MELANI advises against making a ransom payment. As a general rule, MELANI does not recommend paying because the money will support the hacker's infrastructure. It should also be noted that even if a ransom is paid, there is no guarantee that the blackmailer will decrypt the data.
It is important that the companies concerned contact the cantonal police immediately, file a complaint and discuss the further procedure with them.
As long as there are still companies that make ransom payments, attackers will never stop blackmailing.
If a ransom payment is nevertheless being considered, it should be noted that although systems and data might be decrypted, the underlying infection from malware such as "Emotet" or "TrickBot" will remain active. As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware or steal sensitive data from it. MELANI is aware of cases in Switzerland and abroad where the same companies have been victims of ransomware several times within a very short period of time.
Taking personal responsibility
Last year, MELANI, together with partners within the scope of the private-public partnership (PPP), already adopted measures to reduce the threat posed by individual players and the spread of malware in Switzerland. In general, however, MELANI again appeals to all Swiss companies to assume responsibility for the secure operation of their IT infrastructure.