Update Ransomware: New Procedure

30.07.2019 – During the last few weeks, Swiss companies have been targeted by a new kind of cyber-attack where the attackers were able to infiltrate the company’s network and encrypt all data with a crypto Trojan. Several well-known Swiss companies have been affected by this kind of attack.

Since 2016, the Reporting and Analysis Centre for Information Assurance MELANI warns constantly against the danger of crypto Trojans (so called “ransomware”). On May 9th 2019, MELANI published a newsletter warning against ransomware attacks and giving concrete recommendations for counter-measures. These counter-measures are still valid and should urgently be implemented by every company. Since July 2019, there is a vast increase of announced ransomware attacks where the attackers seem to switch to a new procedure. They attack Swiss companies with targeted malicious e-mails (so called “spear phishing”).

So far, the following procedures are known:

  • Attackers send targeted malicious e-mails to Swiss companies with the purpose to infect their networks. Those e-mails usually contain a link to a malicious website or an infected attachment.
  • Accesses to infected computers of Swiss companies are then offered for sale in relevant internet forums. These computers are usually infected with "Emotet", "TrickBot" or - in a few cases - with "Qbot". Criminal groups "buy" these accesses with the purpose to infect a large scale of the victim's network.
  • Attackers scan the Internet for open VPN or Terminal Servers and try to gain access using brute force attacks.

All these procedures have one thing in common: The attackers use additional attacking tools such as e.g. “Cobalt Strike” or “Metasploit” to gain the needed privileges for the infiltrating the company’s network. If successful, a ransomware (e.g. “Ryuk”, “LockerGoga”, “MegaCortex” etc.) will be deployed within the network and will completely encrypt all the data.

Because of the current threat level and due to the above-described new procedures, MELANI urgently warns all Swiss companies again and recommends to implement the following measures immediately:

  • Make regular backups of your data, e.g. on an external hard disk. Use the generation principle (daily, weekly, monthly / at least two generations). Make sure that you disconnect the hardware on which you store your backup as soon as the backup has finished. If not, you will risk that the crypto Trojan gains access to this data and will encrypt or delete the backup.
  • For cloud-based backup solutions, you should make sure that the provider has at least two generations analogue to the classic backup and that the backup is not accessible for a ransomware. It is recommended to apply for example a two-factor authentication for critical operations. Check the quality of your backups regularly and practice the roll out of a backup. This will help you to save time in case of an incident.
  • Operation systems and all software installed on the computers must consequently and immediately be updated (e.g. Adobe Acrobat Reader, Adobe Flash, Java etc). If available, it is best to use the automatic update function.Protect resources which are accessible from the internet (for example Terminal-Server, RAS, VPN-Access) with a second factor. Place the Terminal Servers behind a VPN portal.
  • Protect all resources which are available from the internet (especially terminal servers, RAS and VPN connections) with a second factor. Place terminal servers behind a VPN portal.
  • Block the reception of malacious e-mail attachments on your e-mail gateway, including MS Office documents containing macros. A list of file extentions which should be blocked is available here: https://www.govcert.ch/downloads/blocked-filetypes.txt
  • Check the logfiles of your antivirus software for suspicious entries.

Should you pay a ransom?

Refrain from paying a ransom because this will only strengthen the criminal infrastructure and thereby allow criminals to blackmail other victims. In addition, there is no guarantee that the key for decryption will be provided.

Further information on ransomware and the current attacks are available using those links:

GovCERT.ch ransomware blog:
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

Detailed information on ransomware:
https://www.melani.admin.ch/melani/en/home/themen/Ransomware.html

Information security checklist for SME‘s:
https://www.melani.admin.ch/melani/en/home/dokumentation/checklists-and-instructions/merkblatt-it-sicherheit-fuer-kmus.html

Swiss Ransomware Awareness Day (not available in English):
https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/ransomwareday.html

Emotet attacks against company networks (not available in English):
https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner-Emotet-greift-Unternehmensnetzwerke-an.html


 

Specialist staff
Last modification 05.01.2021

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/news/news-archiv/update-ransomware-neue-vorgehensweise.html