Malware attacks, in particular ransomware attacks, can be devastating for organisations because computer systems are no longer available to use and, in some cases, data may never be recovered. If recovery is possible, it can take several weeks, but corporate reputation and brand value could take a lot longer to recover.
Organisations can recover more quickly by identifying critical assets, determining the impact on these if they were affected by a malware attack, and planning for such an attack, even if it seems unlikely. A response to ransom demands and the threat of your organisation’s data being published should be strategised, and legal obligations regarding the reporting of incidents to regulators should be identified. More importantly, incident management plans should be exercised to help clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery.
Law enforcement does not encourage, endorse or condone the payment of ransom demands: there is no guarantee access to data or device(s) will be regained; the computer will still be infected; the payment will fund criminal groups; and the organisation is more likely to be targeted in future.
A spokesperson for the National Cyber Security Centre (NCSC) said: “Since there’s no way to completely protect your organisation against malware infection, you should adopt a ‘defence-in-depth’ approach. This means using layers of defence with several mitigations at each layer. You’ll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation.
“You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause and speed up your response.”
There are some actions that can be taken to help prepare organisations for potential malware and ransomware attacks. Making up-to-date backups of the most important files is the most effective way of recovering from a ransomware attack. Multiple copies should be kept, including offline backups held separately from the network (preferably offsite) or in a cloud service designed for this purpose.
“Ideally, backup accounts and solutions should be protected using privileged access workstations and hardware firewalls to enforce IP allow listing,” explains an NCSC spokesperson. “Multi-factor authentication (MFA) should be enabled (this will also help stop malware spreading across your organisation), and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged access management solutions remove the need for administrators to directly access high-value backup systems.”
The likelihood of malicious content reaching your devices can be reduced through a combination of filtering to only allow file types you would expect to receive, blocking websites that are known to be malicious, actively inspecting content, and using signatures to block known malicious code.
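The three inbound controls just listed (expected file types only, content inspection, and signatures for known-bad code) can be stacked so that each catches what the one before it misses. The following is an added illustration, not code from the NCSC or from this article; the allow-list, magic bytes and the known-bad hash set are constructed for the example, and a real deployment would feed the signature set from threat intelligence rather than hard-coding it.

```python
import hashlib
from typing import Tuple

# Constructed allow-list: file types the organisation expects to receive,
# each mapped to the leading bytes a genuine file of that type begins with.
EXPECTED_TYPES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "docx": [b"PK\x03\x04"],  # OOXML documents are ZIP containers
}

# Constructed signature store: SHA-256 digests of content already known to
# be malicious. Populated by register_known_bad() for this example only.
KNOWN_BAD_SHA256 = set()


def register_known_bad(data: bytes) -> str:
    """Record the SHA-256 of a known-malicious sample and return the digest."""
    digest = hashlib.sha256(data).hexdigest()
    KNOWN_BAD_SHA256.add(digest)
    return digest


def inspect_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Run one attachment through the three layers; return (allowed, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # Layer 1: filtering - reject anything that is not an expected file type.
    if ext not in EXPECTED_TYPES:
        return False, f"extension '{ext or '(none)'}' not on allow list"

    # Layer 2: content inspection - the bytes must match the claimed type,
    # so an executable renamed to .pdf does not pass on its extension alone.
    if not any(data.startswith(magic) for magic in EXPECTED_TYPES[ext]):
        return False, f"content does not match claimed type '{ext}'"

    # Layer 3: signatures - block content whose hash is already known bad,
    # which catches a well-formed file of an allowed type that is malicious.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return False, f"matches known malicious signature {digest[:12]}"

    return True, "passed all layers"
```

Each layer has a blind spot on its own (extension filtering trusts the name, content inspection trusts the format, signatures only know what has been seen before), which is why the NCSC frames them as layers rather than alternatives.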
The ‘defence in depth’ approach assumes that malware will reach devices. Steps should therefore be taken to prevent malware from running. The measures required will vary for each device type, OS and version, but in general, device-level security features should be used.
In addition, attackers can force their code to execute by exploiting device vulnerabilities. This can be prevented by keeping devices well-configured and up to date.
As well as preventing and responding to ransomware, it is also important for organisations to conduct monitoring and detection on their networks.
“Organisations in the UK should also consider joining the cybersecurity information sharing partnership (CiSP),” the NCSC suggests, describing it as a safe portal to discuss and share information to help the community and improve the UK’s cyber resilience.
ATTACKS GROWING
According to research from industrial cybersecurity experts Dragos, ransomware attacks against industrial organisations are up 87% since last year.
Among the most significant findings in the ICS/OT Cybersecurity Year in Review 2022 report were those involving ransomware. Dragos tracked 605 ransomware attacks against industrial organisations in 2022. Dragos gave multiple reasons for the trend in its report, including political tensions such as Russia’s invasion of Ukraine, and “the continued growth of ransomware as a service (RaaS).”
The vendor also found 35% more ransomware groups had attacked ICS/OT (industrial control systems/operational technology) organisations in 2022 than 2021.
Dragos director of intelligence content Thomas Winston says: “Based on the information Dragos has, the apparent reason [for the increase] is the shutting down and then rebranding of ransomware groups, and the distribution of RaaS, which lowers the barrier to entry for would-be ransomware adversaries.”
The report provided multiple examples of attack campaigns affecting the industrial sector. Dragos said it identified several Conti victims in the automotive industry in 2022, as well as multiple LockBit variants affecting victims in sectors including construction, electric and manufacturing.
The report also stated that around 80% of the organisations Dragos engaged with last year had limited visibility into their OT environments; 50% identified problems with network segmentation; and 53% had undisclosed or uncontrolled external connections to the OT environment.
These three issues are compounded by an increase in identified vulnerabilities. Dragos investigated 27% more flaws in 2022 than 2021. In addition, 20% of investigated flaws resided deep within the OT environment, and 12.5% of advisories were ‘extremely critical.’
Dragos also identified issues with the way these vulnerabilities were reported. Of the 465 advisories Dragos analysed, 34% contained errors of some kind, while 14.9% of the 2,170 CVEs (common vulnerabilities and exposures) analysed had CVSS (common vulnerability scoring system) errors. Outside of the errors, 30% of advisories contained no patch whatsoever, and 75% contained no vendor mitigations.
“This advice is critical for network defenders if they are unable to apply any available patches or if no patch was provided,” the report reads. “Dragos provided mitigations for the 53% of advisories that contained no mitigation from either vendors or ICS-CERT (cyber emergency response team).”
However, the report noted that vendors and CERTs have improved at generating security advisories for ICS and OT flaws. Dragos said that although vendors aren’t fully providing mitigations themselves, “they are on the right path.”
BOX: ALREADY INFECTED?
If your organisation has already been infected with malware, these steps may help limit the impact:
1. Immediately disconnect the infected devices from all network connections, whether wired, wireless or mobile phone-based
2. In a very serious case, consider turning off Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet
3. Reset credentials including passwords (especially for administrator and other system accounts) – but verify that you are not locking yourself out of systems that are needed for recovery
4. Safely wipe the infected devices and reinstall the OS
5. Before restoring from a backup, verify that it is free from malware. Only restore from a backup if confident that the backup and the device are clean
6. Connect devices to a clean network to download, install and update the OS and all other software
7. Install, update, and run antivirus software
8. Reconnect to the network
9. Monitor network traffic and run antivirus scans to identify if any infection remains.