
The evolving risks from Ransomware

Articles, Information Assurance | 12 February, 2022

This week the NCSC issued a warning of the evolving risks posed by Ransomware, with increasingly sophisticated techniques being used to extort money from businesses around the world.

The National Cyber Security Centre (NCSC) along with the USA’s CISA and Australia’s ACSC have produced a joint cyber security advisory on the increased globalised threat of ransomware.

What is Ransomware?

Ransomware is a type of malware which uses extortion to obtain money from its victims. Ransomware locks the files and data on a computer system, usually by encrypting the files, and the criminals behind the attack demand a payment in return for unlocking the files.

How Ransomware is evolving

According to the advisory, ransomware threat actors demonstrated increasing technological sophistication through 2021.

The top three initial infection vectors used for ransomware in 2021 were:

  • Phishing emails
  • Remote Desktop Protocol (RDP) abuse using stolen or brute-forced credentials
  • Exploiting software vulnerabilities

There was a move to a more organised ransomware marketplace last year, in what the report calls the ‘professionalisation’ of ransomware, with the increased use of Ransomware-as-a-Service (RaaS). RaaS offerings have evolved beyond simply providing ready-to-use software tools: the NCSC reports that they now include ‘independent services’ to assist with the negotiation of payments, help for victims to make payments, and even dispute arbitration and 24/7 helpdesks to expedite payment and system recovery once decryption keys have been provided.

After encrypting their victim’s network, threat actors are more often using ‘triple extortion’ threats to motivate their victims to pay: threatening to publicly release stolen information, disrupt the victim’s internet access, and inform the victim’s shareholders and partners about the attack.

The increased adoption of cloud infrastructures has resulted in ransomware developers creating tools designed to attack cloud service providers, API platforms and cloud storage. Attack vectors include exploiting vulnerabilities in cloud platforms, and compromising on-premises networks and then using their trusted connections to access cloud infrastructures.

Managed Service Providers (MSPs) are being increasingly targeted because threat actors know that compromising one MSP will yield trusted access into the heart of all of its clients’ networks (think Kaseya for one example). Similarly, the software supply chain came under increasing attack, again because threat actors understand that compromising one supplier can result in their code being transported into the networks of all of that supplier’s customers (think SolarWinds for example).

Finally, ransomware actors are more frequently launching their attacks on weekends and public holidays in order to exploit lower staffing levels in the victim’s IT teams during these times.


How to defend your network against Ransomware

Strengthen your network protections to defend against the tactics and techniques used by ransomware operators:

Keep all operating systems and software up to date

Ransomware operators use known software vulnerabilities to gain access to their victims’ networks and to enable lateral movement within the network. Establish a regular monthly patching cycle to ensure systems are kept up to date. Do not forget to patch virtual machines and cloud systems, as this is usually the customer’s responsibility. CISA maintains a useful list of known exploited software vulnerabilities which will help you to prioritise patching if you know your systems are not up to date.

Automated vulnerability scanning is recommended to identify systems that need patching, especially on larger networks with many devices.
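One way to put the CISA list to work, as an added example that is not part of the original article: cross-reference a vulnerability scanner’s findings against the Known Exploited Vulnerabilities (KEV) feed and surface the findings that are already past their CISA remediation due date. The KEV data and scan results below are constructed samples laid out in the shape of CISA’s JSON feed; the CVE ids and vendor names are placeholders, not real entries.

```python
import json

# Constructed sample in the shape of CISA's KEV JSON feed ("vulnerabilities"
# array with cveID / vendorProject / product / dateAdded / dueDate fields).
# The CVE ids and vendors are placeholders, not real catalogue entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleLogger", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-00002", "vendorProject": "ExampleVendor",
         "product": "ExampleMail", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2021-00003", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    ],
})

# Constructed scanner output: host -> CVEs reported as unpatched on that host.
SCAN_RESULTS = {
    "mail01":  ["CVE-2021-00002", "CVE-2020-99999"],
    "web-vm3": ["CVE-2021-00001"],
    "dc01":    ["CVE-2020-99998"],
}


def load_kev(text):
    """Index the KEV feed by cveID so each scanner finding is a dict lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritise(scan_results, kev, today):
    """Return (host, cve, due_date, overdue) for every finding that appears in
    KEV, overdue items first and then by due date. Findings not in KEV are
    left to the regular monthly patch cycle. `today` is an ISO date string,
    so string comparison orders dates correctly."""
    hits = []
    for host, cves in scan_results.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry:
                hits.append((host, cve, entry["dueDate"], entry["dueDate"] < today))
    return sorted(hits, key=lambda h: (not h[3], h[2]))


if __name__ == "__main__":
    for host, cve, due, overdue in prioritise(SCAN_RESULTS, load_kev(KEV_SAMPLE), "2022-02-12"):
        print(f"{'OVERDUE' if overdue else 'due    '} {due}  {host}  {cve}")
```

The real feed is published by CISA as JSON and can be dropped into `load_kev` unchanged; the scan results would come from whatever scanner you run.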

Secure and monitor RDP and risky connections

Remote Desktop access and other similarly risky remote access services need particular attention both to keep them secure and to monitor them for abuse.

Prevent credential theft and re-use by requiring multi-factor authentication for RDP connections.

Ensure systems are securely configured, applying proven security baselines where they are available. If RDP is not used then block it at the firewall to prevent ingress (on port 3389).

SMB file sharing (Server Message Block and Samba) is often used to propagate malware across a network – if you do not need it in your network, disable it on your servers.

Review the security posture of external networks you connect to – supplier and client systems for example. Ensure those network interconnects are placed on isolated LAN segments to protect your network from a breach in a connected network.

Raise Awareness through training

Technical controls will never successfully block all incoming phishing emails and spam, so use Security Awareness Training to help your staff spot fraudulent emails and phishing attempts.

Require MFA for all external services

Require multi-factor authentication for all services published to the internet. This includes webmail, VPNs and Office 365 environments (SharePoint and Outlook webmail).

Set unique passwords

Ensure all accounts on your network have unique and strong passwords set. The same password should not be reused across multiple accounts, and passwords used by system admins should not be stored on the network where an attacker could find them – use a password manager that employs strong encryption to protect login information.

Protect your backups

Protect cloud storage by backing up to multiple locations that are protected by MFA for access and ensure the backups are encrypted.

Segment your network

Network segmentation can help prevent the spread of ransomware across your network. This is especially important where your organisation has international operations and VPN links or interconnections with the networks of suppliers or customers. Internal and external penetration tests are essential to ensure your network segmentation is actually working.

Use Intrusion Detection Systems

Automated tools that monitor network activity for indicators of ransomware activity can help detect a network breach quickly.
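The monitoring described above for RDP (stolen or brute-forced credentials) and the indicator-based detection described here can be combined in a small rule, shown below as an added example that is not part of the original article or the NCSC advisory. It reads Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP), flags a source that reaches a threshold of RDP failures inside a sliding window, and then flags any later successful RDP logon from that same source, which is the pattern of a brute-forced credential being used. The event lines, IPs and threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one per line:
# timestamp, event id (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), source IP, account name.
SAMPLE_EVENTS = """\
2022-02-12T02:14:03Z 4625 10 203.0.113.7 administrator
2022-02-12T02:14:05Z 4625 10 203.0.113.7 administrator
2022-02-12T02:14:07Z 4625 10 203.0.113.7 admin
2022-02-12T02:14:09Z 4625 10 203.0.113.7 backup
2022-02-12T02:14:12Z 4625 10 203.0.113.7 j.smith
2022-02-12T02:14:40Z 4624 10 203.0.113.7 j.smith
2022-02-12T09:01:00Z 4625 10 198.51.100.20 m.jones
2022-02-12T09:05:00Z 4624 10 198.51.100.20 m.jones
2022-02-12T09:30:00Z 4625 2 198.51.100.20 m.jones
"""

FAIL_THRESHOLD = 5              # constructed tuning values for the example
WINDOW = timedelta(minutes=5)


def parse(line):
    ts, event_id, logon_type, src, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), int(logon_type), src, user


def detect_rdp_bruteforce(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (kind, source_ip, detail) alerts. 'bruteforce' fires
    once when a source reaches `threshold` RDP failures inside `window`;
    'success_after_bruteforce' fires on each later RDP success from it."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, user = parse(line)
        if logon_type != 10:        # only RDP (RemoteInteractive) logons matter here
            continue
        if event_id == 4625:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, f"{len(q)} failures in {window}"))
        elif event_id == 4624 and src in flagged:
            alerts.append(("success_after_bruteforce", src, f"account {user}"))
    return alerts
```

The second alert kind is the one worth paging on: a single user mistyping a password is noise, but a logon that succeeds after a burst of failures from the same source means a credential has just been guessed and the account should be disabled and investigated. The sample events also fall on a Saturday at 02:14, the kind of out-of-hours timing the advisory says operators prefer.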


The full security advisory contains more details and advice that security managers can use to protect their networks from the evolving risks posed by ransomware.

Further information for UK organisations can be found on the NCSC Ransomware hub.
