Increased Vigilance Needed Against Ransomware Attacks

In late 2018 the U.S. District Court of New Jersey indicted two Iranian men for allegedly running a hacking scheme that hit local and state governments as well as transportation agencies and hospitals across the U.S. The scheme involved infecting corporate networks with SamSam malware, which encrypted data on computers in the networks, then blackmailing the institutions by requiring a ransom payment in return for the decryption keys.

According to the indictment, the ransomware attacks hit more than 200 victims, and attackers collected more than $6 million in payments. Victims also incurred additional losses exceeding $30 million as a result of the loss of access to their data.

Among the victims were the city of Newark, N.J., the Colorado Department of Transportation, Nebraska Orthopedic Hospital, the city of Atlanta, LabCorp of America, MedStar Health, and the port of San Diego.

The city of Atlanta was among the hardest hit. A March 2018 attack infected about 3,789 servers and workstations and caused extensive damage, preventing access to court records, disabling electronic bill payment, and forcing police to revert to filing reports with pen and paper. It also destroyed some two months’ worth of Atlanta police department video footage. The city is still recovering, and the latest estimates put the cost to taxpayers at $17 million.

The indictment noted that the hackers got access to the networks by exploiting known vulnerabilities in server software.

The details contained in the indictment show the need for increased vigilance and protective measures for both businesses and government institutions, said Assistant Attorney General Brian A. Benczkowski during a November 2018 press conference. Indeed, the hackers’ methods seem to be proliferating. Recently, the Federal Bureau of Investigation and the Department of Homeland Security issued a warning that the tools to conduct SamSam attacks were being sold on the darknet.

The agencies and other security experts have recommended a list of best practices to protect against attacks. Among them:

  • Keep both operating and application software patched and up-to-date.

  • Audit networks for systems that expose the RDP (Remote Desktop Protocol) port for remote communication, and either disable the service or install the available patches.

  • Verify that cloud-based virtual machine instances with public IP addresses have no open RDP ports, especially port 3389, unless absolutely necessary. Systems with an open RDP port should be placed behind a firewall and use a virtual private network (VPN).

  • Make sure that logs capture RDP logins and review them regularly to detect intrusion attempts.

  • Where possible, disable RDP on critical devices.

  • Use strong passwords and institute account lockout policies to defend against brute force attacks.

  • Use two-factor authentication wherever possible.

  • Maintain good backups. Back up data and configuration files, not just application files.

  • Restrict users' ability (permissions) to install and run unwanted software applications.

  • Continually educate employees about good security habits.

  • Run frequent tests to gauge how many employees will still click on the attachment in a phishing email.

  • Scan for and remove suspicious email attachments.
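Two of the recommendations above, capturing and reviewing RDP logins and instituting account lockout policies against brute-force attempts, can be tied together in a small log-review routine. The following is an added example written for this article, not code from the agencies or the security firm it cites. It parses constructed sample records (a simplified "timestamp event_id user src type" shape standing in for Windows Security events, where event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 a remote-interactive, i.e. RDP, session) and flags any source address that fails a configurable number of RDP logons inside a time window, noting whether a successful RDP logon from that source followed. The threshold and window are assumptions chosen to mirror a typical lockout policy, not values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Private-use and documentation
# address ranges are used for the source IPs.
SAMPLE_LOG = """\
2018-03-21T02:14:05 4625 user=admin src=203.0.113.45 type=10
2018-03-21T02:14:07 4625 user=admin src=203.0.113.45 type=10
2018-03-21T02:14:09 4625 user=administrator src=203.0.113.45 type=10
2018-03-21T02:14:11 4625 user=backup src=203.0.113.45 type=10
2018-03-21T02:14:13 4625 user=sqlsvc src=203.0.113.45 type=10
2018-03-21T02:14:15 4625 user=helpdesk src=203.0.113.45 type=10
2018-03-21T02:14:40 4624 user=helpdesk src=203.0.113.45 type=10
2018-03-21T08:02:10 4625 user=jsmith src=10.0.0.12 type=10
2018-03-21T08:02:30 4624 user=jsmith src=10.0.0.12 type=10
2018-03-21T09:00:00 4624 user=svc_batch src=10.0.0.40 type=3
"""

# Assumed line shape for the simplified records above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<ltype>\d+)$"
)

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Turn the simplified log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "user": m["user"],
            "src": m["src"],
            "ltype": int(m["ltype"]),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed RDP logons inside `window`.

    `threshold` is meant to match the account lockout threshold in use, so a
    source that trips it is also one the lockout policy should have stopped.
    Each alert records the usernames tried and whether a successful RDP logon
    from the same source followed the burst of failures.
    """
    rdp = sorted((e for e in events if e["ltype"] == RDP_LOGON_TYPE), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> failures still inside the window
    total_failures = defaultdict(int)    # src -> all failures seen
    alerts = {}
    for e in rdp:
        if e["eid"] == FAILED_LOGON:
            total_failures[e["src"]] += 1
            bucket = recent_failures[e["src"]]
            bucket.append(e)
            cutoff = e["ts"] - window
            bucket[:] = [f for f in bucket if f["ts"] >= cutoff]  # age out old failures
            if len(bucket) >= threshold and e["src"] not in alerts:
                alerts[e["src"]] = {
                    "src": e["src"],
                    "first_failure": bucket[0]["ts"],
                    "usernames": set(),
                    "success_after": None,
                }
            if e["src"] in alerts:
                alerts[e["src"]]["usernames"].update(f["user"] for f in bucket)
        elif e["eid"] == SUCCESSFUL_LOGON and e["src"] in alerts:
            a = alerts[e["src"]]
            if a["success_after"] is None:
                a["success_after"] = (e["user"], e["ts"])
    for a in alerts.values():
        a["usernames"] = sorted(a["usernames"])
        a["failure_count"] = total_failures[a["src"]]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

A source that fails once and then logs in (10.0.0.12 above) is ordinary user behaviour and is not flagged; the source that cycles through several account names in seconds and then succeeds is the pattern worth escalating, and a review of the lockout policy should ask why that many failures were possible before the successful logon.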

Although the government, health care, and education sectors have disclosed their attacks, a recent report by a security firm estimates that those disclosures represent less than half of all SamSam attacks. The private sector has likely experienced the most attacks, even though companies have not disclosed them, the report said.

Filed under: cybersecurity, data breach
