Hard Lessons from a Ransomware Attack
A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.
Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Press that the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.
The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.
How the Mekinac Cyberattack Unfolded
The Canadian Press reported that on September 10, this year, municipal employees returning to work after the weekend found a ransomware notice on their work computers informing them that their files were locked. The notices also specified that a total of 8 Bitcoins, then equivalent to $65,000, had to be paid to the attackers to unlock the files.
The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000 worth of Bitcoin as ransom to unlock the files.
“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road that the municipality took as choosing the other way could mean months of data re-entry, costing significantly more than $30,000.
Mekinac’s ransomware attackers remain unidentified, and their location has not been determined to date.
What is a Ransomware Attack?
Ransomware is malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft: plaintext, or any other form of data, is converted from a readable format into an encoded version that can only be read by someone who holds the decryption key.
In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand a ransom payment from the victim in exchange for the decryption key.
Ransomware reaches computers or servers in many ways. Here are some of the most common:
1. Email-Based Attack
In the case of the Mekinac ransomware attack, the municipality’s servers were infected after an employee opened a malicious email sent by the attackers and clicked on a link in it. It wasn’t specified, however, which particular ransomware hit Mekinac’s servers.
The ransomware called “Locky” is an example of ransomware spread via email spam campaigns. It arrives on a victim’s computer as a Microsoft Office email attachment that evades antispam filters and tricks the user into opening it. Once the malicious attachment is opened, Locky encrypts the computer’s files and then demands that the victim pay a ransom to unlock them.
2. Drive-By Attack
A drive-by attack is another way attackers infect computers or servers. Bad Rabbit ransomware is an example of ransomware distributed via drive-by attacks.
In a drive-by attack, attackers insert malicious code, in this case ransomware, into an insecure website. Once a user visits the compromised site, the malware is either downloaded directly to the visitor’s computer, or the visitor is redirected to another website controlled by the attackers and the malware is downloaded from there.
3. Unpatched Servers
The ransomware called “SamSam” is an example of a ransomware that infects servers when they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update.
Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”
Lessons from Ransomware Attacks
Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.”
In addition to encryption and email scanning, here are additional best practices to protect your organization’s servers from ransomware attacks:
Back Up Important Files
Backing up files to secure storage that isn’t connected to your organization’s servers gives your organization assurance that if anything happens to the servers, for instance a ransomware attack, it will still have copies of the important files. This removes the pressure to pay the attackers for the decryption key to unlock the locked files.
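Ransomware, as described above, leaves behind files that no longer look like the documents their names claim, and an offline backup is only useful if it was taken before that happened. The following Python script is an added example, not code from the article or from the municipality: it scans a file share or a backup set and flags files whose bytes look encrypted, checking binary formats against their magic bytes (their content is already high-entropy, so entropy alone would false-positive) and everything else against Shannon entropy, since ciphertext is close to random. The format map, thresholds and sample file names are constructed assumptions.

```python
import math
import os
import tempfile

# Formats whose legitimate content is already dense (zip-based Office files, PDF,
# images): check their header instead of entropy. Assumption: extend to your formats.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
TEXT_EXTS = {".txt", ".csv", ".xml", ".json", ".html"}
ENTROPY_THRESHOLD, SAMPLE_BYTES = 7.5, 65536  # bits/byte (random nears 8.0); bytes read per file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if data else 0.0

def looks_encrypted(path: str):
    """Return why a file no longer matches what its name says it is, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if ext in MAGIC:  # binary format: a missing header means the bytes were replaced
        return None if head.startswith(MAGIC[ext]) else f"{ext} header missing"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        kind = "text file" if ext in TEXT_EXTS else f"unknown extension {ext!r}"
        return f"{kind} with ciphertext-like entropy"
    return None

def scan_tree(root: str) -> dict:
    """Walk a file share or backup set; return {relative path: reason} for hits."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return {os.path.relpath(p, root): why for p in paths if (why := looks_encrypted(p))}

def build_sample_tree() -> str:
    """Constructed sample files (not real data): two intact, two as ransomware leaves them."""
    root = tempfile.mkdtemp()
    samples = {"minutes.docx": b"PK\x03\x04" + b"[Content_Types].xml" * 200,  # intact
               "budget.csv": b"item,amount\nroads,12000\n" * 300,             # intact
               "contracts.docx": os.urandom(8192),          # encrypted in place, name kept
               "payroll.csv.locked": os.urandom(8192)}      # encrypted and renamed
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
if __name__ == "__main__":
    for path, why in scan_tree(build_sample_tree()).items():
        print(f"FLAGGED {path}: {why}")
```

Run it against a freshly mounted backup before restoring from it; a backup set with hits was taken after the encryption started and cannot be trusted.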
Keep All Software Up-To-Date
Make sure that all your organization’s software, specifically the server operating system, is up to date. Every security update or patch issued by software vendors contains fixes for security vulnerabilities that cybercriminals are quick to exploit.
Implement Domain Whitelisting
Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.
Limit the Number of Users with Administrator Privileges
A computer user with administrator privileges can install and uninstall software and change configuration settings. Restricting this privilege to a small number of personnel limits the exposure of your organization’s servers to drive-by attacks.
When your organization needs help, our experts are a phone call away. Contact us today to prevent ransomware attacks.
Steve E. Driz, I.S.P., ITCP