

10/22/2018
08:05 AM
Scott Ferguson
News Analysis-Security Now

Ransomware Attacks Target Public & Government Orgs With More Frequency, Ferocity

For a while, ransomware attacks, and the actors behind them, targeted businesses and private enterprises. Now, since the start of 2018, it's increasingly a public affair.

Anupam Sahai, the vice president of product management at Cavirin, which makes compliance and risk management tools for hybrid clouds, noted in an email that ports are one of 16 different critical infrastructures listed by the US Department of Homeland Security.

An attack against a port could be a test run of a bigger attack that is being planned.

"A compromised port facility may also provide easier entry for nuclear, biological, or chemical agents to be used in future physical attacks," Sahai wrote.

Better prepared
What complicates ransomware attacks on public institutions, besides the underlying motive, is the whole notion of money -- specifically, that government institutions lack the cash to pay ransoms or have strict rules prohibiting such action.

Many of these agencies and organizations also lack the cybersecurity skills to fight off, or at least recover from, a ransomware attack.

Port of Barcelona (Source: iStock)

Ovum's Turner notes that the NHS knew it had systems that needed patching, but the IT and security staffs could not find the time or resources to conduct all the proper maintenance of its IT infrastructure. He noted:

Add to that the fact that some ransomware attacks such as WannaCry exploit common, well-known and well-documented vulnerabilities that should have been patched months beforehand, but which IT departments in places such as the UK's National Health Service were unable to patch across their entire infrastructure because they couldn't find the right moment to take down vital assets to perform the update. This makes for a perfect storm of "operationally justifiable vulnerability" that ransomware attacks can exploit at their leisure.

Still, state and local governments, along with other public agencies, need to take the security steps that they can, which includes developing a multi-layer program that can stop malware and other intrusions from coming onto the network in the first place, said Darius Goodall, director of product marketing at Barracuda Networks, who has worked with Miami, Oklahoma City and others on cybersecurity prevention.

While prevention is the key, Goodall concedes that ransomware can still get through. In that case, government agencies need specific backup plans to get systems restored and to ensure that services continue for the public.

"If data backup is not in place, there are a few steps one can take. First, find out what type of ransomware it is, e.g. encryption, screen-locking, etc., from there you can see if you're still able to access files, especially from another location like a mobile device. If so, then the ransomware is likely fake," Goodall wrote in an email.

"If it's encryption or screen-locking, disconnect from your network and use anti-malware or antivirus software to clean the ransomware and use a data recovery tool to help find those deleted files that are often trashed once ransomware encrypts new copies," he added.

Goodall adds that he never recommends that any cyber attack victim negotiate with threat actors, but he understands the temptation of doing so. Instead, as the cliché goes, the best offense is a good defense.

"The real challenge many organizations face is implementing the security measures necessary to prevent your organization from ever finding itself in the position in the first place," Goodall wrote.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
