On February 9, 2022 the United States, United Kingdom, and
Australia issued a joint Cybersecurity Advisory on the "Increased
Globalized Threat of Ransomware" against critical
infrastructure sectors ("Advisory"). The Advisory lists
trends in cyber-criminal activity from the last year and also
provides mitigation strategies and recommendations to reduce the
risk of compromise and the impact of ransomware incidents.
The Advisory Illustrates That Critical Infrastructure Is A
Global Target
Within the United States, the Advisory notes there have been
ransomware attacks against "14 of the 16 U.S. critical
infrastructure sectors," including the Defense Industrial
Base, Emergency Services, Food and Agriculture, Government
Facilities, and Information Technology Sectors. Australia reports
targeting of sectors including Healthcare and Medical, Financial
Services and Markets, Higher Education and Research, and Energy,
while the United Kingdom notes Education is one of the top sectors
targeted by ransomware actors.
While The Ransomware Model Remains Consistent, Criminals Are
Exploring Additional Extortion Opportunities
The Advisory indicates that phishing, Remote Desktop Protocols
("RDP"), and exploited vulnerabilities continue to be key
vectors for ransomware intrusion. It also notes that
"professional" ransomware actors became increasingly
common in 2021 and that ransomware threat actors may now use
independent services to negotiate payments, assist victims with
making payments, or even arbitrate payment disputes between
themselves and other cyber criminals.
While the Advisory notes there may be a shift away from
targeting "big game" organizations due to law enforcement
pressure, the UK observed targeting of organizations of all sizes
throughout the year. Importantly, there has been a notable increase
in the use of "triple extortion": threaten to (1)
publicly release stolen sensitive information; (2) disrupt the
victim's internet access, and/or (3) inform the victim's
partners, shareholders, or suppliers about the incident.
The Advisory Lists Common Ransomware Mitigation Steps
In a common governmental refrain, the Advisory discourages
payment of the ransom on the grounds that this confirms the
viability and financial attractiveness of the ransomware criminal
business model. The Advisory does provide helpful reminders of
mitigating steps that may help protect against these attacks. These
include:
- Patch and update operating systems and software in a timely
fashion. - Eliminate or minimize use of RDP and require multi-factor
authentication ("MFA") and white listing for any RDP that
is required. - Implement a user training program and conduct phishing
exercises. - Require strong and unique passwords for all accounts, and MFA
for as many services as possible. - Protect cloud storage by backing up to multiple locations,
requiring MFA for access, and encrypting data in the cloud. - Implement end-to-end encryption, detect and investigate
abnormal activity, document external remote connections, implement
time-based access for privileged accounts, maintain offline backups
of data and regularly test backup restoration, and ensure all
backup data is encrypted.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss