Ransomware: Readiness, Exercise, Deceive, Prestige - This Week in Security Oct 16 to Oct 22, 2022

Editor's introduction

Hello everyone, this week your editor is Koichi.

Today's This Week in Security focuses on ransomware attacks. First, a survey of readiness for a ransomware attack; then the Japanese FSA's ransomware attack exercise; the Dutch police's deception of a ransomware attack group; and Microsoft's warning about "Prestige" ransomware.

We in F5 SIRT invest a lot of time understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

 

Readiness for Ransomware: "There is no recovery plan if a ransomware attack happens", answered 60% of the Japanese companies surveyed

Deloitte Tohmatsu Group, one of the major accountancy firms, has conducted a survey of Japanese companies' cyber risk preparedness.

As a result, while 34% of companies answered that they have a recovery plan in place to deal with the increasing number of ransomware attacks, more than 60% said they have no plan to recover from a cyber attack.

The survey was conducted from May to July 2022, targeting 476 companies. When asked about their countermeasures in the event of a cyber incident, 63% said they had an internal reporting line in place, and 56% said they had a response system (including officers in charge and a chain of command) in place; that is, more than half of the respondents had these measures.

On readiness for a ransomware attack, 34% answered that they have a backup and recovery plan in place, and 25% answered that they conduct response training with an internal response team (like F5 SIRT), which is less than 30% of the total. 18% of respondents 'have a contract with a cyber security specialist', which means they have no internal cyber security organization.

The implementation status of preventive measures in anticipation of cyber-attacks was also reported: 73% for 'in-house training' and 64% for 'formulating basic policies and regulations', but low at 28% for 'training in-house experts' and 25% for 'appointing someone in charge of information security'.

Yusuke Nakajima, a partner at Deloitte Tohmatsu Group, summarized the survey result: "the introduction of cost-free communication routes and in-house training has progressed, but even major companies have yet to take the step of budget-consuming defense measures", and "To counter ransom attacks, it is necessary to be prepared to store spare data separately from the usual business systems."

Editor’s comment: "recovery plan" is direct translation from the Japanese, I think it includes all the incident response policies.

https://www.nikkei.com/article/DGXZQOUC0492Y0U2A001C2000000/

 

Readiness for Ransomware: FSA's cyber-attack exercise with 160 companies

The Japanese Financial Services Agency (FSA) is the chief regulator of Japan's financial services industry. From 10/18 to 10/27 (JST), it is running a kind of penetration test/stress test (the FSA calls it a cyber-attack exercise) against 160 banks and financial services firms, such as securities firms, cashless payment providers, and crypto exchanges. Financial institutions that have introduced teleworking are also invited to participate in the exercise online.

The exercise is meant to identify the impact of cyber threats/incidents and to learn how to deal with them. The management process, the decision-making process, and the public relations operations process are also tested.
The FSA's aim is to strengthen financial companies' defenses against incidents like customer information leaks, website cracking, and system shutdowns caused by cyber-attacks. Participating institutions will investigate the details of the attack, consider recovery measures, and check whether they can cooperate smoothly with the FSA and other external organizations.

At the end of the exercise, the FSA will evaluate the results and advise on improvement measures and practices, which could become a standard process for the entire financial industry.

Editor’s comment: The Japanese government also did a vulnerability scan to see whether major companies use default passwords for admin users.

https://www3.nhk.or.jp/news/html/20221018/k10013862721000.html

 

Counter-attack on Ransomware: Dutch police deceived a cracker group to obtain the decryption keys

ZDNet shares how the Dutch police had successfully deceived a ransomware attack group into handing over decryption keys, allowing victims to decrypt their data without paying a ransom.

The Dutch National Police (DNP), in cooperation with the Dutch cybersecurity company Responders.NU, obtained more than 150 decryption keys from "Deadbolt", a ransomware attack group.

The decryption keys are now under the control of the DNP and allow victims to retrieve their encrypted files and servers without paying the ransom.

According to the DNP, Deadbolt targets NAS devices; more than 20,000 devices sold by QNAP Systems and ASUSTOR have been encrypted worldwide, at least 1,000 of them in the Netherlands.
The DNP told Deadbolt that they were going to pay the ransom in Bitcoin, and they did send some Bitcoin; however, the transaction was “reversed” (please see the editor’s comment below) after Deadbolt had sent the decryption keys. The Bitcoin transaction to Deadbolt was never confirmed, and Deadbolt had already handed the decryption keys to the DNP.

Through this operation, the DNP obtained more than 150 decryption keys, and nearly 90% of Deadbolt victims were able to get their files back without paying a ransom. The DNP is urging victims of ransomware attacks to come forward and seek help so that it can provide them with the decryption key.

The DNP chief said they were able to obtain the keys for all the Dutch victims who had reported the attack and to contact them within a single night.

The Dutch Public Prosecutor's Office, the European Criminal Police Organization (Europol), and the French national police and gendarmerie also cooperated.

Editor’s comment: The article didn’t say how they “reversed” the payment. I think it means that the transaction was broadcast so that Deadbolt could confirm it, but it was not included in a block, thus the transaction did not actually happen.

https://www.zdnet.com/article/police-tricked-a-ransomware-gang-into-handing-over-its-decryption-keys-heres-how-they-did-it/
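The editor's comment above turns on the difference between a transaction that has been broadcast and one that has been mined. The following Python model is an added example, not code from the article or from the DNP operation; it builds a constructed toy ledger (the Tx and Ledger classes, the outpoint names and the six-confirmation threshold are all assumptions) to show why a receiver must treat a broadcast-only payment as unsettled: a conflicting spend of the same coin that is mined first simply displaces it.

```python
# Toy UTXO ledger (constructed example, not the DNP's or ZDNet's code): Tx,
# Ledger, payment_status and the 6-confirmation threshold are assumptions.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset  # outpoints "txid:index" this transaction spends

@dataclass
class Ledger:
    blocks: list = field(default_factory=list)   # each block is a list of Tx
    mempool: dict = field(default_factory=dict)  # txid -> Tx seen but unmined
    def broadcast(self, tx):
        self.mempool[tx.txid] = tx  # seen on the network, nothing final yet

    def mine(self, txs):
        """Append a block; drop mempool entries it confirms or conflicts with."""
        spent = set().union(*(t.inputs for t in txs))
        self.blocks.append(list(txs))
        for txid, t in list(self.mempool.items()):
            if any(txid == x.txid for x in txs) or t.inputs & spent:
                del self.mempool[txid]

    def confirmations(self, txid):
        """Depth of the block holding txid (1 = chain tip); 0 if not mined."""
        for depth, block in enumerate(reversed(self.blocks), start=1):
            if any(t.txid == txid for t in block):
                return depth
        return 0

def payment_status(ledger, txid, required=6):
    """What a receiver should conclude before releasing anything in return."""
    conf = ledger.confirmations(txid)
    if conf >= required:
        return "settled"
    if conf > 0:
        return "confirming"
    if txid in ledger.mempool:
        return "unconfirmed"  # visible, but a conflicting spend can still win
    return "absent"           # never seen, or displaced by a conflicting spend

def demo():
    ledger = Ledger()
    pay = Tx("pay-ransom", frozenset({"coinbase:0"}))  # spends the only coin
    ledger.broadcast(pay)
    before = payment_status(ledger, pay.txid)  # "unconfirmed"
    # A conflicting spend of the same coin is mined first and displaces pay.
    ledger.mine([Tx("pay-self", frozenset({"coinbase:0"}))])
    return before, payment_status(ledger, pay.txid)  # ("unconfirmed", "absent")
```

Only `payment_status` returning "settled" should ever be treated as money received; everything below that is a promise the network has not yet kept.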

 

Warning of Ransomware: Microsoft warns of 'Prestige' ransomware with distinctive behaviour

Microsoft announced on 14 October (14 October US time) that it had discovered a new ransomware campaign attacking transport and logistics organisations in Ukraine and Poland.

According to the Microsoft Threat Intelligence Centre (MSTIC), the attacker identifies the malware as 'Prestige ransomware' in the ransom demand text. MSTIC has not confirmed that the attackers are exploiting specific software vulnerabilities, but says that both attacks use stolen 'Active Directory' administrator account credentials. This ransomware campaign is unusual in that it targets entire enterprises, which is not common in Ukraine, and Microsoft cannot find any connection to the other 94 ransomware groups it is tracking.

https://www.zdnet.com/article/microsoft-warns-over-unusual-ransomware-attacks/

Published Oct 27, 2022
Version 1.0