
FBI ransomware warning extends to, well, almost everyone.
If you were not a municipality or school district, you might have been feeling fine about the recent ransomware attacks. After all, it looked like criminals were targeting cities and schools in the US, and if you did not fall into one of those categories, it may have felt like business as usual. Now the FBI's Internet Crime Complaint Center (IC3) has issued an alert on the ransomware threat not only to state and local government but also to healthcare, industrial companies and transportation, its first ransomware alert since 2016. The alert follows several recent high-profile attacks on manufacturing and healthcare, and it may also be a response to concerns that the federal government is not doing enough to combat the threat.
Part of the reason for the warning is that the weaknesses ransomware exploits are much the same across sectors: the issues that hurt municipalities and schools apply, writ large, to healthcare and manufacturing. Businesses and hospitals arguably have deeper pockets, and they may also hold data that is worth more. In many cases ransomware is the second stage of the attack; the first is stealing the data, which can be sold whether or not the victim pays. Stolen social security numbers reportedly sell for $1 to $8 on the dark web, credit card information for around $110, and personal medical records for as much as $1,000.
And it is not just in the US. Recently a manufacturer in Denmark, Demant, was hit with an attack that will cost as much as $95 million to recover from. Seven hospitals in Australia were crippled by ransomware that shut down financial and patient booking systems. Three hospitals in Ontario, Canada, were hit by the "Ryuk" ransomware, and experts have warned that other Canadian hospitals may also have been affected.
The ransoms being demanded are in some cases astronomical, especially compared with demands from not even six months earlier. The ransom in the Baltimore case in May was 13 bitcoin, roughly $76,000 at the time. That pales next to the $5.3 million that the city of New Bedford, MA, was asked for in July.
So what is the FBI advising that organizations do to protect themselves? Here are some of the FBI recommendations and examples of how Barracuda’s solutions can help implement them:
- FBI – “Regularly back up data and verify its integrity.” The very first thing the FBI advises is to back up your data. The FBI notes that backups are critical in a ransomware incident and are the most reliable way to recover your data. Verifying integrity matters because a backup that was silently corrupted or encrypted before you needed it is not a backup, and copies that stay reachable from the production network can be encrypted along with everything else, so keep at least one copy offline or otherwise isolated and test restores regularly. With the right backup, ransomware recovery can be a matter of hours, as this Barracuda Backup case study shows.
- FBI - “Focus on awareness and training.” To prevent an attack, the FBI recommends that businesses of all sizes focus on security awareness and training. A team of users who are well versed in security best practices provides an additional line of defense against ransomware. Consider a solution like Barracuda PhishLine, which uses simulation testing and video training to teach employees and staff to recognize and report the lures ransomware arrives with: phishing email, SMiShing (SMS/text), vishing (voice calls and voicemail) and physical media (USB drives and similar). There is also AI-based spear-phishing and cyber-fraud defense that stops fraudulent email from reaching end users in the first place. Since most ransomware attacks start with email, it makes sense to strengthen this layer of protection as much as possible.
- FBI - “Employ best practices for RDP, including port control and multi-factor authentication.” The SamSam ransomware variant that hit Atlanta likely gained access through RDP. In practice this means never exposing RDP (TCP 3389) directly to the internet, reaching it only through a VPN or gateway, and requiring MFA on every remote login. Barracuda CloudGen Firewall provides multi-factor authentication and deep packet inspection.
- FBI - “Configure access controls with the least privilege in mind.” If people do not genuinely need access, do not give it to them: the fewer accounts that can reach a system or data set, the fewer paths ransomware has to spread through it. Next-generation firewalls generally offer access control. Barracuda CloudGen Firewall offers access control as well as advanced security analytics, so you can see exactly what is happening across network activity, web activity and security events.
- FBI - “Implement application allow-listing. Only allow systems to execute programs known and permitted by security policy. This can help prevent unknown or malicious applications from causing havoc in your infrastructure.” Host-level allow-listing controls which executables are permitted to run on endpoints and servers. Barracuda WAF and WAFaaS apply the same positive-security idea to web applications: application learning builds positive security profiles by sampling web traffic from trusted hosts, and once enabled, those profiles let administrators enforce granular allow-list rules on sensitive parts of the application. This greatly reduces the attack surface and helps mitigate exploitation of zero-day vulnerabilities.
- FBI - “Use virtualized environments to execute operating system environments or specific programs.” Barracuda Advanced Threat Protection offers sandboxing to make sure that suspicious files and attachments are detonated in an isolated environment before they are allowed to enter the network.
- FBI - “Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.” Firewalling and micro-segmentation can be used to implement these strategies. Barracuda CloudGen Firewall provides granular security controls that allow network administrators to deploy a zero-trust strategy throughout the company. Data and applications can be securely segmented based on the needs of the organization.
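The "verify its integrity" half of the first recommendation is the part most teams skip. The following is an added example (not code from the original post or from any Barracuda product) showing one way to do it: record a SHA-256 manifest of the backup set when it is written, then check the set against the manifest before trusting it for recovery. The sample files, the simulated ransomware activity and the ransom-note filename are all constructed here for illustration.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example, not part of the original post. A manifest written at backup
time lets you detect files that were later encrypted in place (hash changes),
truncated, deleted, or added (for example a dropped ransom note) before you
rely on that backup to recover.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with a manifest.

    Returns sorted lists under the keys 'ok', 'modified', 'missing' and
    'unexpected'. Size is checked first as a cheap filter; a ransomware
    encryptor that keeps the size identical is still caught by the hash.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate ransomware and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients").mkdir()
        (root / "patients" / "records.csv").write_bytes(b"id,name\n1,alice\n")
        (root / "ledger.db").write_bytes(b"\x00" * 1024)
        (root / "config.ini").write_text("[app]\nmode=prod\n")

        # In production the manifest is stored off the backup host (and signed);
        # here it is simply serialised to JSON and kept in memory.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated ransomware: encrypt one file in place (same size, random
        # bytes), delete another, and drop a ransom note. config.ini is untouched.
        (root / "ledger.db").write_bytes(os.urandom(1024))
        (root / "patients" / "records.csv").unlink()
        (root / "README_DECRYPT.txt").write_text("pay up")  # constructed filename

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. First, the manifest must live somewhere the backup host cannot overwrite, or be signed with a key the host does not hold; an attacker with write access to the backup can otherwise regenerate the manifest after encrypting the files. Second, a matching hash proves the bytes are unchanged, not that they are restorable: schedule actual restore tests alongside the hash check.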
As the ransomware arms race escalates, attackers are growing more sophisticated in the targets they choose and the methods they employ. The good news is that the tools and techniques available to counter those attacks are improving too. It is up to the organizations at risk to choose the right partners to help them defend against every attack they can.