On Friday, February 25, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare, urgent ransomware warning for the U.S. and its allies. The National Cyber Security Centre (NCSC) in the United Kingdom issued a similar advisory. Almost at the same time, the ransomware group Conti issued a warning for ‘those that conduct any cyberattacks against Russia.’ Conti is the ransomware group responsible for over 400 ransomware attacks against U.S. and international organizations, including a devastating attack against Ireland’s national health system that may end up costing that country over $110 million to clean up.
Also on Friday afternoon, the Anonymous collective launched an attack on the Russian Ministry of Defense, exposing data from that agency as well as attacking other Russian agencies. The Russian government, Conti, and other ransomware groups may use this as a pretext for cyberattacks on U.S. and international targets, especially now that sanctions and other financial repercussions are on the table or in effect.
These attacks may take the form of ransomware, wiperware, DDoS, or a combination of these threats. The best defense is to ward off an attack before it happens, especially now, when recovery resources will be strained.
How you can help protect your organization
Events are moving very fast now, and you need to protect your organization. What should you prioritize right now? In addition to making sure your IT staff and crisis management team are alerted and ready to respond, there are concrete steps that can help you protect your organization and be ready to recover if needed.
- Ensure that all updates and patches are applied. Prioritize updates that address the known exploited vulnerabilities identified by CISA.
- Enforce multi-factor authentication and least-privilege access controls, such as Zero Trust Access.
- Web applications, including password-protected ones, are an attractive target for attackers. Web application security, especially when deployed as a SaaS application, can be implemented quickly.
- Use network segmentation to prevent attacks from spreading laterally or attackers from finding additional sensitive data.
- Block phishing attacks before they succeed. Most ransomware and other malware attacks start with phishing for the credentials that give attackers access to sensitive areas, where they can then place and detonate their payloads.
- Alert users that this is a time to be extremely careful. Remind them whom to notify if they see suspicious activity, and give them the security awareness training they need to identify phishing and other threat types.
- Limit the damage of email attacks with incident response software that can stop the spread of dangerous emails and proactively identify security threats.
- Back up all data, including SaaS applications such as Microsoft 365, and ensure you have a protected copy of the data to restore from. Turn on IP location and role-based access controls.