Ransomware Attack
Topics covered previously
• On Dec. 1, the Israel National Cyber Directorate (INCD) and the Capital Market Authority announced that Shirbit Insurance, an Israeli insurance provider that serves many government employees, was the victim of a vaguely described “data breach event” that they had started investigating on Nov. 30.
• Black Shadow initially demanded 50 Bitcoin in exchange for not publishing the company’s sensitive client information. After Shirbit missed the first payment deadline, the demand rose to 100 BTC and, later, 200 BTC.
• Because Shirbit’s representatives refused to negotiate, the attackers have since released not one but three large batches of information via their Telegram channel. The Times of Israel reports that the attackers may have sold at least some of the stolen data to an unknown third party.
Top 5 Ransomware Attacks to Watch Out for in 2021
Maze Ransomware
• Maze is currently the most infamous ransomware threat to enterprises worldwide. It was previously known as “ChaCha ransomware” and was discovered by Jerome Segura on May 29, 2019.
• Maze encrypts all files and demands a ransom to recover them.
• It threatens to publish the stolen information on the internet if the victim fails to pay the demanded ransom.
• Large companies that have suffered a Maze ransomware attack include Cognizant, Xerox and, allegedly, Canon.
REvil Ransomware
• REvil is a file-locking ransomware that encrypts the victim’s files after infecting the system and then displays a ransom note. The note states that the victim must pay the requested ransom in bitcoin; if the victim fails to pay in time, the demand is doubled.
• The group behind it is also known for targeting A-list celebrities and leaking their data on the dark web.
• According to The Times, a series of screenshots, including a legal document from Madonna’s tour contract and dozens of computer files belonging to celebrities such as Bruce Springsteen, Bette Midler, and Barbra Streisand, were leaked.
Ryuk Ransomware
• Ryuk is one of the most active ransomware families and among the biggest players in the field. It is crypto-ransomware that blocks access to files, systems, or devices by encrypting them until the ransom is paid.
• It gains unauthorized access to a system either through TrickBot or by other means such as Remote Desktop Services. It encrypts files with RSA and AES, using a unique key for each executable.
• Ryuk mainly targets large businesses and government agencies that can pay a huge ransom. EMCOR, a US-based Fortune 500 company, is one victim of this attack, which took down some of its IT systems.
Tycoon Ransomware
• Tycoon is a recently discovered ransomware strain written in Java. It has been targeting several organizations in the education and software industries.
• This malware is considered unusual because it is deployed inside a trojanized version of the Java Runtime Environment.
• After infecting a system, Tycoon locks administrators out, following an attack on the file servers and the domain controller.
• It gains initial access through weak or compromised passwords, a common vector for compromising exposed servers.
NetWalker Ransomware
• NetWalker, also known as Mailto, is one of the newest variants of the ransomware family. Various remote workers, enterprises, government agencies and healthcare organizations reported being attacked by NetWalker last year.
• NetWalker compromises the victim’s network and encrypts all the Windows devices connected to it.
• When executed, it uses an embedded configuration that includes ransom notes, file names, and several configuration options.
• According to security researchers, this ransomware spreads itself in two ways:
  • through a VBS script attached to Coronavirus-themed phishing emails
  • through executable files that spread across networks
Ransomware Prevention and Protection
1. Endpoint Protection
2. Data Backup
Regularly back up data to an external hard drive, using version control and the 3-2-1 rule
(create three backup copies on two different media, with one backup stored in a separate
location). If possible, disconnect the hard drive from the device so that the backup data cannot
be encrypted along with the originals.
3. Patch Management
Keep the device’s operating system and installed applications up-to-date, and
install security patches. Run vulnerability scans to identify known vulnerabilities
and remediate them quickly.
4. Application Whitelisting and Control
Establish device controls that allow you to limit applications installed on the device to a
centrally-controlled whitelist. Increase browser security settings, disable Adobe Flash and other
vulnerable browser plugins, and use web filtering to prevent users from visiting malicious sites.
5. Email Protection
Train employees to recognize social engineering emails, and conduct drills to test whether employees
can identify and avoid phishing. Use spam protection and endpoint protection technology
to automatically block suspicious emails, and block malicious links if a user does end up clicking
on them.
6. Network Defenses
Use a firewall or web application firewall (WAF), Intrusion Prevention / Intrusion Detection
Systems (IPS/IDS), and other controls to prevent ransomware from communicating with
Command & Control centers.
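As an added example (not part of the original slides), the following Python checks an inventory of backup copies against the 3-2-1 rule from item 2 above, and additionally reports whether at least one copy is detached from the production host, since a mounted backup drive can be encrypted together with the originals. The `BackupCopy` fields and the sample inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    label: str       # human-readable name of the copy (hypothetical)
    medium: str      # storage medium, e.g. "external-hdd", "cloud", "tape"
    location: str    # where the copy lives, e.g. "office", "offsite-vault"
    attached: bool   # True if the copy is mounted/reachable from production

def check_321(copies, primary_location="office"):
    """Evaluate backup copies against 3-2-1: 3 copies, 2 media, 1 offsite.
    Also flags whether any copy is offline (detached), which the rule itself
    does not require but which protects the backup from being encrypted."""
    media = {c.medium for c in copies}
    offsite = [c for c in copies if c.location != primary_location]
    offline = [c for c in copies if not c.attached]
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(offsite) >= 1,
        "offline_copy": len(offline) >= 1,
    }
    result["compliant"] = result["three_copies"] and result["two_media"] and result["one_offsite"]
    return result

def gaps(copies, primary_location="office"):
    """Return the list of 3-2-1 requirements (plus the offline check) not met."""
    messages = {
        "three_copies": "fewer than three backup copies",
        "two_media": "all copies are on the same kind of medium",
        "one_offsite": "no copy is stored in a separate location",
        "offline_copy": "every copy is attached and could be encrypted by ransomware",
    }
    result = check_321(copies, primary_location)
    return [msg for key, msg in messages.items() if not result[key]]

# Constructed sample inventories (not real systems).
WEAK = [
    BackupCopy("nightly-image", "external-hdd", "office", True),
    BackupCopy("weekly-image", "external-hdd", "office", True),
]
GOOD = [
    BackupCopy("nightly-image", "external-hdd", "office", False),
    BackupCopy("nightly-sync", "cloud", "cloud-eu", True),
    BackupCopy("monthly-tape", "tape", "offsite-vault", False),
]

if __name__ == "__main__":
    for name, inv in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, check_321(inv)["compliant"], gaps(inv))
```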