HIPAA Say What!?!
[05:34] We have discussed many times the need to remove access for staff who have been terminated. One thing we should all take into consideration these days is that not every employee elects to leave; some pass away. This may not happen often, but it is a shock when it does, and that shock keeps us from following our normal offboarding process. A recent story brought this up in a big way.
Dead System Admin’s Credentials Used for Ransomware Attack
A ransomware gang installed crypto-locking malware on about 100 vulnerable systems in one attack, using the stolen credentials of a deceased administrator. This gang targets organizations with unpatched or poorly secured Citrix remote access technology. Nothing new there; we have been saying for some time that vulnerable remote access is a major attack vector. What caught the eye of researchers was that the attackers were using the admin credentials of a system administrator who had died three months earlier, while the account remained active.
Once the attackers gained access through the compromised admin account, the gang spent a month stealing credentials for other accounts and exfiltrating hundreds of gigabytes of data before deploying the ransomware and encrypting everything.
The work, all carried out under the deceased admin's account, took place mostly in the middle of the night for roughly a month. The attackers gained additional access to the organization's network, allowing them to create new users and add them to AD. All of that took place, and no one noticed. In fact, the article quoted the company: "No alerts were set off, so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups."
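As an added example (ours, not from the article or the podcast), here are the two checks that would have surfaced this case: reconciling enabled AD accounts against the HR roster, and alerting when a newly created account is dropped into a privileged group. The account names, HR statuses and log records below are constructed; the event IDs are the standard Windows Security log IDs (4720 user created, 4728/4732/4756 member added to a security-enabled group, 4624 logon). The inactivity test is included deliberately: it is the one most shops already run, and on its own it would have missed this account once the intruders started logging on with it.

```python
"""Two checks motivated by the deceased-admin case. All accounts, HR statuses
and event records are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed export of AD accounts (the fields Get-ADUser would give you).
AD_ACCOUNTS = [
    {"sam": "jsmith",  "enabled": True,  "last_logon": "2021-03-10T02:13:00"},  # deceased, but in use
    {"sam": "mjones",  "enabled": True,  "last_logon": "2020-11-01T09:00:00"},  # left months ago
    {"sam": "svc_bkp", "enabled": True,  "last_logon": "2021-03-11T23:00:00"},  # no HR owner on file
    {"sam": "aperez",  "enabled": True,  "last_logon": "2021-03-11T15:30:00"},  # current employee
    {"sam": "tlee",    "enabled": False, "last_logon": "2020-06-01T08:00:00"},  # already disabled
]

# Constructed HR roster: the authoritative list of who still works here.
HR_ROSTER = {"jsmith": "deceased", "mjones": "terminated", "aperez": "active", "tlee": "terminated"}

def reconcile_accounts(ad_accounts, hr_roster, now, stale_days=90):
    """Return (reason, account) pairs for enabled accounts that should not be enabled.

    Two independent tests:
      * HR status: anyone HR does not list as 'active' (terminated, deceased, or no
        owner at all) must not hold an enabled account. This catches jsmith even
        though the account logged on two days ago; the intruders' use keeps it fresh.
      * Inactivity: no logon for stale_days. On its own this would only have caught
        jsmith in the window before the intruders started using the account.
    """
    findings = []
    for acct in ad_accounts:
        if not acct["enabled"]:
            continue
        status = hr_roster.get(acct["sam"], "no-owner")
        if status != "active":
            findings.append((f"enabled-but-{status}", acct["sam"]))
        if now - datetime.fromisoformat(acct["last_logon"]) > timedelta(days=stale_days):
            findings.append(("inactive", acct["sam"]))
    return findings

def audit(now="2021-03-12T00:00:00"):
    """Run the reconciliation against the constructed data as of a fixed date."""
    return reconcile_accounts(AD_ACCOUNTS, HR_ROSTER, datetime.fromisoformat(now))

# Standard Windows Security event IDs.
USER_CREATED = 4720
GROUP_ADD = {4728, 4732, 4756}   # member added to global / local / universal security group
LOGON = 4624
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed Security log excerpt, in time order.
EVENTS = [
    {"id": LOGON, "time": "2021-03-10T02:13:00", "target": "jsmith"},
    {"id": USER_CREATED, "time": "2021-03-10T02:20:00", "actor": "jsmith", "target": "adm_backup"},
    {"id": 4728, "time": "2021-03-10T02:21:00", "actor": "jsmith", "target": "adm_backup", "group": "Domain Admins"},
    {"id": LOGON, "time": "2021-03-11T15:30:00", "target": "aperez"},
    {"id": 4728, "time": "2021-03-11T15:45:00", "actor": "aperez", "target": "fin_ro", "group": "Finance-ReadOnly"},
]

def detect_events(events, hr_roster, window=timedelta(hours=24)):
    """Scan events in order and return (rule, account) alerts.

    separated-account-logon          4624 for an account HR lists as anything but active
    privileged-group-add             4728/4732/4756 into a group in PRIVILEGED_GROUPS
    new-account-to-privileged-group  same, and the target was created (4720) within `window`
    Accounts unknown to HR (service accounts) are left to reconcile_accounts() rather
    than alerted on at every logon, to keep this rule low-noise.
    """
    alerts, created_at = [], {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == USER_CREATED:
            created_at[ev["target"]] = t
        elif ev["id"] == LOGON:
            status = hr_roster.get(ev["target"])
            if status is not None and status != "active":
                alerts.append(("separated-account-logon", ev["target"]))
        elif ev["id"] in GROUP_ADD and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-add", ev["target"]))
            born = created_at.get(ev["target"])
            if born is not None and t - born < window:
                alerts.append(("new-account-to-privileged-group", ev["target"]))
    return alerts

if __name__ == "__main__":
    for f in audit():
        print("account review:", *f)
    for a in detect_events(EVENTS, HR_ROSTER):
        print("alert:", *a)
```

The HR reconciliation is the control that matters here: the deceased admin's account fails it the day HR records the death, regardless of how recently the account logged on. Feed the same roster into the logon rule and the 02:13 logon and the 02:21 Domain Admins addition both fire, which is exactly the pair of alerts the company said it never received.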
9 Smart Cyber Habits
[13:11] We've seen some good news about ransomware lately. The average payment reportedly is dropping to around $150k, and a few gangs have been shut down by law enforcement. Apparently another one claims it is closing up shop and sending decryption keys to its victims. All very good news in the ongoing battle.
Does that mean we can let our guard down even a tiny little bit? NO. Not. At. All. There is a reason ransomware is one of the top five threats in the 405(d) HICP guide. It comes and goes, but it never goes away, and each time it returns it seems worse than the last round.
That is why CISA is running a special awareness campaign, launched in January and running through May 3. The catchy title is Reduce the Risk of Ransomware. CISA has sites loaded with information and resources for organizations and individuals. The campaign also includes nine "smart cyber habits" that we should all implement to avoid falling victim to ransomware. The whole idea of reducing the risk of ransomware is a good one, but we need to spread the word and share the information they are publishing. Guess what! We want to help with this.
Of course, we have links to the ransomware resources published by CISA in our notes and encourage everyone to check them out. We will not be able to touch on everything in one episode, so they are certainly worth a look on your own. They include everything from social media images to fact sheets and guides for managing ransomware protections.
SMART CYBER HABITS
[19:22] During this awareness campaign, CISA emphasizes nine key messages that promote smart cyber behaviors or actions that individuals and organizations should implement to help prevent and mitigate ransomware attacks.
- Keep Calm and Patch On – Patching is essential for preventive maintenance that keeps machines up-to-date, stable, safe, and secure against malware and other cyber threats.
- Backing Up Is Your Best Bet – It is critical to set up offline, encrypted backups of data and to regularly test your backups. The more you automate your backup system, the more frequently you can back up your data.
- Suspect Deceit? Hit Delete. – If an email looks suspicious, do not compromise your personal or professional information by responding or opening attachments. Delete junk email messages without opening them.
- Always Authenticate – Implement multi-factor authentication (MFA) to prevent data breaches and cyber-attacks. This means a strong password plus at least one other factor, so a stolen or reused password alone is not enough to log in.
- Prepare and Practice Your Plan – Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
- Your Data Will Be Fine If It’s Stored Offline – Local backups on hard drives or removable media that are disconnected once the backup completes stay out of reach of ransomware, which encrypts everything it can reach over the network (including online backup shares). Keep the backup media in a safe, physically remote location.
- Secure Your Server Message Block (SMB) – Several ransomware families use SMB vulnerabilities to spread their payloads laterally through connected systems like a worm. CISA recommends removing or disabling outdated versions of SMB (SMBv1) and blocking SMB traffic at the network boundary so it cannot leave or enter the organization.
- Paying Ransoms Doesn’t Pay Off – The U.S. government recommends against paying any ransom to cyber-crime organizations or malicious cyber actors. Paying a ransom only funds cybercriminals, and there is no guarantee that you will recover your data if you do pay.
- Ransomware Rebuild and Recovery Recommendations – Identify the systems and accounts involved in the initial data breach and conduct an examination of existing detection or prevention systems. Once the environment is fully cleaned and rebuilt, issue password resets for all affected systems and address any associated vulnerabilities and gaps in security or visibility.
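An added example (ours, not CISA's) of the "regularly test your backups" habit from the list above, written around the scenario in the story, where the intruders encrypted the server backups: a hash manifest is written when the backup is taken and checked before anyone relies on the copy. The files, paths and key are constructed. The manifest and its HMAC tag must be stored somewhere the backup host cannot write to, because an intruder who can encrypt the backups can otherwise rewrite the manifest to match.

```python
"""Hash-manifest check for an offline backup set. Files, paths and the key are
constructed for illustration; nothing here touches real backup media."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed key. In practice keep it off the backup host (vault, HSM, sealed envelope).
MANIFEST_KEY = b"constructed-demo-key-rotate-me"

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte backups do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """POSIX-style relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form, so the manifest itself can be trusted
    when it is read back from media an attacker may have touched."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_backup(root, manifest, tag, key):
    """Compare the backup set on disk against a signed manifest.

    Returns a dict of lists: 'missing' (in manifest, gone from disk), 'modified'
    (present but hash differs, which is what an encryptor leaves behind) and
    'unexpected' (on disk but not in manifest, e.g. a ransom note). Raises if the
    manifest's HMAC does not verify: a manifest you cannot trust tells you nothing.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }

def demo():
    """Take a manifest, simulate an intruder encrypting the backups, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"db/patients.sql": b"-- constructed dump\n", "cfg/app.ini": b"[app]\nkey=1\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, MANIFEST_KEY)   # store manifest + tag off the media

        # Simulated ransomware: one file encrypted in place, one deleted, a note dropped.
        (root / "db/patients.sql").write_bytes(os.urandom(32))
        (root / "cfg/app.ini").unlink()
        (root / "README_DECRYPT.txt").write_bytes(b"constructed ransom note\n")

        return verify_backup(root, manifest, tag, MANIFEST_KEY)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run this against a real restore, not the live backup target: copy the set back to scratch storage and verify there, which also exercises the restore procedure itself. A backup that has never been restored is a hope, not a backup.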
Hot off the presses
[35:33] The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-seal ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.
To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaign in January to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware.
CISA encourages users and administrators to review the NCIJTF Ransomware Factsheet and CISA’s Ransomware webpage for additional resources to combat ransomware attacks.
CISA Ransomware Guide
[37:26] In September 2020 CISA published a really nice guide specifically addressing ransomware that we haven't even had time to discuss. It has two parts.
Part 1: Ransomware Prevention Best Practices
Part 2: Ransomware Response Checklist
Big fan of their motto or tagline:
