Holiday Inn Ransomware Attack

One thing is for sure: you don’t want to be a victim of ransomware. Almost daily there is another breach in which ransomware was deployed as part of the hack. The Holiday Inn (IHG) hack is another example of not being prepared for a ransomware attack. Apparently the attackers got in using a weak, already-compromised password, “Qwerty1234”, which is listed on the Have I Been Pwned website.
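The check implied above, that a password already appears in a public breach corpus, can be automated without ever sending the password itself. The following is an added example and not code from the original post or from TrustedCISO. It implements the k-anonymity scheme that the Have I Been Pwned Pwned Passwords API uses: only the first five hex characters of the SHA-1 hash leave the machine (the `https://api.pwnedpasswords.com/range/<prefix>` endpoint is the real one), and the returned bucket of `SUFFIX:COUNT` lines is matched locally. No network call is made here; the bucket is a constructed sample built so that it contains the suffix for the password named in the article.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the format HIBP uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str):
    """Return (prefix, suffix): the 5 chars that are sent and the 35 that stay local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The only thing a client would send to the API: the hash prefix, never the password."""
    prefix, _ = split_for_k_anonymity(password)
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank and padding lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches (0 = not in this bucket)."""
    _, suffix = split_for_k_anonymity(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample bucket (assumption: this is what a range response looks like).
# The middle line is built at runtime so the sample contains the article's password;
# the count 12345 is made up, not a real HIBP figure.
_, _KNOWN_BAD_SUFFIX = split_for_k_anonymity("Qwerty1234")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_KNOWN_BAD_SUFFIX}:12345",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # a zero-count padding entry
])

if __name__ == "__main__":
    for candidate in ("Qwerty1234", "a-long-unrelated-passphrase-xyz"):
        hits = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {hits} times, reject" if hits else "not in sample bucket"
        print(f"{candidate!r}: request {range_url(candidate)} -> {verdict}")
```

In a real deployment the `range_url()` result is fetched over HTTPS and its body passed to `breach_count()`; a non-zero count should block the password at set time, which is the cheapest way to keep a value like “Qwerty1234” out of an identity provider.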

Ransomware Damages

Ransomware attacks are not slowing down because it is a profitable business. According to Cybersecurity Ventures, ransomware damages were $20 billion in 2021 and are projected to be $42 billion by 2024. Typically, attackers gain access to corporate networks via weak open ports or phishing emails. In 2020, hackers attacked unsecured RDP exposed to the internet more often than they used phishing emails.

Ransomware Extortion

Ransomware attackers changed tactics in 2020 by adding extortion. Once attackers gain access to a network or cloud environment, they move laterally looking for high-value data: Personally Identifiable Information (PII), sensitive company data, essentially any data the attacker can threaten to sell on the dark web if the ransom is not paid. Ransomware gangs changed tactics because companies were improving their information security programs and ensuring they had good offline backups.

Data exfiltration

Once a hacker breaches a network and locates the sensitive company data, they will exfiltrate it offsite to one of their own servers. After they have downloaded the company’s sensitive data, the attackers will launch the ransomware attack. 

Ransomware Protections

In order to protect against a ransomware attack, the following must be done:

  • Use MFA and strong passwords or pass phrases
  • Scheduled offline backups with copies stored offsite or in a segmented network enclave
  • Use Mobile Device Management (MDM) on all desktops and servers
    • CrowdStrike
    • SentinelOne
    • Windows Defender
  • Ensure the external perimeter does not have weak ports open such as RDP or SMB
  • Perimeter critical and high patches must be applied within 30 days
  • Block ports 137-139, 445 and 3389 from external networks
  • Don’t use SMB 1.0; use SMB 3.0 (SMB 1.0 is what WannaCry exploited)
  • Even if SMB 3.0 is in use, hackers can still use SMB 1.0 unless it has been disabled
  • Don’t use FTP or Telnet; use TLS v1.2 or above and SSHv2 for remote access.
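The perimeter items in that list (blocked ports, no clear-text services, SMB 1.0 disabled even where SMB 3.0 is on, critical/high patches inside 30 days) are mechanical enough to audit from exported configuration. The script below is an added example, not code from the original post or from TrustedCISO. It runs the checks over a constructed firewall-rule export, a constructed per-host SMB dialect table and constructed patch records; the record layouts, host names and dates are assumptions made for the example, not any real product's export format. A source is treated as external unless it parses as a private network.

```python
from datetime import date
import ipaddress

# Ports the post says must be blocked from external networks (NetBIOS, SMB, RDP).
BLOCK_FROM_EXTERNAL = {137, 138, 139, 445, 3389}
# Clear-text services the post says not to use at all.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet"}
MAX_PATCH_AGE_DAYS = 30

# Constructed firewall export: (rule name, direction, protocol, port, source).
PERIMETER_RULES = [
    ("allow-https",        "inbound",  "tcp", 443,  "any"),
    ("allow-rdp-admin",    "inbound",  "tcp", 3389, "any"),
    ("allow-smb-branch",   "inbound",  "tcp", 445,  "any"),
    ("allow-ftp-legacy",   "inbound",  "tcp", 21,   "any"),
    ("allow-ssh-vpn",      "inbound",  "tcp", 22,   "10.0.0.0/8"),
    ("allow-smb-internal", "inbound",  "tcp", 445,  "192.168.0.0/16"),
    ("allow-telnet-out",   "outbound", "tcp", 23,   "any"),
]

# Constructed SMB server settings per host (which dialects are enabled).
SMB_CONFIG = {
    "fileserver01": {"smb1": True,  "smb2_3": True},   # SMB 3 on, SMB 1 never disabled
    "fileserver02": {"smb1": False, "smb2_3": True},
    "legacy-nas":   {"smb1": True,  "smb2_3": False},
}

# Constructed patch records for perimeter devices: (host, severity, released, applied).
AUDIT_DATE = date(2022, 10, 1)
PATCHES = [
    ("edge-fw01", "critical", date(2022, 8, 15), False),
    ("edge-fw01", "high",     date(2022, 9, 20), False),
    ("vpn01",     "critical", date(2022, 7, 1),  True),
    ("vpn01",     "medium",   date(2022, 6, 1),  False),
]


def is_external_source(source: str) -> bool:
    """'any' or a non-private network counts as reachable from the internet."""
    if source.lower() in ("any", "*"):
        return True
    try:
        return not ipaddress.ip_network(source, strict=False).is_private
    except ValueError:
        return True  # unparseable source: assume the worst


def check_perimeter_rules(rules) -> list:
    findings = []
    for name, direction, proto, port, source in rules:
        if direction != "inbound" or not is_external_source(source):
            continue
        if port in BLOCK_FROM_EXTERNAL:
            findings.append(f"{name}: {proto}/{port} open from {source}; must be blocked externally")
        elif port in CLEARTEXT_SERVICES:
            findings.append(f"{name}: {CLEARTEXT_SERVICES[port]} ({proto}/{port}) exposed; "
                            "replace with SSHv2 / TLS 1.2+")
    return findings


def check_smb_dialects(smb_config) -> list:
    findings = []
    for host, cfg in smb_config.items():
        if cfg["smb1"]:
            note = " (SMB 3.0 is enabled but SMB 1.0 was never disabled)" if cfg["smb2_3"] else ""
            findings.append(f"{host}: SMB 1.0 enabled{note}")
    return findings


def check_patch_age(patches, today: date) -> list:
    findings = []
    for host, severity, released, applied in patches:
        if applied or severity.lower() not in ("critical", "high"):
            continue
        age = (today - released).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"{host}: {severity} patch released {released} still missing after {age} days")
    return findings


def run_audit(rules, smb_config, patches, today: date) -> list:
    return (check_perimeter_rules(rules)
            + check_smb_dialects(smb_config)
            + check_patch_age(patches, today))


if __name__ == "__main__":
    for finding in run_audit(PERIMETER_RULES, SMB_CONFIG, PATCHES, AUDIT_DATE):
        print("FAIL:", finding)
```

Each check is deliberately a pure function over plain records, so the same logic can be fed from whatever a real firewall, `Get-SmbServerConfiguration` output or patch-management export produces once it has been flattened into these tuples.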

To learn more about how TrustedCISO can advise your company: Welcome to TrustedCISO.