Posts

Shields Up: Preparing for Cyberattacks During Ukraine Crisis

/0 Comments/in , , /by

SonicWall provides real-time protection against HermeticWiper malware and Conti ransomware expected during escalating conflict in Ukraine.

With the recent escalation of events in Ukraine and the resulting sanctions imposed by various Western administrations, there is a dramatically heightened risk of cyberattacks on organizations in the United States, Europe and elsewhere.

State-sponsored threat actors and other cybercriminals will be actively targeting the U.S. and other businesses in an attempt to interfere with their operations, steal or destroy data, and damage infrastructure.

Your organization needs to have a heightened sense of awareness and security during this crisis.

In January 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Alert (AA22-011A): Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA also began urging U.S. organizations to prepare for data-wiping malware attacks (more below).

At that time, the “Ukraine Cyber Police say they are investigating the use of Log4j vulnerabilities and stolen credentials as another means of access to the networks and servers,” according to Bleeping Computer.

On Feb. 18, CISA shared that the New Zealand National Cyber Security Centre (NCSC-NZ) released a General Security Advisory (GSA) on preparing for cyber threats relating to tensions between Russia and Ukraine.

CISA: Time to ‘Shield Up’

It is critical that you take preemptive measures in anticipation of a surge in cyberattacks targeting your business or organization. CISA has published ‘Shield Up,” which is helpful guidance for organizations of all sizes and their leaders. Some of the steps detailed by CISA include:

  • Reduce the likelihood of a damaging cyber intrusion.
  • Take steps to detect a potential intrusion quickly.
  • Ensure your organization is prepared to respond if an intrusion occurs.
  • Maximize your organization’s resilience to a destructive cyber incident.

Other important steps can make a big difference in deterring and/or detecting attacks, such as setting robust inbound policies on your network perimeter (e.g., preemptively blocking connections or sign-ins originating from Russia or other risky nations) and otherwise taking a highly cautious approach to all inbound traffic, even if it means trading off some performance for security.

SonicWall strongly urges that your organization be in touch with your internal and external cybersecurity professionals and resources to ensure that you are as prepared as you can be for the inevitable increase in cyberattacks.

SonicWall also stresses the importance of layered defenses, like IPS, email security, two-factor authentication and real-time sandboxing, such as Capture ATP with RTDMI. With a defense-in-depth strategy in place, your organization will be better prepared to detect the impact of a zero-day attack or other targeted threats.

SonicWall Protections Against Notable Cyberattacks

Zero-day attacks are becoming a common threat. While they may exploit previously unknown weaknesses, defenders have the advantage of being able to detect anomalous activity in real time, and contain and recover before destructive zero-days disrupt your business or organizations.

SonicWall actively protects organizations from cyberattack types known or feared to be used during the Ukraine-Russia conflict.

HeremticWiper Malware

SonicWall helps organizations proactively defend against emerging threats like HermeticWiper. For instance, SonicWall Capture ATP, with RTDMI, detected HeremticWiper as documented in our SonicAlert, “HermeticWiper Data-Wiping Malware Targeting Ukrainian Organizations.”

HeremticWiper Malware Signature Protection

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Conti Ransomware

The Conti ransomware gang publicly announced that they would attack any organization that launched a cyberattack against Russian infrastructure. As such, it’s important organizations have protection against Conti ransomware. Both SonicWall Capture ATP with RTDMI and active SonicWall firewall with current signatures are protected from Conti ransomware.

Conti Ransomware Signature Protection

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Conti.RSM_5 (Trojan)
  • GAV: Conti.RSM_6 (Trojan)

PartyTicket Ransomware

Believed to be deployed in conjunction with the aforementioned data-wiping HeremticWiper malware, SonicWall Capture Labs analyzed the PartyTicket ransomware in the SonicAlert, “A Look at PartyTicket Ransomware Targeting Ukrainian Systems.” The ransomware arrives as an executable Windows file, but overall appears to be unsophisticated ransomware created quickly to take advantage of the current climate.

SonicWall customers are protected from the PartyTicket ransomware variant via the below signature, as well as by real-time Capture ATP with RTDMI and Capture Client endpoint protection.

PartyTicket Ransomware Signature Protection

  • GAV: PartyTicket.RSM (Trojan)

For additional information, please visit sonicwall.com/support or the SonicWall Capture Labs Portal. You may also join discussions on the SonicWall Community.

Ransomware Negotiation: How Hackers Target SMBs

/0 Comments/in , /by

It was a Tuesday afternoon. Liz, a local attorney with 26 years of experience, had given up.

She was easily over 20 hours in to trying to free her computer, with all of her files, from a ransomware attack. She just spent a few thousand dollars on a local IT team to break the encryption and remove the malware. They ultimately couldn’t succeed, but charged $2,000 for their time anyway.

Law enforcement and a local FBI contact both shrugged their shoulders. They only offered sympathy instead of a commitment to investigate. With all of her client files locked, she did what roughly 5 percent of small businesses did this year: contact the hacker via the email address in the ransom note.

Shortly later, a message came through: “Hi, the price to decrypt your files is 1.5 bitcoin.”

With icy fingers, she proceeded to converse with the hacker, via a Russian-based email address, who was going by the name Alkash; possibly an Armenian slang term for “alcoholic.” She began to negotiate with him by acting as an elderly person with little money. She told him she had about $350. His reply was simply, “No.”

She didn’t give up. She replied, “I am supporting my kids and I have to use my computer to earn money. Why are you doing this? Don’t you have family?”

He didn’t bite. He replied, “You live in a rich country. I give you 3 days after which I delete the keys to your files.”

She didn’t flinch. She came back and told him to look at the news on how the government treats the poor and how rich people keep their money to themselves. She said her healthcare was being taken away and she was very sick.

“You own a server with open access,” he said. “Why would a poor sick woman own a server?”

This reveals how she was infected. A lot of us think we are too small to be a target, but in the end, all of us our IP and email addresses that will eventually be found. She had little in the way of security, only endpoint antivirus; an easy target.

She convinced the hacker that she could borrow money from a relative to make it $500. The attacker agreed and instructed her to send a few files that he would unlock as a guarantee he will unlock them all when she pays.

Two days after the initial exchange, Liz was able to buy the right amount of bitcoin from a problematic dealer in South America. She finally unlocked her files.

It was done. Her files were back. She sobbed.

It took around 50 hours to get to this point. Fifty hours of living in fear her client files were gone forever. Fifty hours of lost productivity. Fifty hours of being at the mercy of a thief.

Liz was able to return to work and eventually took time off to recuperate from the attack. Later, while on vacation, she received a call from someone who shared an office with her.

“Are you remotely accessing your computer from your vacation spot?” they said.

The answer was solid: “No!”

Someone, possibly Alkash, was accessing her computer and eventually stole her personal credit card information saved in her browser. She returned from her trip and went right back to work to remediate another breach of her system.

A call to the IT team, a security vendor and the FBI gave her another 20-hour headache, a stack of bills and quotes. Between both attacks, Liz estimated she lost around $50,000 in consultant fees and lost productivity alone.

Feeling like she was getting the run around, Liz called someone she knew at SonicWall. The team went to work to segment her office network and set her up with a firewall. It included the Advanced Gateway Security Suite, which comes with the SonicWall Capture Advanced Threat Protection cloud sandbox service,  to stop known and unknown malware attacks, as well as intrusion attacks, against her server.

So, how are things today?

“Great!” says Liz.

She doesn’t have to worry about follow-on attacks, ransomware attempts and deflating calls to the FBI.

Studies have shown that when a small business is hit with a critical cyber-attack, one in six have to stop business for more than 25 hours. Liz knows the truth to that.

Moreover, roughly 60 percent of small companies that experience a crippling cyber attack are run out of business. A fear that Liz mulled over for 50 hours in June 2017.

To better arm yourself against these forms of cyber attacks, please read our eBook, “How ransomware can hold your business hostage.”