UK rail network Merseyrail has confirmed that it has been targeted by cyberattackers. The attackers used the company's own email system to notify employees and journalists of the incident; the ransomware is believed to be Lockbit, since an email dated 18 April was found with the subject “Lockbit ransomware attack and Data Theft”.
The situation is currently under investigation, but a few cybersecurity experts have offered their insights below:
Over the past year, we have witnessed a stark increase in insider threats, with some reports indicating a near 50% increase since 2018 (https://www.observeit.com/cost-of-insider-threats/). In many cases, successful ransomware attacks result from external threat actors gaining access to insider credentials. When privileged insiders are compromised, they can serve as a launching point for these attacks. Hackers today are making information public, further increasing pressure to respond and pay up.

To strengthen security posture and prevent such attacks, security teams must have complete visibility into their environments to quickly identify, respond and react to threats. Ransomware often has a long kill chain from the initial infection to when the actual payload is launched; this can be up to six months. Using behavioural analytics to identify and spot anomalous behaviour is a crucial way to ensure teams are catching these threats as early as possible, before an external threat actor can inflict harm. It is also imperative to ensure employees are well educated on the topic of security hygiene, to further prevent the potential for insider compromise and reduce the burden on security operations.
Ransomware attacks are among the fastest-growing cyber threats (one report projected that 2021 will see companies fall victim to an attack every 11 seconds). This is of particular concern for providers of crucial services such as Merseyrail, upon whom thousands of people rely for transportation into work.

While the scale of this cyberattack has not yet been widely disclosed, if frontline services were to be affected, an attack such as this could have serious economic ramifications for both Merseyrail and the wider region. It is also concerning that the ransomware gang were able to access Merseyrail’s email systems, and allegedly steal data, in what would seem to be an example of a worrying new trend of double extortion ransomware attacks.

The first and most important thing to do when you’ve been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc.) and remove external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack, with advice on how to identify and avoid the attack themselves. The safest recovery method is then to wipe the device and restore its system and files using your backup data.
Yet another critical infrastructure provider impacted by a ransomware attack. It’s not known at this point if rail industrial control systems have been infiltrated, but certain aspects of the IT infrastructure have been compromised.

The Department for Transport has published guidance for rail operators to implement cyber resilience and reference the international standard IEC 62443. In addition, critical infrastructure is subject to the UK transposition of the NIS regulation, which is best implemented by the adoption of the NCSC CAF 3.0. Either way, there are some pretty uncomfortable questions that will be asked. What measures did you undertake to ensure your risk assessment was adequate? And how do you validate that your defences are appropriate and proportionate? Both are fundamental requirements for due diligent governance.