It is reported that the Fourth District Court of Louisiana has been hit by ransomware; the hacking group Conti has claimed responsibility for the attack and published proof on the dark web. The court’s website remains offline. Below, cybersecurity experts provide insight into this ransomware attack.
This newest report of yet another ransomware attack on critical infrastructure in the US is neither surprising nor a reason to panic. The US criminal court is feeling some initial pain, but they will recover and in the future defend against these brazen attacks with a rapid detection and response process to detect the attack at its early stages and respond effectively before ransomware can impact the environment. Unfortunately, Cybereason has been seeing a wave of new cyber attacks against all levels of government. In fact, there have been more than 200 reported attacks on municipal and state governments over the course of the past 12 months.
Today, multi-stage ransomware attacks are rising significantly, with multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victim’s network to compromise as many endpoints as possible. This operational attack pattern attempts to impact as many victim assets as possible, representing a higher risk to organisations compared to ransomware attacks that impact the single machine they initially access.
Today, ransomware has become part of doing business. In most organisations discussions are taking place on whether to pay or not pay a ransom demand. The first question needing an answer is ‘How much does it make sense to pay to restore a lost service or business capability in a short amount of time versus paying the ransom to recover more quickly? And what will be cheaper?’ Operators need to consider the fact that even if you pay the ransom it could take some time to recover business function. In most cases, there is honor amongst thieves and they will provide you with the decryption keys if you pay the ransom. But it could take days or weeks to be operational again, as a system clean could be needed, you might need to restore systems and run tests to make sure the network is operational.
This ransomware attack confirms a trend we have seen emerge recently, which is ransomware doubling up as a data breach. Rather than simply encrypting files, attackers have realised that they can increase their profits and the havoc caused by exfiltrating data first. High profile targets such as courts and government are a ripe target for this type of attack, as the information their databases host is particularly sensitive and therefore valuable to be sold on the dark web. Assuming the US Court will decide not to pay the ransom to disincentivize future attacks, their security posture will need to be rebuilt from the ground up. With how interconnected everything is and thanks to cloud services, you would be surprised by how much can be recovered from other sources. Organisations should look into mandating that IT teams follow industry-standard best practices and maintain backups. Off-site backups are key here. Whether it is to an S3 bucket on AWS that does versioning, a file server in a colocation center, or recorded to tapes and stored in a closet in another building, any organisation should have to have versioned, off-site backups. These should go in one direction only or be designed with the least privilege in mind.
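One concrete form of the versioned, one-direction, least-privilege backup described above, written as an added example rather than code from the article or any expert quoted in it. It assumes an S3 bucket (placeholder name) and uses a small offline simulator of IAM evaluation (explicit Deny beats Allow, otherwise implicit deny) to show why the write-only policy survives stolen backup credentials while the broad one does not.

```python
"""Least-privilege, one-direction backup policy for a versioned S3 bucket.

Added example, not from the article. Bucket name is a placeholder and the
policy is evaluated with a simplified offline IAM simulator.
"""
import fnmatch

BUCKET = "example-court-backups"  # placeholder name, constructed for the example
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/*"

# Deliberately weak: the backup agent's credentials can delete everything,
# so ransomware that steals them can purge the backups before encrypting.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": [BUCKET_ARN, OBJECT_ARN]}],
}

# One direction only: the agent may write new objects and list the bucket.
# The explicit Deny means even a stolen credential cannot delete objects,
# delete old versions, or switch versioning off (bucket versioning itself
# is enabled out of band, e.g. with the console or CLI).
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, OBJECT_ARN]},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"],
         "Resource": [BUCKET_ARN, OBJECT_ARN]},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, else any Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def ransomware_can_purge_backups(policy):
    """True if credentials under this policy could delete backups or their versions."""
    obj = f"{BUCKET_ARN}/db/2021-05-01.dump"  # constructed sample object key
    return (any(is_allowed(policy, a, obj) for a in ("s3:DeleteObject", "s3:DeleteObjectVersion"))
            or is_allowed(policy, "s3:PutBucketVersioning", BUCKET_ARN))
```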
This situation highlights how every organization possesses valuable data that threat actors can hold for ransom and paralyze operations. As some organizations use a hybrid model of on-prem and cloud servers, they need to deploy modern security solutions that protect assets connecting to cloud services, such as smartphones and tablets. Threat actors know that mobile devices aren’t usually sacred in the same way as computers. Mobile phishing has become one of the primary ways threat actors get into the corporate infrastructure. An advanced hacking group like the one behind Conti would likely use social engineering to convince a target employee to download a document or file to their device. Phishing attempts are getting more difficult to spot, especially on mobile devices where we can’t spot many of the red flags we’re trained to see on computers. Traditional security tools that only protect devices within the traditional enterprise perimeter will not cover the full spectrum of risk.
Malware delivered through phishing is getting more difficult to protect against. Your employees’ smartphones and tablets enable productivity from anywhere. Without proper security, those mobile devices can represent a significant gap in your overall security posture. A message containing malware can be accessed just as easily from a mobile device as it can from a computer. Mobile devices also have access to the corporate infrastructure. You need to treat mobile devices with the same priority as traditional endpoints in your organization’s security posture.
Nearly all industries, even historic ones that relied heavily on printed documentation, have undergone a transformation and are heavily reliant on digital infrastructure. With more and more ransomware evolving to exfiltrate data in addition to deploying the ransomware, it becomes even more important for organisations to have robust security controls across layers that make it difficult for criminals to successfully infect systems. Recent trends show that phishing is one of the most popular avenues through which ransomware is deployed, so it’s important that technical controls are complemented with timely and relevant security awareness training so that staff are best placed to identify and report any suspected phishing attacks.