Swiss info security body warns of ransomware attacks against businesses
Over the recent weeks, MELANI/GovCERT dealt with more than a dozen ransomware cases.
Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) today issued a warning regarding a high number of ransomware attacks against Swiss businesses over the past weeks.
In recent weeks, MELANI / GovCERT has dealt with more than a dozen ransomware cases in which unknown perpetrators encrypted the systems of Swiss SMEs and large companies and rendered them unusable. The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions.
A technical analysis of the incidents revealed that the IT security of the companies affected was often incomplete and the usual best practices (Information security checklist for SMEs) were not fully observed. Furthermore, warnings from the authorities were not heeded.
During the analysis of the incidents in recent weeks, certain weaknesses were identified as the gateway for cyberattacks, such as ignoring the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers). In some cases, remote connections to systems, so-called Remote Desktop Protocols (RDP), were protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
If systems have been encrypted by ransomware, MELANI advises against making a ransom payment. As a general rule, MELANI does not recommend paying because the money will support the hacker’s infrastructure. It should also be noted that even if a ransom is paid, there is no guarantee that the blackmailer will decrypt the data.
If a ransom payment is nevertheless being considered, it should be noted that although systems and data might be decrypted, the underlying infection from malware such as “Emotet” or “TrickBot” will remain active. As a result, the attackers still have full access to the affected company’s network and can, for example, reinstall ransomware or steal sensitive data from it.
MELANI is aware of cases in Switzerland and abroad where the same companies have been victims of ransomware several times within a very short period of time.
Let’s note that, about a week ago, the UK National Cyber Security Center issued an advisory regarding Trickbot. Trickbot is an established banking trojan used in cyber attacks against businesses and individuals. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII). In some cases, Trickbot is used to infiltrate a network. Once inside it can be used to deploy other malware, including ransomware and post-exploitation toolkits.