Malware

Malware attacks: what you should know about them

Digitization has reached every area of our lives: we use smartphones and smart devices privately every day, and business laptops and workstations at the office. Electronic payment in supermarkets and public rail transport are digitized as well; in short, our entire public life has been digitized. This penetration of all our living environments makes everyday life more comfortable. At the same time, it makes us vulnerable to cyber-attacks.

It must therefore be our goal from the outset to protect our technical infrastructure as well as possible against malware and other criminal activity.

Cybercrime in Germany

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is responsible for IT security at the federal level. In its recently published report on the state of IT security in Germany 2020, the BSI states that cybercrime is directed against private individuals as well as companies, organizations and institutions. Such attacks are often aimed at harvesting personal data and deriving financial benefit from the information gained.

User responsibility: the human factor as the greatest risk to your IT security

Maintaining your hardware and software is up to you, so you as the user must scrutinize your own actions. Alongside missed software updates, interaction with malicious e-mails or websites is still THE security gap in your IT system. To successfully install a malicious program on a device, the (active) help of the user is often required, for example by carelessly clicking a link or e-mail attachment that initiates the installation. In the worst case, all of this happens without you as the user noticing anything.

Two terms that we often encounter in cyber-attacks are phishing and social engineering. So-called phishing e-mails are fraudulent e-mails designed to induce the recipient to act against their own interests. To achieve this, attackers use social engineering techniques, meaning psychological tricks such as exploiting fear, pressure or urgency, so that the victim either hands over passwords and access data directly or installs malware by clicking.

Unfortunately, such e-mails are getting better and better, and even trained users can no longer necessarily recognize them at first glance. The long-lost rich relative from the most absurd corners of the world has been replaced by deceptively realistic e-mails, for example ones imitating PayPal, that try to "fish" users' passwords and credit card data.

Even bad grammar and incorrect vocabulary are rarely found in modern, well-crafted malware spam. Particularly perfidious: according to the BSI, an https link is no longer any guarantee of safety; in around 60% of the malware spam registered in 2019/20, https links were already in use. A TLS certificate only confirms that the connection to the site named in the certificate is encrypted; it says nothing about who operates that site or whether its content is safe, and such certificates can be obtained free of charge on the Internet. What matters is therefore the domain the link actually points to, not the padlock.
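A practical consequence of the above is that a link has to be judged by the domain it points to, not by its padlock. The following Python script is an added example, not code from the original article or the BSI. It parses the links in a constructed, lookalike PayPal e-mail and flags every link whose host is not the brand's real domain (whatever the scheme), as well as links whose visible text names a different host than the href actually points to. The sample e-mail, the lookalike domains and the legitimate-domain list are assumptions made for this example.

```python
"""Triage of links in a suspected phishing e-mail body (added example).

The e-mail body below is constructed for this example. A link is flagged when
the host in its href is not one of the domains the brand legitimately uses,
regardless of whether the scheme is https, and when the visible link text
names a different host than the href actually points to.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a lookalike PayPal mail; the lookalike domains are invented.
SAMPLE_HTML = """
<p>Your account has been limited. Please confirm your details within 24 hours.</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
<a href="http://paypa1.example/secure">Secure login</a>
"""

# Domains the brand really uses (assumption for the example).
LEGIT_DOMAINS = {"paypal.com"}


def _host(url):
    """Return the lowercase host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable-domain guess: the last two labels (fine for .com, not for co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(html, legit_domains=LEGIT_DOMAINS):
    """Return a list of (href, reasons) for every link that looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = _host(href)
        if _registrable(host) not in legit_domains:
            # The padlock only says the connection to *this* host is encrypted;
            # it says nothing about whether the host belongs to the brand.
            reasons.append("host %r is not a legitimate brand domain (scheme: %s)"
                           % (host, urlsplit(href).scheme))
        shown = _host(text) if "://" in text else ""
        if shown and shown != host:
            reasons.append("visible text shows %r but the link goes to %r" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed mail, the genuine www.paypal.com link passes, the https lookalike is flagged twice (wrong domain and mismatched link text), and the http lookalike once. The registrable-domain guess is deliberately simple; a real mail filter would use the public suffix list instead.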

You should know this kind of malware

According to the BSI, in the last reporting period (June 2019 to May 2020) an average of around 322,000 new malware variants were created every day. Malicious programs are all programs that are harmful in themselves or that enable other programs to cause damage. Many of these variants arise from the further development of existing malware. A new variant is particularly dangerous at the beginning, as anti-virus programs may not yet recognize it as a threat.

Ransomware

Ransomware is malware that blocks access to local data or a network, usually by encrypting it. The aim is usually to extort a ransom for unlocking the data. Another extortion method is the threat to gradually publish sensitive data on the Internet if no payment is made.

Ransomware is usually distributed via links or attachments in e-mails. To get the user to act, the distributors rely on advanced social engineering methods and in particular exploit the pressures of the working day.

Ransomware operators also deliberately exploit weaknesses in remote maintenance and VPN access to penetrate deeper into a company network. According to the BSI, the targets in the last reporting period were in particular the networks of financially strong and medium-sized companies, including, for example, specialist suppliers to the automotive industry, the financial and health sectors, and the aviation industry.

The damage from such attacks, both financial and reputational, is enormous. Only very few companies are sufficiently protected against ransomware attacks. It is worth developing and testing preventive plans for possible ransomware attack scenarios now.

Emotet: a multi-stage malware of a new quality

Emotet is a good, and at the same time extremely harmful, example of the further development of existing malware. According to the BSI, it has been reappearing more frequently since September 2019 and accounts for the majority of malware attacks. The malware combines various attack strategies and in its current form can read e-mail contents and use the information gained to generate further spam e-mails.

This is particularly dangerous and not necessarily easy to detect even for sensitized users, since the spam e-mails generated this way come from real, known accounts. Emotet uses advanced social engineering methods for the initial and every subsequent infection via e-mail. Once installed, it uses the harvested account data to infect further mail accounts, so the infection spreads in a snowball fashion. This spying on the mail account, also known as Outlook harvesting, allows the program to send deceptively realistic-looking replies from the victim's account into existing conversations, usually fully automated. A message that arrives as a reply in a genuine thread from a known sender therefore deserves the same scrutiny as one from a stranger, in particular when it carries an attachment or link the conversation did not call for.

In addition to expanding the infection network, Emotet compromises the system further by downloading additional malware. Over the past year, the BSI has mainly reported on Trickbot, software that can spy on and sabotage the system. Trickbot can penetrate the organization's Active Directory and read out user data and administrative rights from the domain controller. It also allows attackers to actively access the system, to grant themselves new administrative rights, or to create backdoors through which information can be forwarded to the attackers undetected over a longer period.
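The step at which the intruders grant themselves new administrative rights leaves a trace in the Windows Security log: event 4720 when an account is created and events 4728, 4732 or 4756 when a member is added to a global, local or universal security group. The following Python script is an added example, not code from the original article or the BSI. It runs a simple detection over a few constructed event records (the account and group names, timestamps and actors are invented for the example) and raises a high-severity finding when a freshly created account is added to an administrative group within a short window, the pattern of a hand-operated intrusion rather than routine administration.

```python
"""Detect new privileged group membership in Windows Security events (added example).

The records below are constructed for this example and carry the fields that
matter from Security log events 4720 (user account created), 4728 (member added
to a security-enabled global group), 4732 (local group) and 4756 (universal
group). A brand-new account that lands in an administrative group minutes after
its creation is the pattern to alert on.
"""
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global, local, universal group member added
ACCOUNT_CREATED = 4720

# Constructed sample events (not real log data); account and group names are invented.
EVENTS = [
    {"time": "2020-10-29T02:14:05", "id": 4720, "actor": "CORP\\jsmith",
     "target": "CORP\\support2", "group": None},
    {"time": "2020-10-29T02:14:21", "id": 4728, "actor": "CORP\\jsmith",
     "target": "CORP\\support2", "group": "Domain Admins"},
    {"time": "2020-10-29T09:30:00", "id": 4728, "actor": "CORP\\it-admin",
     "target": "CORP\\mmueller", "group": "Domain Admins"},
    {"time": "2020-10-29T10:00:00", "id": 4732, "actor": "CORP\\it-admin",
     "target": "CORP\\helpdesk", "group": "Remote Desktop Users"},
    {"time": "2020-10-29T11:45:10", "id": 4732, "actor": "CORP\\svc-deploy",
     "target": "CORP\\build01$", "group": "Administrators"},
]


def detect_admin_escalation(events, window=timedelta(minutes=30)):
    """Return one finding per addition to an administrative group.

    Severity is 'high' when the added member was created (event 4720) no more
    than `window` before being added, which is how a manual intruder typically
    provisions a persistent admin account, and 'medium' otherwise, so that every
    change to an admin group is still reviewed.
    """
    created = {}     # account -> creation time, filled from 4720 events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = when
            continue
        if ev["id"] in GROUP_ADD_EVENTS and ev["group"] in ADMIN_GROUPS:
            age = when - created[ev["target"]] if ev["target"] in created else None
            findings.append({
                "severity": "high" if age is not None and age <= window else "medium",
                "time": ev["time"],
                "actor": ev["actor"],
                "member": ev["target"],
                "group": ev["group"],
                "member_age": age,
            })
    return findings


if __name__ == "__main__":
    for f in detect_admin_escalation(EVENTS):
        print("%-6s %s %s added %s to %r (account age: %s)"
              % (f["severity"], f["time"], f["actor"], f["member"], f["group"], f["member_age"]))
```

On the constructed data the script produces three findings: the support2 account, created and promoted to Domain Admins sixteen seconds later by the same (presumably compromised) user, is rated high; the two additions by IT staff are rated medium for review; the Remote Desktop Users change is ignored. In practice the events come from the domain controllers' Security logs or the SIEM, and the admin-group list should include every group that grants administrative rights in your domain.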

In the final step, the attackers use the information obtained to manually deploy ransomware (usually Ryuk) across the network. From here on, the same methods are used as in a classic ransomware attack.

Prevent malware infections

A first important step toward preventing such attacks is targeted employee training on phishing and social engineering, which ensures these issues get enough awareness in your company. At the same time, improved backup structures with more frequent and so-called offline backups (i.e. backups that cannot be deleted or altered from the network) are part of a preventive plan against cyber-attacks, especially ransomware. These ensure that you are quickly operational again in the worst case. A backup only counts if a restore from it has actually been tested.

In addition, reducing externally accessible systems to a minimum and appropriately segmenting the internal network provide a further layer of security. To prevent a deeper infection of your systems, you should also consider stricter password requirements together with multi-factor authentication (MFA), especially for administrators and for anyone with remote access rights, and you should reduce the number of such accounts where possible. Regular and prompt updates of all operating systems, server and application software also raise the baseline security of your systems.

Ransomware attack on US hospitals

Since Thursday night, the FBI has been warning of increased cyber-attacks on various American hospitals. The malware used, Ryuk, encrypts the data of the infected systems and thus hampers the hospitals' further operation. The attack on critical infrastructure such as this is combined with ransom demands for the quickest possible release of the sensitive data. The exact number of affected hospitals is not known, only that hospitals in the states of New York, Oregon and Minnesota are involved.

The data encryption has caused significant delays in clinical processes, as the affected clinics have had to divert some patients, extending waiting times for necessary treatment. Clinics in Germany also fall victim to such cyber-attacks from time to time, which, beyond the financial loss to the organization, can be life-threatening for patients.

A major ransomware attack hit central systems of the DRK-Trägergesellschaft Süd-West in the summer of 2019. Affected were the affiliated hospitals in Rheinland-Pfalz and Saarland, whose provision of care was delayed. According to media reports, this incident fortunately had no further consequences for patients. No ransom was paid, and the incident lasted from 13 to 26 July. Sodinokibi was identified as the malware used, and a Mobile Incident Response Team (MIRT) was deployed to determine the cause of the attack and restore the systems to a working state.

The BSI (Bundesamt für Sicherheit in der Informationstechnik) recommends establishing a functioning and rehearsed emergency management for such ransomware attacks. Crucial to the success of the response was, on the one hand, that crisis handling in the hospital worked and patient care was ensured through paper-based (analogue) data capture. For IT, what matters is to narrow down the problem, find the cause and select the necessary measures.

To prevent such attacks from the outset, it is also advisable to sufficiently sensitize employees to phishing and social engineering and to improve and tighten rules on password security for remote access. Multi-factor authentication for administrative actions is recommended.

#Ransomware #MFA #Cybersecurity #Ryuk #Phishing #SocialEngineering