Ransomware’s ability to encrypt entire volumes of data is a nightmare scenario for many infosec pros. Their only comfort may be the hope their backups are secure and data can be restored, with few side effects.
However, Ontario’s top cybercrime cop warns recent variants also include the ability to exfiltrate data.
“That’s scary,” Det. Sgt. Vern Crowley, head of the Ontario Provincial Police’s cybercrime investigations team, told infosec pros at the annual security conference of the Ontario division of the Municipal Information Systems Association.
MISA members work in the IT departments of villages, towns and cities.
In the last four weeks, Crowley said his unit has responded to an outburst of cyber attacks, including ransomware.
The most recent victim was the city of Woodstock, Ont.
Not only is ransomware now stealing corporate data, Crowley said, but versions like Ryuk also arrive bundled with the Emotet and Trickbot credential-stealing malware.
For those who don’t realize, Ryuk in effect works backwards: It first tries to encrypt backups on the network, then servers, and finally endpoints. It also covers its tracks, wiping out shadow volumes and security event logs.
This makes it more important than ever, Crowley said, to keep logs as long as possible for forensic purposes.
Roughly 80 per cent of ransomware is delivered through email phishing attacks, he said. However, recently his team has also seen criminals access networks through brute force attacks on open remote desktop protocol ports. RDP shouldn’t be open to the internet, Crowley warned.
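The track-covering and intrusion signals Crowley describes (shadow copies wiped, the security event log cleared, password guessing against exposed RDP) are exactly what retained logs let a defender find after the fact. As an added illustration, not code from the article or the OPP, the script below runs simple detection logic over constructed Windows Security event records; the line format `EventID|Field=Value|...` is an assumption made for the example, while the event IDs (1102, 4688, 4625) and logon type 10 are real Windows values.

```python
"""Added example, not from the article: flag the forensic signals the article
describes in constructed Windows Security event records. Assumed line format:
'EventID|Field=Value|...'. IDs are real: 1102 (audit log cleared), 4688
(process created), 4625 (failed logon; LogonType 10 = RDP)."""
from collections import Counter

RDP_FAIL_THRESHOLD = 3  # failed RDP logons from one source before alerting
SHADOW_WIPE_MARKERS = ("vssadmin", "delete shadows", "wbadmin delete catalog")

SAMPLE_LOG = """\
4688|Account=jdoe|CommandLine=vssadmin.exe delete shadows /all /quiet
4688|Account=svc_backup|CommandLine=notepad.exe report.txt
1102|Account=jdoe
4625|Account=administrator|LogonType=10|IpAddress=203.0.113.7
4625|Account=admin|LogonType=10|IpAddress=203.0.113.7
4625|Account=backup|LogonType=10|IpAddress=203.0.113.7
4625|Account=jdoe|LogonType=2|IpAddress=192.0.2.10
"""

def parse(line):
    """Split one constructed record into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    rec = {"EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect(log_text):
    """Return (alert_kind, detail) tuples for the signals found in log_text."""
    alerts = []
    rdp_failures = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["EventID"] == 1102:  # security log cleared: track-covering
            alerts.append(("audit_log_cleared", rec.get("Account", "?")))
        elif rec["EventID"] == 4688:  # shadow copy / backup deletion
            cmd = rec.get("CommandLine", "").lower()
            if any(marker in cmd for marker in SHADOW_WIPE_MARKERS):
                alerts.append(("shadow_copy_deletion", cmd))
        elif rec["EventID"] == 4625 and rec.get("LogonType") == "10":
            rdp_failures[rec["IpAddress"]] += 1  # RDP password guessing
    for ip, count in rdp_failures.items():
        if count >= RDP_FAIL_THRESHOLD:
            alerts.append(("rdp_brute_force", f"{ip} ({count} failures)"))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Because a 1102 event is itself only written after the log is cleared, the alerts are only recoverable if events are forwarded to a collector the malware cannot reach, which is the practical reason behind Crowley's advice to retain logs.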
He insisted two-factor authentication to protect logins is “an absolute must … It will go a long way to protecting your systems.”
Having off-line backups that can’t be infected is another vital defense, he added.
Crowley also urged organizations to report all cyber incidents to local police – after all, it’s a crime – and not simply by saying ‘We’ve been hit by a virus.’ For investigative and data collection purposes police need to know what happened and what systems were affected. (For example, it may impact the ability to pay employees.)
Crowley doesn’t like when organizations pay ransoms, because it only rewards criminals. However, he admitted that if a firm doesn’t have a clean backup and free decryption keys aren’t available from security vendors it will have its back to the wall.
One problem, he said, is that there are still companies and municipalities that don’t believe they’ll be hit – they think ‘I’m too small.’
However, in an interview Crowley shied away from blaming management. The problem, he said, is hackers are creating sophisticated malware and phishing attacks that some people fall for.
“You could have the strongest IT; at the end of the day people are your weakest link.”