Ransomware is undergoing something of a revival. In 2018, detections of this type of malware fell, while other cyberthreats such as cryptojacking experienced major growth. However, in the first quarter of 2019, ransomware attacks against companies increased 195%.
The most extreme proof of this resurgence was a series of targeted ransomware attacks against local governments in the USA. Baltimore, Lake City, Cartersville, Lynn… This new trend of targeted ransomware also hit the business world: an attack on Norsk Hydro affected 22,000 endpoints in 40 countries.
A massive campaign in Texas
On the morning of August 16, a total of 22 local governments in Texas became victims of a coordinated ransomware attack. Although the Texan authorities didn’t reveal what ransomware the attackers used, they did announce that the 22 attacks came from the same source. The attackers demanded a $2.5 million ransom.
A spokesperson from the Texas State Department of Information Resources (DIR) said that, “The evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”
The team that responded to the attack includes the DIR, Texas A&M University System’s Security Operations Center, the Texas Department of Public Safety, and emergency and military responders. By August 23, all the affected entities had transitioned from response and assessment to remediation and recovery.
Now, the DIR is scheduling follow-up meetings with the affected governments to ensure efforts to rebuild these systems. The DIR explains that, to their knowledge, none of the affected entities has paid the ransom.
How did they manage to attack so many entities?
To carry out an attack of this scope against so many governmental entities, the attackers needed an advanced technique: island hopping. Island hopping involves cybercriminals infiltrating the networks of smaller companies—marketing or HR companies, for example—that are normally providers for the final target. They then use this access to gain entry to larger organizations.
In the case of Texas, island hopping was possible because many of the affected municipalities share the same software and IT system provider. Gary Heinrich, mayor of one of the affected municipalities, explained that the attackers got in through this route, then used this access to attack the governments.
In general, smaller companies tend to have more vulnerable systems, which greatly facilitates the use of island hopping. Once on the system, the attackers use the trust that exists between companies to reach their real target.
While this technique is not new, it is becoming more and more common. According to some sources, 50% of cyberattacks carried out these days use island hopping. And it’s not just malware that cybercriminals use in this kind of attack. One very popular entry vector is IoT (Internet of things) devices, since they usually have less robust security measures.
The future of ransomware attacks?
Some cybersecurity researchers believe that coordinated attacks like we’ve seen in Texas could be the future of ransomware attacks. This is the first attack of this kind, where the incidents were coordinated, rather than the entities being attacked one by one. Attackers usually carry out massive scans of networks, looking for open RDP connections on vulnerable servers in order to carry out attacks randomly.
Nevertheless, in this case, it is clear that the attackers had one specific target in mind, and attacked it very deliberately.
Protect your company against island hopping
Three weeks after the incident, the DIR reported that over half of the affected organizations were back to normal operations. However, this means that there are still many entities that are unable to carry out their daily operations normally. To help prevent another incident, the DIR published a series of recommendations:
- Only allow authentication to remote access software from inside the provider’s network.
- Use two-factor authentication on remote administration tools.
- Block inbound network traffic from Tor Exit Nodes.
- Block outbound network traffic to Pastebin.
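The four DIR recommendations above translate directly into checks a network team can run against its own flow logs. The following script is an added example for this post, not code from the DIR or from Panda Security; the provider address range, the Tor exit node addresses (taken from the RFC 5737 documentation ranges), the remote administration ports and the sample flows are all constructed assumptions, so replace them with your own provider network and a current Tor exit node list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not taken from
# the DIR advisory): the provider's own address range, two Tor exit node
# addresses drawn from the RFC 5737 documentation ranges, and the hosts
# to which outbound traffic should be blocked.
PROVIDER_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.21"}
BLOCKED_OUTBOUND_HOSTS = {"pastebin.com"}
# Ports used by common remote administration tools: RDP and WinRM (HTTP/HTTPS).
REMOTE_ADMIN_PORTS = {3389, 5985, 5986}


@dataclass
class Flow:
    direction: str      # "in" (towards the managed network) or "out"
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_host: str = ""  # resolved destination hostname for outbound flows, if known


def in_provider_network(ip: str) -> bool:
    """True if the address belongs to one of the provider's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_NETWORKS)


def evaluate(flow: Flow) -> list:
    """Return the DIR recommendations this flow violates (empty list = allowed)."""
    findings = []
    if flow.direction == "in":
        if flow.src_ip in TOR_EXIT_NODES:
            findings.append("inbound from Tor exit node")
        if flow.dst_port in REMOTE_ADMIN_PORTS and not in_provider_network(flow.src_ip):
            findings.append("remote admin access from outside provider network")
    elif flow.direction == "out":
        if flow.dst_host.lower() in BLOCKED_OUTBOUND_HOSTS:
            findings.append("outbound to Pastebin")
    return findings


# Constructed sample flows: one legitimate administrative session from inside
# the provider's network, then one flow per case the policy should catch.
SAMPLE_FLOWS = [
    Flow("in", "10.50.3.12", "192.168.1.10", 3389),                    # provider admin over RDP: allowed
    Flow("in", "192.0.2.44", "192.168.1.10", 3389),                    # RDP from an address outside the provider
    Flow("in", "198.51.100.7", "192.168.1.20", 443),                   # any inbound traffic from a Tor exit node
    Flow("out", "192.168.1.30", "203.0.113.80", 443, "pastebin.com"),  # destination named in the DIR list
]


def audit(flows):
    """Map each offending flow's index to its findings; clean flows are omitted."""
    report = {}
    for i, flow in enumerate(flows):
        findings = evaluate(flow)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_FLOWS).items():
        print(f"flow {idx}: {', '.join(findings)}")
```

The first recommendation is modelled as "remote administration ports are reachable only from the provider's own ranges"; if your provider authenticates through a VPN or jump host instead, swap `REMOTE_ADMIN_PORTS` and `PROVIDER_NETWORKS` for that boundary. The Tor exit node set changes constantly, so it should be refreshed from a published list rather than hard-coded as it is here.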
The final measure the DIR suggests is to use Endpoint Detection and Response (EDR) to detect PowerShell running unusual processes. Panda Adaptive Defense combines EPP and EDR technologies with a service that classifies 100% of running processes. This means that it is able to detect any process or anomalous behavior and stop it before it can cause any problems for your company.
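To make the EDR recommendation concrete, here is an added example (written for this post, not Panda's or the DIR's code) of the simplest form of that detection: comparing the child processes PowerShell launches against a baseline of what it normally launches in your environment. The allowlist and the Sysmon-like process-creation events are constructed assumptions; a real deployment would build the allowlist from weeks of telemetry and feed live events in.

```python
from collections import defaultdict

# Image names that count as PowerShell when they appear as the parent process.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed allowlist of child processes PowerShell is expected to launch
# in this hypothetical environment (assumption; derive yours from a baseline
# of normal telemetry rather than copying this set).
EXPECTED_CHILDREN = {"conhost.exe", "ipconfig.exe", "whoami.exe"}

# Constructed process-creation events in a Sysmon-like shape (parent image,
# child image, host). They are not telemetry from the Texas incident.
EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\vssadmin.exe"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws03", "parent": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unusual_children(events, expected=EXPECTED_CHILDREN):
    """Return (host, child) pairs where PowerShell launched a process outside the allowlist."""
    alerts = []
    for ev in events:
        if basename(ev["parent"]) in POWERSHELL_IMAGES:
            child = basename(ev["image"])
            if child not in expected:
                alerts.append((ev["host"], child))
    return alerts


def alerts_by_host(events, expected=EXPECTED_CHILDREN):
    """Group the unusual children per host so responders see which endpoints to triage first."""
    grouped = defaultdict(list)
    for host, child in unusual_children(events, expected):
        grouped[host].append(child)
    return dict(grouped)


if __name__ == "__main__":
    for host, children in alerts_by_host(EVENTS).items():
        print(f"{host}: PowerShell launched {', '.join(children)}")
```

An allowlist catches what the baseline has never seen, which is exactly the signal the DIR points at, but it is only the first layer: a full EDR also weighs the parent chain above PowerShell, the command line, and how rare the child is across the fleet, which is what a process-classification service adds on top of a rule like this.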
Although ransomware has been around for years, and its popularity experiences peaks and troughs, it is an ever-present threat. What’s more, a case such as this proves that cybercriminals will always use cutting-edge techniques to carry out ransomware attacks. This is why you must never let your guard down when it comes to protecting your company against this cyberthreat.