Following a recent spate of ransomware attacks against critical infrastructure around the world, it has become clear that many organisations need to revamp their security protocols.
Many of the attacks, concentrated in sectors such as energy and public services, have been attributed to Russian-speaking organised crime groups such as Vice Society and the operators of the Ryuk ransomware. These groups are highly organised and appear intent on causing as much disruption as possible.
Vice Society alone has been active across the United States, Australia, and the European Union, targeting countries that have openly supported Ukraine since the war broke out. The group exploits vulnerabilities in computer systems to steal data, which it then uses for extortion or sells to the highest bidder.
Healthcare, education, and transportation have been key targets for criminal groups. These public-sector organisations tend to have less sophisticated cyber defences in place compared with large corporations such as banks or big technology companies, making them vulnerable to such attacks.
Vice Society’s use of encrypted channels to move stolen data out of the network makes it difficult for law enforcement and security professionals to establish what was taken and assess the extent of the attack. Network detection and response capabilities matter now: being able to decrypt and inspect traffic at the network level gives defenders the visibility needed to stop an attack before it causes damage.
Some organisations reach the conclusion that paying a ransom is the most effective way to get critical data and systems back online and fully functional as quickly as possible. In healthcare in particular, speed of system recovery is critical, and despite the Australian Cyber Security Centre advising victims against paying demanded ransoms, the 2023 Global Cyber Confidence Index found that 82 per cent of companies hit with ransomware paid the ransom demand at least once.
Vice Society’s apparent willingness to forgo larger paydays and intentionally direct attacks against critical infrastructure targets suggests the Russian government’s implicit involvement. These attacks could be seen as a form of asymmetric warfare in which a state-sponsored group is using organised crime as a tool to carry out attacks that cause maximum disruption and losses for victim countries.
Shrinking the attack surface
To prevent such attacks, organisations need to focus on reducing their attack surface through effective security hygiene. They should also make use of multi-factor authentication (MFA), conduct regular security audits, and perform thorough employee training. This will help the 53% of Australian businesses which say that some of their critical devices can be remotely accessed and controlled and are exposed to the public internet.
Insecure or outdated ports and protocols are often exploited in these types of cyberattacks, and so it is also critical to maintain proper patching and configuration. This is especially important in sectors such as education and government which underwent a rapid digital transformation as a result of the pandemic. The 2023 Global Cyber Confidence Index found that all Australian and New Zealand respondents today are running one or more insecure network protocols. Despite calls from leading technology vendors to retire SMBv1, which played a significant role in the explosion of WannaCry and NotPetya, 84% are still running it in their environments.
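The simplest way to find out whether SMBv1 is still in use is to look at the first message of each SMB session on the wire: a client with SMBv1 enabled opens with an SMB1 Negotiate request (magic bytes 0xFF "SMB", command 0x72) even when it also lists SMB2 dialects for upgrade, while a client with SMBv1 disabled opens directly with an SMB2 Negotiate (magic 0xFE "SMB"). The following Python script is an added example written for this article, not code from the original page or any vendor: it parses both negotiate formats from raw TCP/445 payloads, classifies each session's SMBv1 exposure, and audits a list of flows. The flow records and the helper functions that build the sample messages are constructed for the example; header fields other than those the parser reads are left zero.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 (CIFS) header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/SMB3 header signature
SMB1_NEGOTIATE = 0x72            # SMB_COM_NEGOTIATE
SMB2_NEGOTIATE = 0x0000          # SMB2 NEGOTIATE command code
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}


def strip_netbios(payload: bytes) -> bytes:
    """SMB over TCP/445 is framed by a 4-byte NetBIOS session header: type, 3-byte big-endian length."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def parse_negotiate(payload: bytes) -> dict:
    """Return the SMB generation and, for a Negotiate request, the dialects the client offered."""
    msg = strip_netbios(payload)
    if msg.startswith(SMB1_MAGIC):
        if len(msg) < 35:
            raise ValueError("SMB1 header too short")
        if msg[4] != SMB1_NEGOTIATE:
            return {"version": "SMB1", "negotiate": False, "dialects": []}
        word_count = msg[32]                          # parameter words (0 for Negotiate)
        params_end = 33 + 2 * word_count
        (byte_count,) = struct.unpack_from("<H", msg, params_end)
        data = msg[params_end + 2:params_end + 2 + byte_count]
        dialects = []
        while data:                                   # each entry: 0x02 + NUL-terminated ASCII name
            if data[0] != 0x02 or (end := data.find(b"\x00", 1)) == -1:
                raise ValueError("malformed SMB1 dialect buffer")
            dialects.append(data[1:end].decode("ascii"))
            data = data[end + 1:]
        return {"version": "SMB1", "negotiate": True, "dialects": dialects}
    if msg.startswith(SMB2_MAGIC):
        if len(msg) < 100:                            # 64-byte header + 36-byte Negotiate body
            raise ValueError("SMB2 message too short")
        (command,) = struct.unpack_from("<H", msg, 12)
        if command != SMB2_NEGOTIATE:
            return {"version": "SMB2", "negotiate": False, "dialects": []}
        (count,) = struct.unpack_from("<H", msg, 66)  # DialectCount; dialect array starts at offset 100
        codes = struct.unpack_from("<%dH" % count, msg, 100)
        return {"version": "SMB2", "negotiate": True,
                "dialects": [SMB2_DIALECTS.get(c, hex(c)) for c in codes]}
    raise ValueError("not an SMB message")


def smb1_risk(parsed: dict) -> str:
    """Classify the client: SMBv1 is enabled whenever the session opens with an SMB1 Negotiate."""
    if parsed["version"] != "SMB1":
        return "ok"
    # "SMB 2.???" / "SMB 2.002" in the SMB1 list means the client can upgrade; without them it cannot.
    if any(d.startswith("SMB 2.") for d in parsed["dialects"]):
        return "smb1-enabled-upgradeable"
    return "smb1-only"


def audit_flows(flows) -> list:
    """flows: iterable of (client, server, first_payload). Returns findings for clients still using SMBv1."""
    return [(client, server, smb1_risk(parse_negotiate(payload)))
            for client, server, payload in flows
            if smb1_risk(parse_negotiate(payload)) != "ok"]


# --- constructed sample messages (assumed values, not captures from a real network) ---
def _netbios(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb1_negotiate(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + bytes(27)          # 32-byte header, other fields zero
    buf = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(header + b"\x00" + struct.pack("<H", len(buf)) + buf)


def build_smb2_negotiate(codes) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, SMB2_NEGOTIATE) + bytes(50)  # 64 bytes
    body = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + bytes(16) + bytes(8)
    return _netbios(header + body + struct.pack("<%dH" % len(codes), *codes))


SAMPLE_FLOWS = [
    ("10.0.5.17", "10.0.1.4", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.5.23", "10.0.1.4", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.5.40", "10.0.1.4", build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])),
]

if __name__ == "__main__":
    for client, server, risk in audit_flows(SAMPLE_FLOWS):
        print(f"{client} -> {server}: {risk}")
```

Only the first flow of each session needs to be inspected, so this check runs cheaply on a span port or NDR sensor; a server that answers an SMB1 Negotiate with an SMB1 header rather than an SMB2 one has SMBv1 enabled on its side as well, which is the configuration that WannaCry and NotPetya abused.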
Companies also need to consider the tactics most often used by nation-state-backed ransomware gangs. These include targeted phishing campaigns that trick users into opening attachments or clicking on malicious web links, giving the attackers their initial foothold.
The consequences of these types of attacks are widespread and can have significant financial and reputational costs. They can also disrupt the day-to-day activities of many citizens, thereby strengthening the power of the Russian regime and demonstrating its ability to cause damage around the world.
As a result, companies need to be on constant high alert for backdoor cyberattacks, while governments at all levels need to take preventive measures to reduce their risk of becoming targets. Any lapses in monitoring or weaknesses in security infrastructure can result in dire consequences.
The bottom line is that visibility is critical: enterprises can’t trust what they can’t see, and many are unable to see everything across their networks. As a result, cybercriminals who manage to breach perimeter defences can remain in place, undetected, for extended periods.
Given that time, they are able to dismantle market reputations, financial records, and customer relationships that took years to build. This makes the network the central issue when it comes to security.
The recent wave of ransomware attacks has highlighted the need for companies to urgently review and update their security protocols, especially in vital areas such as healthcare, energy, and public services.
IT security teams also need to be mindful that cybercriminal groups are constantly changing their tactics and making use of ever more powerful malicious tools. For this reason, it is important that protective measures are continually reviewed and updated as required.
The threats posed by criminal gangs backed by nation-states are almost certain to continue to increase. It is therefore vital that organisations of all sizes remain constantly vigilant.