Homeland Security Warns That Weak Passwords Can Lead to Ransomware Attacks
Ransomware operators shifted their focus from individual users to businesses and organizations some time ago. It was a big change, and it caught many people off guard, but on reflection there were a few good reasons for it.
For one, as more home users learned the importance of backups, extortion attempts against them became less successful. What's more, cryptojacking proved not only much easier to pull off but, thanks to soaring cryptocurrency prices, more profitable as well.
In addition to all this, the crooks realized that in the corporate world, a ransomware attack could prove much more disruptive. Restoring from a backup is more complicated for a business than it is for an individual user, and a successful attack can actually force a company to shut its doors temporarily, which could be devastating. Both attackers and companies should be well aware of this by now, but it looks like plenty of organizations continue to convince themselves that it won't happen to them.
The Nefilim ransomware hits organizations in New Zealand
Last week, New Zealand's Computer Emergency Response Team (NZ-CERT) issued an advisory warning organizations about a ransomware campaign doing the rounds. NZ-CERT's experts had noticed increased activity from a ransomware family called Nefilim and wanted to alert companies to the danger they face.
Nefilim is based on the Nemty ransomware, but the crooks have made several crucial modifications that make it much more suitable for attacking organizations. According to Trend Micro, unlike Nemty, Nefilim is not offered as a service; it is operated by a single group that runs targeted attacks. According to NZ-CERT's advisory, once the attackers gain a foothold on a corporate network, they use a variety of tools to move laterally and steal data, which they later threaten to sell if the victim doesn't pay up. Only then are the victim's files encrypted, using a combination of AES and RSA: the files themselves are encrypted with AES, and the AES keys are in turn encrypted with the attackers' RSA public key, so they cannot be recovered without the matching private key.
The technical details are not why NZ-CERT issued its advisory, though. It did so because the attack is not difficult to prevent.
DHS and NZ-CERT: Patch up your systems and strengthen your passwords at once
When the attacks are aimed at organizations rather than individual users, the crooks tend to steer clear of traditional spam email. Corporate spam filters tend to be more sophisticated, and some organizations run anti-phishing training programs that help employees recognize the threat.
The Nefilim campaign, like so many other ransomware attacks, relies instead on vulnerable networks, weak passwords, and a lack of two-factor authentication. According to the advisory, the crooks target organizations whose Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services are exposed without proper authentication, that is, protected by a guessable password alone with no second factor. Networks that have not received vital security patches are also on the attackers' menu. These are relatively simple mistakes, but the number of potential targets is so large that the US Cybersecurity & Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, reiterated NZ-CERT's warnings.
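The pattern NZ-CERT describes, password guessing against an exposed RDP service followed by a successful logon, leaves a trail in the Windows Security log that a SOC can alert on. The following detection is an added example for this article, not code from NZ-CERT, CISA or the Trend Micro report. It reads a simplified, constructed export of Windows logon events (timestamp, event ID, logon type, account, source IP), counts failed RemoteInteractive (RDP) logons per source IP in a sliding window, and escalates the finding when the same IP then logs in successfully. The event IDs (4625 failed, 4624 successful) and logon type 10 are Windows' own; the export format, the threshold, the window and the sample accounts and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified export of Windows Security log events, one per line:
#   timestamp|EventID|LogonType|TargetUserName|IpAddress
# EventID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
# The lines are CONSTRUCTED for this example (RFC 5737 documentation
# addresses, made-up account names); they are not from any real system.
SAMPLE_LOG = """
2020-06-01T02:00:01|4625|10|administrator|198.51.100.7
2020-06-01T02:00:03|4625|10|administrator|198.51.100.7
2020-06-01T02:00:06|4625|10|administrator|198.51.100.7
2020-06-01T02:00:08|4625|10|admin|198.51.100.7
2020-06-01T02:00:11|4625|10|admin|198.51.100.7
2020-06-01T02:00:14|4625|10|admin|198.51.100.7
2020-06-01T02:00:17|4625|10|backup|198.51.100.7
2020-06-01T02:00:20|4625|10|backup|198.51.100.7
2020-06-01T02:00:23|4625|10|backup|198.51.100.7
2020-06-01T02:00:26|4625|10|backup|198.51.100.7
2020-06-01T02:00:29|4625|10|backup|198.51.100.7
2020-06-01T02:00:32|4625|10|backup|198.51.100.7
2020-06-01T02:00:35|4624|10|backup|198.51.100.7
2020-06-01T08:15:00|4625|10|jsmith|203.0.113.5
2020-06-01T08:15:20|4624|10|jsmith|203.0.113.5
2020-06-01T09:00:00|4624|2|jsmith|-
"""

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 10            # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window = password guessing


def parse_events(text):
    """Parse the pipe-separated export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, user, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "eid": int(eid),
            "ltype": int(ltype),
            "user": user,
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for every IP that crossed the failure
    threshold.  A finding is raised to 'high' severity, recording the
    account, if a successful RDP logon from that IP follows the burst:
    that is the weak-password intrusion pattern the advisory describes."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total_fail = defaultdict(int)
    tried = defaultdict(set)      # ip -> account names it guessed against
    findings = {}
    for e in events:
        if e["ltype"] != RDP_LOGON_TYPE:
            continue                      # console/network/service logons are out of scope
        ip = e["ip"]
        if e["eid"] == 4625:
            q = recent[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()               # drop failures older than the window
            total_fail[ip] += 1
            tried[ip].add(e["user"])
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"severity": "medium", "first_seen": q[0],
                                "compromised_user": None, "logon_at": None}
        elif e["eid"] == 4624 and ip in findings and findings[ip]["compromised_user"] is None:
            findings[ip]["severity"] = "high"
            findings[ip]["compromised_user"] = e["user"]
            findings[ip]["logon_at"] = e["ts"]
    for ip, f in findings.items():
        f["failures"] = total_fail[ip]
        f["users_tried"] = sorted(tried[ip])
    return findings


def format_findings(findings):
    """One human-readable alert line per flagged source IP."""
    lines = []
    for ip, f in sorted(findings.items()):
        msg = (f"[{f['severity'].upper()}] {ip}: {f['failures']} failed RDP logons "
               f"against {len(f['users_tried'])} account(s) from {f['first_seen'].isoformat()}")
        if f["compromised_user"]:
            msg += f"; then logged in as '{f['compromised_user']}' at {f['logon_at'].isoformat()}"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in format_findings(detect_rdp_bruteforce(parse_events(SAMPLE_LOG))):
        print(line)
```

On the sample data the script raises one high-severity alert for 198.51.100.7, which cycles through three account names and gets in as `backup`, while the single mistyped password from 203.0.113.5 stays below the threshold. A script like this only tells you the intrusion happened; the advisory's fix, strong passwords and two-factor authentication on any exposed RDP or VPN service, is what prevents the success event in the first place.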
If experience is anything to go by, however, these warnings will still not be enough to get sysadmins all around the world to properly set up their systems. This is far from the first attack that takes advantage of poor network configuration, and it probably won't be the last. Security experts have been alerting users and businesses about the dangers for a while now, but this clearly hasn't had much of an effect. The really unfortunate thing is that at this point, there's nothing to suggest that the situation will improve in the near future.