Ransomware changes its face. Should you pay the ransom, how do you protect yourself, and what should you do in case of a ransomware attack?
The main news since the beginning of last month has been reports of criminal activity by hacker groups around the world seeking money for stolen and encrypted data. May was therefore marked by a number of major cyberattacks, many of them involving ransomware.
Liverpool's rail transit system was hit by a LockBit encryption attack, the court system of a Brazilian state was shut down after files on its computers were maliciously encrypted, and the Babuk Locker group, which attacked the Metropolitan Police Department of the District of Columbia, threatened to expose police informants unless a ransom was paid.
A Conti attack seriously disrupted Ireland's healthcare system, and the insurance giant AXA was hit by a ransomware attack in which the attackers stole 3 TB of confidential data from AXA's Asian units.
The targets of all these attacks are, unfortunately, critical infrastructure, government bodies, and commercial and social institutions that function as the life-support systems of our daily lives, so attacks on such facilities can have far-reaching consequences for everyone.
EVEN LARGE CORPORATIONS CANNOT HOLD OUT
Even the defenses of companies like Apple were breached: the brand fell victim to extortionists. The Sodinokibi cybercrime group stole confidential information about the brand's future products (MacBook laptops and other devices) using the REvil ransomware, after breaking into the systems of Quanta Computer, an Apple manufacturing partner. The hackers demanded a ransom of $50 million from Quanta Computer by April 27 and threatened to publish more than a dozen schematics and drawings of components. It was also reported that the ransom could be reduced from $50 million to $20 million if it was paid by May 7. Later, the REvil operators removed the stolen Apple schematics from their leak site for unknown reasons. In the same month, stolen data from another large company was offered for sale on the darknet.
The Spanish food delivery service Glovo, popular with Ukrainians, also felt the effects of a hacker attack, during which the data of tens of millions of users (160 GB of data containing names, phone numbers and passwords) was put up for sale for $85,000.
Toyota suffered a double cyberattack in May: the first hit the European operations of Daihatsu Diesel Company, a Toyota subsidiary, and later Toyota Auto Parts Manufacturing Mississippi uncovered another attack involving ransomware. According to reports, some financial and customer data was stolen and published by the attackers.
THREATS TO THE MODERN ECONOMY: ATTACKS ON CRITICAL INFRASTRUCTURE
The largest ransomware attack of the period halted the largest fuel pipeline in the US. On May 6, the operator of the Colonial Pipeline was hit by a cyberattack by the DarkSide group, as a result of which the company was forced to suspend fuel transport along the entire 9,000 km length of the pipeline. DarkSide penetrated the Colonial Pipeline network and exfiltrated almost 100 GB of data. After taking the data, the hackers encrypted some computers and servers and demanded a ransom, threatening to leak the data if it was not paid. The Colonial Pipeline website went offline, and the company itself admitted that it expected to resume transport, suspended on May 7, only on May 15-16.
In scale, the attack on Colonial Pipeline was comparable to the NotPetya incidents and the SolarWinds attack.
SHOULD YOU PAY THE RANSOM?
The reality of ransomware is stark: 92% of organizations do not get all their data back even after paying the ransom. Nevertheless, 32% of companies in 2021 are still willing to pay, hoping to fully recover their information. Because of this willingness of companies to comply with the criminals' terms, the average ransom rose significantly in just the first three months of 2021 and now stands at $220,000, up from $154,000 in the last three months of 2020. And even after paying such enormous sums, a third of organizations were unable to recover more than half of their encrypted data.
It is also worth noting that the concept of a ransomware attack is evolving day by day: such attacks now include payment demands even without data encryption. Attackers demand payment in exchange for not leaking the stolen information on the Internet. But even after paying the extortionists in this case, the company has no guarantees and cannot consider itself protected from the publication or sale of the data. Does it make sense to rely on the honesty of criminals?
Ransomware threats almost always have costly consequences for a business, including operational disruption and theft of confidential data. So is it worth taking such a costly risk?
IT IS TIME TO ACT
Ransomware readiness has become so essential for all organizations that even executives and boards recognize it as part of their responsibility for running the business. The team at CrowdStrike, a developer of cybersecurity systems that protects thousands of companies, including ones the size of Amazon, from attackers, regularly helps organizations with training, preventive protection, and response to ransomware attacks. The company shares some of the practices it recommends in such turbulent times.
1. Hardening internet-facing applications
Do not expose RDP directly to the Internet. Attackers exploit single-factor authentication and unpatched internet-facing applications, and they regularly target systems through Remote Desktop Protocol (RDP) that is reachable from the Internet.
Use a VPN with multi-factor authentication and make sure that any CVEs affecting the VPN platform and the underlying authentication system are prioritized for patching. The same principle should apply to all remote-access methods, to Active Directory (AD), and to Citrix Gateway.
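The first check a practitioner would run after reading this section is whether anything in the firewall or security-group rule set already exposes RDP (or SMB, WinRM, SSH) to the Internet. The script below is an added example written for this article, not CrowdStrike's code or any vendor tool: the rule format, rule names, port list and addresses are all assumptions, and a real audit would feed it a cloud security-group export or firewall dump instead of the constructed SAMPLE_RULES. It treats any source prefix that is not entirely inside RFC 1918 or IPv6 unique-local space as internet-reachable, so a wide "allow everything from the branch office" rule is flagged too.

```python
"""Audit firewall / security-group rules for remote-access services exposed to the internet.

Constructed example for this article (not CrowdStrike code): the rule format,
rule names and addresses below are assumptions; adapt `Rule` to your firewall export.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Services that should only be reachable through a VPN with MFA, never directly
# from the internet. The list is an assumption for this example; extend it.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    445: "SMB",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    22: "SSH",
}

# Source prefixes treated as "inside": RFC 1918 IPv4 and IPv6 unique local addresses.
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp", "udp" or "any"
    port_from: int  # inclusive port range
    port_to: int
    source: str     # source CIDR, e.g. "0.0.0.0/0"


def is_internet_source(cidr: str) -> bool:
    """True unless the whole source prefix lies inside a private range.

    A rule scoped to a single public prefix (a branch office, a partner) is still
    a finding: the question is "reachable from the internet", not "open to all".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        p.version == net.version and net.subnet_of(p) for p in PRIVATE_RANGES
    )


def find_exposed(rules: List[Rule]) -> List[Tuple[str, str, int, str]]:
    """Return (rule name, service, port, source) for every internet-reachable
    remote-access port, including ports hidden inside wide ranges like 0-65535."""
    findings = []
    for rule in rules:
        if rule.protocol.lower() not in ("tcp", "any"):
            continue
        if not is_internet_source(rule.source):
            continue
        for port, service in REMOTE_ACCESS_PORTS.items():
            if rule.port_from <= port <= rule.port_to:
                findings.append((rule.name, service, port, rule.source))
    return findings


# Constructed sample export. Only the HTTPS rule and the rules restricted to
# private address space are acceptable; everything else should be flagged.
SAMPLE_RULES = [
    Rule("allow-rdp-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("allow-rdp-from-vpn", "tcp", 3389, 3389, "10.20.0.0/16"),
    Rule("allow-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("allow-all-from-branch", "tcp", 0, 65535, "203.0.113.0/24"),
    Rule("allow-smb-lan", "tcp", 445, 445, "192.168.1.0/24"),
    Rule("allow-winrm-v6", "tcp", 5985, 5986, "::/0"),
]

if __name__ == "__main__":
    for name, service, port, source in find_exposed(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) reachable from {source}")
```

On the constructed rules the script reports eight findings: the direct RDP rule, all five services hidden inside the branch-office "all ports" rule, and both WinRM ports on the IPv6 any-source rule. Rules restricted to the VPN or LAN prefixes produce nothing, which is the state every remote-access port should be in.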
2. Implementing and improving email security
The most common tactic for compromising a victim organization is a phishing email. Typically, such emails contain a malicious link or attachment that delivers a payload to the recipient's workstation.
Users should also have a documented process for reporting any email they are unsure about. In addition, organizations should consider restricting users' access to personal email accounts.
3. Endpoint protection
During the lifecycle of an attack that ends with ransomware deployment, attackers typically use a number of methods to compromise endpoints, ranging from the abuse of poor AD configurations to public exploits against unpatched systems or applications.
That is why you should:
- Provide full coverage of every endpoint in your network with endpoint security products and an endpoint detection and response (EDR) platform.
- Develop a vulnerability and patch management program.
- Follow Active Directory security guidelines: avoid easy passwords and weak authentication methods; do not give regular domain users local administrator privileges; do not use the same local administrator password across the enterprise; restrict workstation-to-workstation communication; do not share privileged credentials.
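Two of the AD guidelines above can be verified mechanically from an inventory: which domain principals sit in each host's local Administrators group, and whether the built-in local Administrator account shares a password across hosts. The script below is an added example for this article, not CrowdStrike's code. The domain name CORP, the host and group names and the NT hashes are all invented; the inventory is what an authorized audit would produce (local group membership from each host, plus the built-in Administrator's NT hash from a sanctioned credential audit). Because NT hashes are unsalted, an identical hash on two hosts means an identical password, which is exactly the condition that lets one compromised workstation's hash be replayed to the rest of the fleet.

```python
"""Audit local Administrators membership and local admin password reuse across hosts.

Constructed example for this article (not CrowdStrike code). The domain name,
host names, group names and NT hashes are invented placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    local_admins: Tuple[str, ...]   # members of BUILTIN\Administrators
    local_admin_nt_hash: str        # NT hash of the built-in local Administrator


# Principals allowed to hold local admin rights (an assumption for this example).
APPROVED_ADMIN_PRINCIPALS = {
    "CORP\\Domain Admins",
    "CORP\\Workstation Admins",
}

# Placeholder hash values, not real NT hashes.
SHARED_HASH = "a1" * 16
UNIQUE_HASH = "b2" * 16

# Constructed inventory: WS01, WS02 and SRV01 share one local Administrator
# password (WS02 reports the hash in upper case, as some tools do); WS01 and WS03
# have individual domain accounts added directly to Administrators.
INVENTORY = [
    Host("WS01", ("CORP\\Domain Admins", "CORP\\Workstation Admins",
                  "CORP\\jsmith", ".\\Administrator"), SHARED_HASH),
    Host("WS02", ("CORP\\Domain Admins", "CORP\\Workstation Admins",
                  ".\\Administrator"), SHARED_HASH.upper()),
    Host("WS03", ("CORP\\Domain Admins", "CORP\\Workstation Admins",
                  "CORP\\svc_backup", ".\\Administrator"), UNIQUE_HASH),
    Host("SRV01", ("CORP\\Domain Admins", ".\\Administrator"), SHARED_HASH),
]


def unapproved_local_admins(hosts: List[Host], approved) -> List[Tuple[str, str]]:
    """(host, principal) for every domain principal in local Administrators that is
    not on the approved list: regular users, service accounts, ad-hoc groups."""
    findings = []
    for host in hosts:
        for member in host.local_admins:
            if member.startswith(".\\"):   # local accounts are covered by the hash check
                continue
            if member not in approved:
                findings.append((host.name, member))
    return findings


def shared_local_admin_passwords(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group hosts by the NT hash of their built-in Administrator and return the
    groups with more than one member. Hashes are compared case-insensitively."""
    by_hash = defaultdict(list)
    for host in hosts:
        by_hash[host.local_admin_nt_hash.lower()].append(host.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    for host, principal in unapproved_local_admins(INVENTORY, APPROVED_ADMIN_PRINCIPALS):
        print(f"{host}: {principal} holds local admin without approval")
    for nt_hash, hosts in shared_local_admin_passwords(INVENTORY).items():
        print(f"shared local Administrator password on {', '.join(hosts)} "
              f"(hash {nt_hash[:8]}...)")
```

On the constructed inventory the first check flags CORP\jsmith on WS01 and CORP\svc_backup on WS03, and the second groups WS01, WS02 and SRV01 under one hash. The usual remediation for the second finding is a per-host randomized local administrator password (for example via LAPS); for the first, moving the account into an approved group or removing the right altogether.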
4. Offline backups
The only reliable way to save data in a ransomware attack is backups that the ransomware cannot reach. When designing an offline backup infrastructure protected from ransomware, keep in mind that:
- Offline backups, as well as their indexes (which describe what data they contain), must be completely separated from the rest of the infrastructure.
- Access to such networks must be controlled by strict access control lists (ACLs), and all authentication must use multi-factor authentication (MFA).
- Administrators who have access to both the offline backup infrastructure and the production network must not reuse account passwords between the two.
- Cloud storage services with strict ACLs and rules can also serve as an offline backup infrastructure.
- Emergencies, such as a ransomware attack, should be the only case in which the offline infrastructure is allowed to connect to the production network.
5. Restricting access to the virtualization management infrastructure
Newer attacks target virtualized infrastructure directly. This approach lets attackers go after the hypervisor that runs and stores the virtual machines (VMDK disk files). As a result, endpoint security products installed inside the virtual machines do not see malicious actions aimed at the hypervisor.
Many ESXi (VMware hypervisor) systems do not have Secure Shell (SSH) enabled by default and are usually managed through vCenter. If SSH is disabled, attackers use previously stolen administrator credentials to enable SSH on every ESXi host, so:
- Restrict access to ESXi hosts to a small number of systems and make sure that those systems have proper endpoint monitoring.
- Make sure SSH access is disabled, or that it is protected by MFA.
- Make sure that passwords are unique and strong for each ESXi host, as well as for the web client.
6. Implementing an identity and access management (IAM) program
TAKE THE FIRST STEPS NOW
Any organization can fall victim to ransomware campaigns with seven-figure ransom demands, but much can be done to stop the criminals. The damage a company can suffer from a single such attack can be ten times the cost of prevention and modern protection. Moreover, every malicious action against an organization leads not only to material losses but also damages the company's business reputation, brand and market position. iIT Distribution helps you avoid such risks.
iIT Distribution specializes in advanced information security solutions. We not only supply software and hardware but also provide a full range of support and consulting services. We offer an initial examination and assessment of your enterprise's information security, carried out by highly qualified specialists, selection of equipment and software, and implementation of comprehensive cybersecurity solutions in your existing infrastructure, so that you can be confident in your protection.
Contact us through the feedback form on the website and get advice from professionals!