Increase in ransomware attacks targeting public and private entities in Trinidad and Tobago

The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) has observed a significant increase in ransomware attacks targeting local organizations. Ransomware is a type of malware that prevents users from accessing their system or files and demands a ransom payment in order to regain access. Threat actors have also threaten to publish or sell the victim’s sensitive data if they refuse to pay however paying the ransom does not guarantee that an organization will regain access to their data.

TT-CSIRT is urging all entities (public and private) to adopt a heighten state of awareness and be guided by the following:

Attack Vectors

Ransomware attacks can be initiated through multiple attack vectors. The most prominent ones that TT-CSIRT has seen used against local entities are:

• Exploiting system vulnerabilities (particularly outdated firewall devices and exposed remote desktop protocol)
• Phishing emails with infected attachments or links
• Compromising user credentials

When ransomware is deployed and installed by the threat actors, it will then seek to encrypt documents and files within the computer and other connected systems on the network. Once the ransomware has completed file encryption, it creates and displays a ransom note containing instructions on how the victim can pay the ransom. Again, payment of the ransom does not guarantee that an organization will regain access to their data.

Countermeasures

• Keep systems and applications up-to-date; especially firewall appliances and anti-virus software
• Perform regular backups. Store these backups offline (i.e. on a device that cannot be accessed from the network)
• Enable strong spam filtering and scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users
• Authenticate inbound emails (with SPF, DMARC and DKIM) to prevent email spoofing.
• Conduct security awareness training with employees
• Implement network segmentation and data categorization to minimize exposure of mission-critical and sensitive data
• Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
• Use the “application allow” feature to allow only approved applications/programs to run on a network
• Securing system administrations tools that attackers could abuse
• Disabling third-party or outdated components that could be used as entry points
• Disable the loading of macros in your Office programs
• Disable Remote Desktop whenever possible and never expose it directly to the internet
• Implement multi-factor authentication wherever possible
• Block web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)
• Develop an incident response plan and a business continuity plan in the event that a ransomware attack takes place

If you become infected, isolate the affected system(s) immediately by removing the infected system from all networks, and disable all potential networking capabilities. Ensure all shared and networked drives are disconnected whether wired or wireless. Infected systems will have to be analyzed by your security team or your security provider to determine whether the encrypted data is recoverable.

Should your institution fall victim to a ransomware attack or any other type of cyber-attack, please contact TT-CSIRT immediately for assistance.