Ransomware Attacks Targeting Critical Infrastructure and Hospitals Amid COVID-19 Global Pandemic
TT-CSIRT’s international partners have detected attempts to compromise and execute ransomware against key organizations and infrastructure required to assist in the global response to COVID-19.
Attack Vectors
Ransomware attacks can be initiated through multiple attack vectors. The prominent ones are:
– Compromising system user credentials
– Malicious emails with infected attachments
– Exploiting a system vulnerability or previous malware infection.
Once a system is compromised, the ransomware may execute on its own or give the attackers remote access to the system. The actors can then issue a series of commands that attempt to modify user accounts, change passwords and log users out of systems, and that allow the attackers to identify vulnerabilities and targets for the deployment of ransomware.
When the attackers deploy and install the ransomware, it will seek to encrypt or delete all documents and files on the computer and on connected systems. It may also enumerate the infected system's Wi-Fi and Ethernet network adapters in order to disable them and cut the system off from any outside connection.
Following the deployment of the ransomware, victims will have minimal opportunity to recover their files and restore their systems, regardless of whether the ransom is paid.
Recommended Countermeasures
TT-CSIRT encourages the relevant institutions to adopt a heightened state of awareness during this time and be guided by the following recommendations:
– Performing regular, secure online and offline backups of files
– Keeping systems and applications updated, including anti-virus platforms
– Securing email gateways to thwart threats via spam
– Avoiding opening suspicious emails and clicking on links or attachments in unrecognized emails
– Securing system administration tools that attackers could abuse
– Implementing network segmentation and data categorization to minimize further exposure of mission-critical and sensitive data
– Disabling third-party or outdated components that could be used as entry points.
Should your institution fall victim to a ransomware attack or any other type of cyber attack, please contact TT-CSIRT immediately.