BSI warns against targeted ransomware attacks
The German Federal Office for Information Security (BSI) has increasingly registered network compromises at companies that end with the manual and targeted execution of an encryption Trojan (ransomware).
With their approach, the attackers use broad-based spam campaigns such as Emotet first gain access to individual company networks and then manually explore the network and systems of those affected. In the process, the attackers try to manipulate or delete any backups and then selectively deploy coordinated ransomware on the computer systems of promising targets, as the BSI emphasizes in its letter. In some cases, this would result in significant disruptions to operations. According to the BSI, this elaborate approach allows attackers to demand significantly higher ransom from companies than was the case with previous untargeted ransomware campaigns. In addition to individual companies, IT service providers are also increasingly affected, with the attackers then using their networks to gain access to their customers. The BSI has issued a cyber security warning with technical details and recommendations for action via CERT-Bund and the Alliance for Cyber Security.
Taking even small IT security incidents seriously
"We are currently witnessing the mass proliferation of sophisticated attack methods by organized crime, which until a few months ago were the preserve of intelligence actors. Companies should take even small IT security incidents seriously and deal with them consistently, as they may well be preparatory attacks. Only if we understand information security as a prerequisite for digitization will we be able to benefit from it in the long term. The BSI can support companies in this, for example, within the framework of the Alliance for Cyber Security," says BSI President Arne Schönbohm.
Threat Situation
The described procedure can currently be observed with several different ransomware variants. In recent months, for example, the BSI has been able to analyze large-scale malware campaigns in which malicious attachments or links to fake websites in mass-mailed spam emails served as the main entry vector. After a successful infection, further malware (e.g., "Trickbot") was often reloaded to spread across the network, capture access data, and exploit the network or systems. After a successful ransomware infection, sometimes very high Bitcoin demands were made. According to the BSI, the demands were repeatedly not made in a lump sum, but individual payments were negotiated.
Access gained via remote maintenance tools
In Germany in particular, this approach has been increasingly observed with the GandCrab ransomware. In the known cases, the attackers first gained access to the network via remote maintenance tools (e.g., RDP, RescueAssist, LogMeIn), installed a backdoor on various systems in the victims' network, spied on potential additional victims, and finally executed the ransomware. Corresponding warnings have already been issued by the state criminal investigation departments.
Any incidents that occur in Switzerland can be reported to the Reporting and Analysis Centre for Information Assurance (RIA). MELANI be communicated.
