Cyberattack in Liege: how to protect against Ryuk ransomware?

Cyberattack in Liege: how to protect against Ryuk ransomware?
Charlotte Bourguignon

security on computer screen

With the constant increase in the value of data and the indispensable nature of IT tools, hackers are multiplying cyber-attacks on organisations of all kinds. Among the different types of attacks, ransomware is becoming increasingly popular; once your system has been compromised, the hackers lock down your system and demand a ransom for the decryption keys. Following the example of the city of Liege, which saw a large part of its services blocked a few weeks ago, many cities and municipalities have recently fallen victim to Ryuk-type ransomware.

Reputation damage, unavailability of services, financial impact, the consequences are heavy. But how to prevent these attacks? How to detect them? And how to react? This article gives you the keys to improve the security of your organisation.

How to prevent ransomware attacks?

Ransomware attacks often abuse common vulnerabilities in an organization or its systems. By applying these 4 points you can establish a solid first layer of defense against ransomware. Do note that no security control is flawless. Always layer different controls over one another to minimize your risk level.

First, make sure your organization has strong authentication processes. By properly controlling accounts and access to them, you can already limit the risk of a cyber-attack by a significant degree. This control includes a regular access policy to ensure that people do not retain access beyond what is necessary.

Secondly, implement proper detection tools in your network. These tools allow you to identify anomalies that warrant further investigation. For example, if only one employee is connected to the network, the transfer of several terabytes of data could be indicative of suspicious activity on the network. If you see this type of anomaly, you should immediately close the doors to this type of data flow.

Third, always plan backups on the 3-2-1 strategy. For your backup to be useful, you must respect the 3 elements.

  • You must have at least 3 copies of the data
  • These copies must be kept on at least 2 different media (on a cloud, on a hard disk, etc.)
  • One of these copies must be on 1 different site from the organization’s site so that it is not attached to that network in any way.

Fourth, patch everything accordingly and update your systems. Many ransomware strains use deprecated systems as ‘launch platforms’ on your network. Make sure to establish a process for patch management that works for your organization.

How to detect Ryuk ransomware threats?

Ryuk ransomware is one of the first ransomware families to actively identify and encrypt drives and systems connected to the network. The ransomware usually lurks undetected for weeks before deploying. A few weeks before the attack, hackers install malicious software, commonly known as malware, on your system to know and understand its architecture. In this phase of preparation for the attack, there is still time to prevent potential damage to your organisation. It is therefore essential to put in place an efficient malware detection system.

The detection of malware requires both human and technical resources. Technical means of monitoring the network and anti-virus software on the one hand, and human means capable of using the monitoring technology to take further action if needed. The detection of these threats can be compared to the work of a doctor. For example, the cardiologist needs heart rate monitoring equipment, but without the appropriate reaction from the doctor, the monitoring equipment will not be of any use. By monitoring the ‘beat’ of your network, you may detect suspicious activity before it can deploy.

How to react in case of an attack?

Start by containing the threat. Isolate affected systems immediately and do not manipulate them beyond what is required to contain the immediate threat. Consider notifying appropriate authorities (if relevant) and gather as much information about the threat. Information is key to making the right decisions.

After containment, assessment and recovery is next. In this phase the goal is to identify the types and sensitivity of compromised data, analyze all egress and ingress traffic, shut down possible attack vectors and roll out backups if the decision is made to restore systems.

Finally, long term remediation is important to avoid similar incidents in the future. Make sure to take a closer look at the network and compromised systems. Always use incidents as learning moments to find vulnerabilities in your network and systems. You do not want to leave backdoors behind for attackers to use after the cleanup.

Implement appropriate security measures to counter any future attacks on your systems, such as red team exercises, awareness training, incident response planning and backup strategies. These are only a handful of examples that will have a positive impact on the security posture of an organization.

How can CRANIUM help your organisation?

During a security scan CRANIUM can map out the risks of a company, draw up an improvement plan and support the customers in the implementation of these points for improvement. But the customer can also count on CRANIUM for continuous monitoring and follow-up.