Most of us are sick of seeing ransomware in the news. Ransomware continues to plague our world and cause major issues for companies of every size and shape and for companies in every industry. Every time I read about or investigate these attacks, I ask “why?”! Why did the company not prepare themselves?
A Forbes article written by Bob Zukis in June of this year, points out that “Ransomware is a rapidly growing cyber threat, and attacks overall were up 25% in Q1.” https://www.forbes.com/sites/bobzukis/2020/06/18/ransomware-has-a-new-and-very-valuable-hostage-in-sight/#6a5c9461170f
Bob Zukis adds; “The average ransomware payment is up 33% from Q4 of 2019 to $111,605. But the real cost is the impact on business, such as lost revenue or employee productivity or the impact to public services. The average business downtime due to a ransomware attack is 15 days.”
This morning, I came across an article that discusses the Lazarus (Hidden Cobra, MATA, ZINC) ransomware that appears to have been written by the North Koreans. While this ransomware is primarily being used in non-US countries, I believe that it is common sense that the virus will be seen in US Companies. Japanese CERT personnel have been able to analyze Lazarus and have identified some key features of the malware and the Command and Control communication between an infected system and the criminal Command and Control systems. https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
The article states,
“The communication is performed in the mostly same format as mentioned earlier. It is confirmed that the module offers multiple functions including the following: (See Appendix C for details.)
- Operation on files (create a list, delete, copy, modify time created)
- Operation on processes (create a list, execute, kill)
- Upload/download files
- Create and upload a ZIP file of arbitrary directory
- Execute arbitrary shell command
- Obtain disk information
- Modify system time”
The bottom line is that this ransomware can be used to do anything the criminals program it to do; including searching databases, network and local shares, and anything not properly locked down for information and then exfiltrate the information. Since the malware can also delete files, all log files can be destroyed, and it could become extremely difficult to investigate.
This is a very timely article; last night I spoke to Jeff Longo from Fortinet and heard that Fortinet is hearing from many people; asking for assistance in preventing these attacks. Jeff explained their sandboxing tools and several other tools to mitigate the risks. In May of 2019, I wrote an article called, “Ransomware Attacks Are Out to Get You!!” https://www.cyberselfdefense.com/ransomware-attacks-are-out-to-get-you/
You have the information you need to significantly reduce your risk; why would you risk falling victim?
Please reach out if you have questions, comments, or concerns.