Are You OK UK?

 In ITC's Threat of the Week

Now it would be very easy to fall into the trap of thinking that we were going to start spouting on about politics, or even worse religion, but oh no we have decided to give the editing team a well-deserved break, and despite the absolute richness of the material available, we are talking about something different.

 We are talking about preparedness for ransomware, specifically the RYUK derivative of this despicable form of dirty malware.

Earlier this year the diligent, hard-working people at the UK’s National Cyber Security Centre (NCSC) released an advisory about the RYUK ransomware, which was in turn announced by the USA Department Of Homeland Security.

The RYUK ransomware has been around for some time. It was covered in depth by Check Point back in August 2018, who suggested it might be the work of the North Korean APT Lazarus Group or someone who has got their mitts on the code of the HERMES ransomware on account of the internal mechanisms being very similar.

Several things which make RYUK very worrying are that it appears to be under continuous development and is currently being used to attack government and national infrastructure, currently targeted in the USA, but almost certainly on its way North, South, East and West.

As we have said time and time again (along with pretty much every other security outfit), the following are amongst the best practice steps:

  • Make sure you have a current backup of all your data
  • Remove administrative privileges where they are not needed including local admin
  • Make sure your systems are patched
  • Ensure your anti-virus is up to date and ACTIVE
  • Review access control to network shared data

Above all we recommend that you never pay, ever, and if you follow the steps above, you will be in good shape, as was the City of New Bedford in Massachusetts when they recovered from a targeted RYUK outbreak.

The City of Bedford Massachusetts were in part lucky. Targeted attacks of this type are often launched on public holidays, the theory being that the IT monitoring and management might be less than 100 percent, and so when this attack was launched on the 4th of July, many of its machines were switched off – this is probably food for thought.

Eagle eyed, underpaid and overworked IT types noticed unusual activity on July 5 (annoying that isn’t it? Apparently a mechanism to save money on printer ink back in the day), despite presumably being a tad jaded, segmented the network, disconnected stuff and recovered everything from – you guessed it, backups. Kudos to them, great work. Awesome, as they would say over there.

If any of you are old enough to remember Teletext and more specifically Teletext holidays, you might be very surprised that not only does it still exist, but it has had 200,000 customer phone call recordings accessible by Joe Public on a misconfigured Amazon S3 bucket. To recap, Amazon S3 buckets are secure by design and initial deployment but it seems they are incredibly easy to misconfigure by using the wrong magic runes (think *.* rather than .*).

We would urge all of you cloud consumers, and that will probably be all of you, to really keep an eye on your administrative user situation and data access configuration before your grandfather’s phone call to a travel agent about the rubbish time he had on holiday (with you) is leaked online, or worse.

ITC has just the people, processes and services to support you in securing your cloud platforms or preparing to identify and deal with a ransomware attack without ruining your business. If you would like to know more, contact us at: [email protected] or call 020 7517 3900.

Finally for all you geeks with not much to do for the weekend, we are getting our heads around this Internet of Ting Tings security document which looks a lot more thorough than the work of Wile E. Coyote. Have a great weekend.

Author: Kevin Whelan

Recent Posts

Leave a Comment

Tel:
+44 (0) 20 7517 3900