06/19/2017 Nation-states in the ransomware business

Issue

Nation-states are now confirmed to be using ransomware campaigns to fund state coffers. The British National Cyber Security Centre (NCSC) reported this week that the WannaCry ransomware attack was launched from North Korea. This follows the United States National Security Agency (NSA) assessment, which reached the same conclusion. Security experts believe that the attack was launched by the Lazarus Group, which is tied to the government in Pyongyang.
Impact

This revelation further emphasizes the need for full backup, recovery and continuity plans to be tested and refreshed. While most of our customers have robust patching, backup and recovery processes in place, we see from news reports the impact WannaCry had on critical production networks. Many organizations have lost their data, or lost access to critical systems while being locked out during a ransomware attack. E.g., British National Health Service systems were crippled during the WannaCry attack.
Recommendations

InGuardians recommends reviewing, testing and validating your patching and backup/recovery processes. Incident response capabilities should be tested as well, guided by an internal Red Team exercise designed to emulate the ransomware attack threat model. InGuardians does not recommend paying for the return of your data. See the link below for new regulations that might impact the practice of paying your way out of ransomware.
Articles related to this issue:

NIST Incident Response:

Bitcoin regulations to prevent infosec companies from helping organizations pay ransom: