Following the reported high-profile ransomware attack on a national government agency, Kaspersky is recommending some tips for individuals and companies alike on what to do when they’re notified that their data has been exposed.
According to industry estimates, a ransomware attack hits an organization every 11 seconds, causing around $20 billion in damages globally. This year, a hospital in Illinois in the United States announced its closure, citing in part a ransomware attack it had suffered two years earlier.
“As always, leaked information in the hands of cyber criminals allows them to impersonate or deploy social engineering scams. With exposed data, hackers can get to you whether online or offline: they can send you messages, they know where you live, they can steal your identity and make unlawful financial transactions pretending to be you, or hold on to your data to sell it for further financial gain,” says Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.
The recently targeted agency, which is the state insurer, has more than 104 million Filipinos as members, including those who live outside the country as overseas workers. This means the agency holds and processes various types of personally identifiable information (PII), data that can be used to identify, contact, or locate a specific person. The agency also keeps the medical information submitted by its members for claims verification and payment.
In general, data stolen during a ransomware attack may end up for sale on the dark web. “Prices on personal and corporate data on the darknet may vary. For example, the average cost for access to a big company’s systems lies between $2000 and $4000, which is relatively inexpensive compared to the potential damage it could cause targeted businesses. When it comes to personal data, a few years ago our researchers reported that the going rate on the dark web for personal details is $10 each, selfies (photos) with documents fetch as much as $40 to $60 each, and medical records are sold and bought for as much as $30 each. It’s crucial that we protect our data because transactions on the dark platform show that it’s not only valuable to us but also to those with malicious intentions,” adds Yeo.
While the incident is still under investigation, Kaspersky strongly recommends that concerned Filipinos take the following eight (8) steps immediately:
- As soon as you realize your data may be compromised, inform the people in your life of what happened so they can avoid possible scams using your identity, and help you report to authorities.
- Check whether your email account has been exposed at https://haveibeenpwned.com or https://monitor.firefox.com/. Type in the email address associated with you and the service will tell you whether that address appears in any of the leaked databases it knows about.
- Change the passwords on all your accounts, starting with the email account that other services use for password resets. If there are security questions and answers or PIN codes attached to your account, change these too. Use strong passwords, and a different one for each account, so that one leaked password cannot be reused against the others. One of our experts explains how to create one.
- Secure your computer and other devices with antivirus and anti-malware software. If you have Kaspersky Premium installed, you can use its Data Leak Checker feature, which monitors the internet and the dark web and lets you know if your personal data is compromised.
- To protect financial data, a safe option is to keep all related data in safe, encrypted storage. Modern security solutions like Kaspersky Premium include such storage as Secret Vault. It converts users’ sensitive data into an unreadable format and protects it with a password.
- Don’t respond directly to requests from a company to give them personal data after a data breach. It could be a social engineering attack. Take the time to read the news, check the company’s website, or phone its customer service line (using a number you already have, not one from the message) to confirm the request is legitimate.
- Sign up for two-factor authentication (2FA) wherever it is available. It’s an extra level of security for your online accounts that requires a second proof of identity beyond the password, such as a one-time code from an authenticator app or a hardware security key. An authenticator app or hardware key is preferable to SMS codes, which can be intercepted if your phone number is hijacked.
- Monitor your bank, card, and online accounts for signs of any new activity. If you see transactions that you don’t recognize, report them to the institution immediately.
For organizations whose information has been encrypted for ransom, quick and decisive action is vital. Your response will help determine whether the incident becomes a serious headache for the company or a feather in your cap.
We can summarize the recovery process in four (4) steps:
- Step 1: Locate and isolate. Determine the extent of the intrusion. Start by looking for infected computers and network segments and immediately isolate them from the rest of the network to limit the spread. If your company doesn’t have many computers, start with antivirus, endpoint detection and response (EDR), and firewall logs. For very small environments, physically walk from machine to machine and check them. If there are many computers, analyze the events and logs in the security information and event management (SIEM) system. After isolating infected machines from the network, create disk images of them (and, if you can, a memory image first, since a running ransomware process and its keys may still be in RAM) and leave the machines untouched until the investigation is over.
- Step 2: Analyze and act. First, secure the rest of the network. Then start the threat-hunting process: analyze the ransomware, figure out how it got in, and find out which groups usually use it. Ransomware doesn’t simply appear; a dropper, Remote Access Trojan (RAT), Trojan loader, or something of that nature installed it, and that initial foothold must be found and removed too.
- For any cybersecurity breach or attack, you need to perform an incident investigation and response to determine the root cause of the incident and ensure a similar incident will not happen again. If your internal team does not have the skills and experience, engage a qualified third party such as Kaspersky Incident Response Services to provide comprehensive digital forensics and incident response.
- Step 3: Clean up and restore. Turn your attention to the computers that are out of commission. For those no longer needed for the investigation, format the drives and restore data from the most recent clean backup, verifying that the backup itself predates the intrusion and is not infected. If you have no backup copy, try to decrypt what’s on the drives. Start at Kaspersky’s No Ransom website, where a decryptor may already exist for the ransomware you encountered. If it doesn’t, contact your cybersecurity provider for help. In any event, don’t delete the encrypted files. New decryptors appear from time to time and there might be one tomorrow.
Regardless of the particulars, don’t pay up. You’d be sponsoring criminal activity, and the chances of getting your data decrypted are not high. Apart from blocking your data, ransomware attackers may also have stolen it for blackmail purposes, so paying does not make the leak go away. Paying greedy cybercriminals encourages them to ask for more. In general, consider any stolen data public knowledge and be prepared to deal with the leak. Sooner or later, you will have to talk about the incident with employees, shareholders, government agencies and quite possibly journalists. Openness and honesty are important and will be appreciated.
- Step 4: Take preventive measures. A major cyber incident always means big trouble, and prevention is the best cure. Prepare in advance for what could go wrong:
- Install reliable protection on all network endpoints (including smartphones)
- Segment the network and furnish it with well-configured firewalls, so that one compromised segment cannot reach the rest. Better still, use a next-gen firewall (NGFW) or a similar product that automatically receives data about new threats
- Look beyond antivirus to powerful threat-hunting tools
- Deploy a SIEM system if you’re a large company for immediate alerts
- Train employees in cybersecurity awareness with regular interactive sessions
- Deploy Managed Detection and Response service to proactively monitor and detect cyber-threats or cyber-attacks that automated prevention and detection tools may have missed
- Deploy Threat Intelligence to understand the adversaries or cyber-criminals who are targeting your organization, business reputation and assets thus providing better cyber-threat mitigation measures
- Use Digital Footprint Intelligence services to help security analysts see their company’s resources as an adversary would and promptly discover the attack vectors available to them. This also raises awareness of existing threats from cybercriminals so that you can adjust your defenses accordingly or take countermeasures in time.
As you step through the recovery process, remember to document all of your actions for transparency in the eyes of both employees and the wider world. Preserve any evidence you can of the ransomware for later efforts to locate other malicious tools targeting your systems. That means saving logs and other traces of the malware that may come in handy during a later investigation, and recording a hash of each preserved file so you can later show it was not altered.
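Steps 1 and 2 above tell you to find infected machines from endpoint and firewall logs and to isolate them, and the paragraph above asks you to preserve the logs as evidence. The script below is an added example, not code from the original article or from Kaspersky: it runs two simple ransomware heuristics over a constructed endpoint file-event log (many files renamed to one new extension by a single process in a short window, and a ransom-note file being written), prints the hosts that should be isolated first, and hashes the log so its integrity can be shown later. The log format, the host and process names, the `.lkd4` extension and the thresholds are all assumptions made up for this example; a real EDR or SIEM export will need its own parser.

```python
"""Ransomware triage over endpoint file-event logs (constructed example, not a vendor tool)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample log: "<ISO time> <host> <process> <action> <path>[ -> <new path>]".
# Every line below is invented for this example; the format is not any real product's.
SAMPLE_EVENTS = r"""
2024-05-20T09:00:01 HR-PC-02 WINWORD.EXE WRITE C:\Users\ben\Documents\offer.docx
2024-05-20T09:00:05 FIN-PC-07 explorer.exe RENAME C:\Users\ana\Desktop\old.txt -> C:\Users\ana\Desktop\old.txt.bak
2024-05-20T09:01:10 FIN-PC-07 svchost.exe RENAME C:\Users\ana\Documents\q1.xlsx -> C:\Users\ana\Documents\q1.xlsx.lkd4
2024-05-20T09:01:10 FIN-PC-07 svchost.exe RENAME C:\Users\ana\Documents\q2.xlsx -> C:\Users\ana\Documents\q2.xlsx.lkd4
2024-05-20T09:01:11 FIN-PC-07 svchost.exe RENAME C:\Users\ana\Documents\budget.docx -> C:\Users\ana\Documents\budget.docx.lkd4
2024-05-20T09:01:11 FIN-PC-07 svchost.exe RENAME C:\Users\ana\Pictures\team.jpg -> C:\Users\ana\Pictures\team.jpg.lkd4
2024-05-20T09:01:12 FIN-PC-07 svchost.exe RENAME C:\Users\ana\Documents\payroll.pdf -> C:\Users\ana\Documents\payroll.pdf.lkd4
2024-05-20T09:01:13 FIN-PC-07 svchost.exe WRITE C:\Users\ana\Documents\HOW_TO_RESTORE_FILES.txt
2024-05-20T09:02:00 HR-PC-02 OUTLOOK.EXE WRITE C:\Users\ben\AppData\Local\Temp\~msg.tmp
this line is malformed on purpose and must be skipped, not crash the triage
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<action>WRITE|RENAME) (?P<rest>.+)$")
# File names typical of ransom notes (assumed pattern; tune to the family you are facing).
NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore|recover)[^\\/]*\.(txt|html|hta)$", re.I)


class Event(NamedTuple):
    ts: datetime
    host: str
    proc: str
    action: str
    src: str
    dst: Optional[str]  # only set for RENAME


def parse_events(text: str) -> List[Event]:
    """Parse the log; malformed lines are skipped so one bad line cannot abort a triage run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = (m["rest"].split(" -> ", 1) + [None])[:2] if m["action"] == "RENAME" else (m["rest"], None)
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], m["proc"], m["action"], src, dst))
    return events


def added_extension(src: str, dst: str) -> Optional[str]:
    """Extension appended by a rename ('.lkd4' for q1.xlsx -> q1.xlsx.lkd4), else None."""
    return dst[len(src):] if dst.startswith(src + ".") else None


def find_mass_renames(events: List[Event], window=timedelta(seconds=60), threshold: int = 5) -> List[dict]:
    """Flag (host, process) pairs that append one new extension to >= threshold files within `window`."""
    by_actor = defaultdict(list)
    for e in events:
        ext = added_extension(e.src, e.dst) if e.action == "RENAME" else None
        if ext:
            by_actor[(e.host, e.proc, ext)].append(e)
    findings = []
    for (host, proc, ext), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered renames
            while evs[end].ts - evs[start].ts > window:
                start += 1
            files = {e.src for e in evs[start:end + 1]}
            if len(files) >= threshold:
                findings.append({"host": host, "process": proc, "extension": ext, "files": len(files),
                                 "first": evs[start].ts.isoformat(), "last": evs[end].ts.isoformat()})
                break                        # one finding per actor is enough to isolate it
    return findings


def find_ransom_notes(events: List[Event]) -> List[Event]:
    return [e for e in events if e.action == "WRITE" and NOTE_RE.search(e.src)]


def triage(text: str, window=timedelta(seconds=60), threshold: int = 5) -> dict:
    """Return hosts to isolate first, with the evidence behind each decision."""
    events = parse_events(text)
    mass, notes = find_mass_renames(events, window, threshold), find_ransom_notes(events)
    hosts = sorted({f["host"] for f in mass} | {e.host for e in notes})
    return {"isolate": hosts, "mass_renames": mass, "ransom_notes": notes}


def evidence_digest(text: str) -> str:
    """SHA-256 of the preserved log, to record alongside it so later tampering can be detected."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("Isolate first:", result["isolate"])
    for f in result["mass_renames"]:
        print(f"  {f['host']}: {f['process']} renamed {f['files']} files to *{f['extension']} "
              f"between {f['first']} and {f['last']}")
    for e in result["ransom_notes"]:
        print(f"  {e.host}: ransom note written by {e.proc}: {e.src}")
    print("Log SHA-256 for the evidence record:", evidence_digest(SAMPLE_EVENTS))
```

On the constructed sample, only FIN-PC-07 is flagged: svchost.exe renames five different files to `*.lkd4` within three seconds and then drops `HOW_TO_RESTORE_FILES.txt`, while the single `.bak` rename by explorer.exe stays below the threshold. Keep the threshold and window conservative; a backup agent or an archiving job can legitimately rename many files, so treat the output as a prioritised list for a human to confirm before pulling network cables.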
Our doors at Kaspersky are always open to share our expertise with any organization, public or private, facing these kinds of challenges.