New era of ransomware puts public sector on alert
By Ashwin Ram, Cyber Security Evangelist at Check Point
Friday, 02 December, 2022
Costa Rica has recently suffered a months-long cyber attack. Organised by the same group that impacted Australian institutions at the end of last year, this attack ushered in a new era of ransomware.
For months, the Central American nation has been on the frontlines of unprecedented ransomware attacks that have impacted just about every aspect of life. Essential services have been crippled, teachers have been unable to collect their pay cheques, doctors have been prevented from tracking the spread of COVID-19, all while international trade has ground to a halt.
It’s tempting to think this is trouble in a faraway land. But the chaos is not an isolated incident. Instead, it is the culmination of a recent rise in ransomware attacks across the globe. Not too long ago, in Nov–Dec 2021, there were multiple instances of Australian organisations impacted by attacks from the same cybercriminals, Conti. According to the Australian Cyber Security Centre (ACSC), in addition to ransom requests and data encryption with subsequent impact on organisations’ ability to operate, victims also had Personally Identifiable Information (PII) data stolen and published by the threat actors.
And this is just an example. The ACSC observed continued ransomware attacks targeting Australian critical infrastructure entities, including in the healthcare and medical, financial services and markets, higher education and research, and energy sectors. Since 2019, there has been a significant increase in cybercrimes against Australian institutions that have provided vital services to our population. These happened across multiple government spheres, including, to name a few: the Australian Parliament House Data Breach (February 2019), Service NSW Data Breach (April 2020), Tasmanian Ambulance Data Breach (January 2021), Northern Territory Government Data Breach (February 2021), Western Australian Parliament Data Breach (March 2021) and Melbourne Heart Group (February 2019).
The simple truth is that cyber attacks can and do happen; no organisation is exempt. The most recent Check Point Research report shows the second quarter of 2022 saw an all-time peak in global cyber attacks. Closer to home, Australian organisations experienced 941 attacks each in Q2 2022, representing an extraordinary 97% increase compared to the previous year.
While the country is rolling out enhanced regulations related to cybersecurity levels via the Critical Infrastructure Act for essential services, it’s important to remain vigilant. Still, with threat levels increasing, what can the government and private sector learn from these attacks, and how can they avoid ending up in cybercriminals’ crosshairs themselves?
Beware of vulnerability windows
Ransomware attacks are rarely the acts of individuals sitting at their computers and randomly deciding when to strike. Instead, threat actors such as cybercriminals, extortionists, nation-state actors, hacktivists etc., plan them meticulously. They can spend weeks, if not months, planning and carrying out reconnaissance to understand their targets and monetise their malicious activities as much as possible.
As a result, ransomware attacks are often executed during times of instability or uncertainty. We’ve experienced that with the handover of power from one government to another or coinciding with world events such as the start of the war in Ukraine and the onset of COVID-19. These major events act as distractions that make it easier for threat actors to mask their attacks against systems and embed themselves deep into the victims’ environment.
These distractions don’t even need to be massive geopolitical events like wars or pandemics. For government organisations and businesses operating in critical infrastructure sectors, crippling essential services can grind whole economies to a halt.
Change in any form brings with it risk. Indeed, in previous years, we’ve seen ransomware attacks targeted to coincide with national holidays, Christmas and even long weekends. The attackers aim to catch their targets off guard when people’s attention might be elsewhere.
We call these “vulnerability windows”, and to effectively protect themselves, organisations, whether they’re governments or businesses, need to monitor their risk proactively and deploy resources accordingly.
Practice good cyber hygiene
People might look at a ransomware attack and assume it results from a massive security breach or from an organisation not having stringent enough controls. Yet this kind of event is, more often than not, simply due to poor cyber hygiene.
The concept works exactly the same way as personal hygiene: people who maintain their health by taking preventative measures are less likely to get sick, while those who don’t put themselves at greater risk.
When it comes to organisations, poor cyber hygiene creates chinks in security architecture that attackers can exploit. That’s why practising good cyber hygiene is crucial. Simple steps like using strong passwords, multi-factor authentication, updating software regularly, securing backups and cybersecurity awareness training all go a long way to keeping your organisation safe from cyber attacks.
Watch out for insider threat
Recently we’ve seen a growing number of attempts by groups like Lapsus$ and Conti to actively recruit individuals from within governments and businesses to sell remote access credentials. There are advertisements all over the internet with groups overtly asking for this kind of access and offering good money.
It’s not just money that can motivate insider threats; sometimes, the intent can be malicious. Perhaps an individual doesn’t agree with the politics and policies of the organisation they work for. Or they’re leaving, so they take access with them or leave back doors open for attackers to get in after they’re gone.
Whatever their motivation may be, a Zero Trust approach and monitoring are vitally important to reducing the risk of insider threats. Fortunately, the behavioural analytics heuristics now built into security programs are specifically designed to spot unusual activity. Used in conjunction with good cyber hygiene, such monitoring helps organisations protect themselves from attacks wherever they originate.
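The two ideas above, watching the “vulnerability windows” in which attention is elsewhere and using behavioural baselines to spot unusual account activity, can be illustrated with a small detector. The following is an added example, not code from the article or from Check Point: it builds a per-user baseline (usual login hours and source addresses) from a training window of constructed log lines, then reviews later events and raises an alert when a user departs from their baseline, escalating the severity if the event falls on an assumed holiday date or involves an assumed sensitive action. The log format, the holiday dates and the action names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, date

# Constructed sample authentication logs (not real data).
# The first set establishes each user's normal pattern; the second is reviewed.
BASELINE_LOGS = [
    "2022-11-01T09:05:00 user=alice src=10.0.0.5 action=login result=success",
    "2022-11-02T09:12:00 user=alice src=10.0.0.5 action=login result=success",
    "2022-11-03T08:58:00 user=alice src=10.0.0.7 action=login result=success",
    "2022-11-01T13:40:00 user=bob src=10.0.1.9 action=login result=success",
    "2022-11-02T14:02:00 user=bob src=10.0.1.9 action=login result=success",
]

REVIEW_LOGS = [
    "2022-12-05T09:10:00 user=alice src=10.0.0.5 action=login result=success",
    "2022-12-24T02:13:00 user=alice src=203.0.113.40 action=login result=success",
    "2022-12-24T02:20:00 user=alice src=203.0.113.40 action=export_db result=success",
    "2022-12-06T14:00:00 user=bob src=10.0.1.9 action=login result=success",
    "2022-12-06T14:05:00 user=bob src=10.0.1.9 action=export_db result=success",
]

# Assumed "vulnerability windows": dates when staffing and attention are low.
VULNERABILITY_WINDOWS = {date(2022, 12, 24), date(2022, 12, 25), date(2022, 12, 26)}

# Assumed set of actions that deserve extra scrutiny when they look anomalous.
SENSITIVE_ACTIONS = {"export_db", "add_admin"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def build_baseline(lines):
    """Per-user profile: the login hours and source addresses seen during training."""
    profile = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ev in map(parse_line, lines):
        profile[ev["user"]]["hours"].add(ev["time"].hour)
        profile[ev["user"]]["sources"].add(ev["src"])
    return profile


def detect(lines, baseline, windows=VULNERABILITY_WINDOWS, hour_tolerance=1):
    """Return alerts for events that deviate from a user's baseline.

    A behavioural anomaly (unknown user, unusual hour, new source address) is
    required to raise an alert; a vulnerability window or a sensitive action
    alone does not, but either one raises the severity to 'high'.
    """
    alerts = []
    for ev in map(parse_line, lines):
        anomalies, amplifiers = [], []
        prof = baseline.get(ev["user"])
        if prof is None:
            anomalies.append("no baseline for user")
        else:
            # Hours within +/- tolerance of any baseline hour count as usual.
            # (Midnight wrap-around is ignored for simplicity.)
            if not any(abs(ev["time"].hour - h) <= hour_tolerance for h in prof["hours"]):
                anomalies.append("outside usual hours")
            if ev["src"] not in prof["sources"]:
                anomalies.append("new source address")
        if not anomalies:
            continue
        if ev["time"].date() in windows:
            amplifiers.append("vulnerability window")
        if ev["action"] in SENSITIVE_ACTIONS:
            amplifiers.append("sensitive action")
        alerts.append({
            "user": ev["user"],
            "time": ev["time"].isoformat(),
            "action": ev["action"],
            "reasons": anomalies + amplifiers,
            "severity": "high" if amplifiers else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(REVIEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

Run as-is, only alice's two events on 24 December are reported: both occur at 02:00 from an address never seen in training, both fall inside an assumed holiday window, and the second performs an assumed sensitive action, so they are flagged as high severity. Bob's export on a normal working afternoon from his usual address produces no alert, which is the point of combining a behavioural baseline with context rather than alerting on sensitive actions alone.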
How can governments combat the rise of ransomware?
The problem is that we’re not doing enough to ensure that private or public sector organisations are protected from the rise of ransomware. Indeed, while governments have worked to implement stringent measures in areas like data privacy, the same can’t be said for ransomware and destructive malware such as wipers.
Many Australian companies, especially those operating with essential services, have completed the Cyber Incident Reporting component required as part of the Critical Infrastructure Act. This is great news for the Australian population. However, even organisations with the most effective risk and incident response programs should conduct a threat scenario-based risk assessment and reaffirm the business approach to openness, access, protection and compliance.
So, where there should be strong compliance or mandates in place to ensure that organisations are adequately protected, there are instead guidelines and best practices that businesses can choose to follow. It’s a crazy situation. After all, in other areas of life, like driving a car, for example, you need to reach a certain level of qualification or capability before you’re given a licence. But you don’t need any specific qualification or certification to be given the task of securing a business. And until ransomware is treated as seriously as other areas, organisations across the world will be at risk.
Don’t get complacent
Cybersecurity can’t just be another tick box exercise, and governments must act to set standards and enforce compliance to ensure that organisations are adequately protected.
It’s time we started to adopt a risk management framework that ensures organisations are as protected from ransomware as they are from other threats facing their operations. We’ve got to become more proactive, conducting regular exercises, threat assessments and gap analysis to ensure that we are more resilient to cyber attacks. Because the biggest lesson we can take away from the plight of Costa Rica is that ransomware attacks can and do happen to anyone.