{"id":3180,"date":"2018-11-12T01:06:59","date_gmt":"2018-11-12T01:06:59","guid":{"rendered":"http:\/\/genesissystem.com\/new\/?p=3180"},"modified":"2018-11-12T01:06:59","modified_gmt":"2018-11-12T01:06:59","slug":"dealing-with-ransomware-and-remote-access-hacking","status":"publish","type":"post","link":"https:\/\/genesissystem.com\/new\/dealing-with-ransomware-and-remote-access-hacking\/","title":{"rendered":"Dealing with ransomware and remote access hacking"},"content":{"rendered":"

Dealing with ransomware and remote access hacking
\n<\/strong>
\nNetSafe has received reports from New Zealand SMEs affected by a particularly effective form of ransomware called Anti-Child Porn Spam Protection.<\/p>\n

This form of malware is targeted at Windows servers and takes a system and any data stored on it hostage in an attempt to extort money.<\/p>\n

Companies affected by the malware have found their systems locked out with all business and customer data encrypted by a hacker and a demand for payment of up to several thousand dollars to unlock the files affected.<\/p>\n

The ransomware also suggests the systems have been spamming or contain child pornography and unless the ransom is paid a report will be made to the FBI.<\/p>\n

How are companies affected?<\/strong>
\nNZ-Police-ransomware-screenshot<\/p>\n

A screenshot shows an example ransomware lockout featuring the NZ Police logo<\/p>\n

Instead of using drive-by download websites to exploit browser vulnerabilities, it would appear these latest ransomware infections are manually installed by a remote attacker using a tool named DUBrute against vulnerable Remote Desktop Protocol (RDP) connections on port 3389.<\/p>\n

The tool undertakes dictionary attacks against common user accounts including admin, Administrator, backup, console, Guest, sales, user and many more.<\/p>\n

If access is gained the attacker can disable anti-virus software and executes malware on the system that displays a ransom notice, locks genuine users out, deletes backups and encrypts any data found.<\/p>\n

There have been recent media reports of companies in Australia paying the ransom to gain access back to their data.
\nHow can I defend against this ransomware?<\/p>\n

Backup Everything
\n It is essential that companies make regular routine backups with data stored offsite as there is currently no known way to decrypt the files affected by the malware
\n Use Strong Passwords
\n Make sure you have a proper password policy in place for all user accounts with remote access \u2013 review all system accounts and delete any that are no longer required
\n Consider disabling remote access
\n If you do not need remote access then consider disabling Remote Desktop or Terminal Services, close port 3389 or use IP based restrictions or a VPN.
\n Update Everything
\n Check the Microsoft Security Bulletins and ensure your systems are fully patched against known RDP vulnerabilities
\n Alert others to prevent more attacks
\n Please forward this email to colleagues, friends and family who could be impacted by a ransomware infection at their company<\/p>\n

What do I do if my company is infected?<\/strong><\/p>\n

Report the computer system attack
\n Make a report to NetSafe\u2019s ORB website - we have been communicating with the National Cyber Security Centre about recent incidents
\n Be prepared to wipe systems and restore from backups
\n IT staff we have spoken with have spent several days dealing with the fallout from these infections
\n Do not pay the ransom
\n Some companies affected have been forced to pay to have their data unlocked by the hacker \u2013 NetSafe would encourage you to not to follow this path<\/p>\n

More help and advice:<\/strong><\/p>\n

New ransomware called Anti-Child Porn Spam Protection
\n The Bleeping Computer forum thread with comments from the alledged ransomware creator on how the encryption cannot be broken
\n Hackers ransom $3000 from NT business
\n SC Magazine report from last week on an Australian business forced to pay a $3000 ransom to hackers who had encrypted its financial records.
\n The ACCDFISA malware family \u2013 Ransomware targeting Windows servers
\n A very detailed technical look at how systems are affected by the ransomware.
\n Close port 3389 (Remote Desktop) on your firewalls NOW
\n An American blog on how two small companies lost data to the ransomware and advice on locking out failed password attempts.
\n Microsoft Security Bulletins
\n Search security bulletins for your company systems and ensure you remain fully patched.
\n NetSafe Security Central
\n Cyber security advice for New Zealand SMEs
\n Report cyber incidents to the Orb website
\n Attacks on computer systems can be reported at www.theorb.org.nz and we will work with NCSC to respond
\n Watch Paul Ducklin from Sophos
\n His YouTube video discusses another form of ransomware called Reveton that can be cleaned from computers:<\/p>\n