The Ransomware Threat is Evolving

NJCCIC Alert

Original Release Date: 5/1/2020

Summary

Over the last several months, the NJCCIC has reported that multiple ransomware threat actors have threatened to expose data stolen from ransomware victims if payment is not made. This trend is continuing and, according to Microsoft, some ransomware threat actors are exfiltrating data even when they do not plan to use it as leverage for payment. Additionally, Microsoft’s Threat Protection Intelligence Team found that threat actors compromise networks for several months before deploying ransomware, extending their reach within the network and waiting for the most opportune time in order to maximize their potential profits. Recent cases reported to the NJCCIC are consistent with Microsoft's findings with regard to persistence and data exfiltration. Furthermore, Microsoft found that some threat actors maintain control over network systems in order to launch future attacks. Many ransomware attacks begin with the exploitation of vulnerable internet-facing network devices and devices with weak authentication requirements, such as Remote Desktop Protocol (RDP) servers. As the NJCCIC discussed last week, there are roughly 30,000 internet-facing endpoints in NJ with RDP enabled – all possible vectors for launching a ransomware attack. Despite this difficult time, healthcare and other critical services, as well as small and medium-sized businesses (SMBs), are still being targeted by ransomware. In some cases, the victims have had to make the difficult decision to either pay the criminals or accept the data loss, significantly impacting their operations.

Recommendations

The NJCCIC advises users and administrators to follow the recommendations provided by Microsoft and ensure all internet-facing systems, such as RDP servers and Virtual Desktop endpoints, require multi-factor authentication; search networks for malicious PowerShell, Mimikatz, and Cobalt Strike activity; search for suspicious access to Local Security Authority Subsystem Service (LSASS) and registry or security event log modifications; ensure all systems are patched, including Citrix ADC, Pulse Secure VPN, Microsoft SharePoint, Microsoft Exchange, and Zoho ManageEngine; and establish a comprehensive data backup plan that includes keeping multiple, tested backups off the network and in a separate and secure location. Microsoft provides additional details on recent ransomware attacks in their blog post. The NJCCIC provides ransomware risk mitigation strategies in our mitigation guide.
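As an added illustration of the hunting step above (example code, not NJCCIC's or Microsoft's), the following Python sketch flags three of the signals the alert names in an exported event log: a non-system process reading LSASS memory (Sysmon Event ID 10), the Security log being cleared (Event ID 1102), and a watched registry value being modified (Event ID 4657). The LSASS allowlist, the registry watchlist and the sample events are assumptions constructed for the example; the event IDs are the standard Windows and Sysmon ones.

```python
import json

SYSMON_PROCESS_ACCESS = 10      # Sysmon: one process opened a handle to another
AUDIT_LOG_CLEARED = 1102        # Security log: "The audit log was cleared"
REGISTRY_VALUE_MODIFIED = 4657  # Security log: a registry value was modified
PROCESS_VM_READ = 0x0010        # access right required to read another process's memory
# Assumed allowlist of system processes that routinely open LSASS; tune for your environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\svchost.exe"}
# Assumed watchlist of registry paths (lower-case substrings) whose modification warrants review.
REGISTRY_WATCHLIST = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows defender")

def classify(event):
    """Return a finding for one event dict, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == SYSMON_PROCESS_ACCESS:
        if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            return None
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # Credential theft needs memory-read access from a process with no business in LSASS.
        if granted & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
            return f"suspicious LSASS memory read by {source}"
    elif eid == AUDIT_LOG_CLEARED:
        return f"security log cleared by {event.get('SubjectUserName', '?')}"
    elif eid == REGISTRY_VALUE_MODIFIED:
        path = event.get("ObjectName", "").lower()
        if any(watched in path for watched in REGISTRY_WATCHLIST):
            return f"watched registry value modified: {path}"
    return None

def hunt(lines):
    """Parse one JSON event per line and return the findings in log order."""
    findings = []
    for line in filter(None, (raw.strip() for raw in lines)):
        label = classify(json.loads(line))
        if label:
            findings.append(label)
    return findings

# Constructed sample export (not real telemetry): one JSON event per line, as an EVTX-to-JSON tool emits.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 1102, "SubjectUserName": "svc_backup"}
{"EventID": 4657, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "ObjectValueName": "Updater"}
{"EventID": 4657, "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1\\Software\\Adobe\\Prefs", "ObjectValueName": "Theme"}
"""
```

Running `hunt(SAMPLE_LOG.splitlines())` yields three findings (the LSASS read, the cleared log and the Run-key change) and ignores the two benign records.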

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
