Arm against ransomware attacks

How long were you waiting in line at a gas station after the Colonial Pipeline got hacked? An illegal, premeditated ransomware attack caused widespread panic. Ransomware attacks are popping up all over the globe as indicated by many recent reports, targeting everything imaginable including universities like NC State. The threat is very real, and everyone in the campus community needs to serve as a strong link in the chain to protect the Pack.

Ransomware is not new, even though it may seem like it is; in 2021, worldwide ransomware attacks have increased already by more than 100% since 2020. What is new is how public and widespread the effects are and the great extent to which cybercriminals are leveraging ransomware financially.  

After malware infects a targeted organization, cybercriminals hold that organization’s data for ransom. Pay the criminals millions of dollars in ransom or deal with the consequences — permanent loss of data; private data gone public to ruin reputations; research data stolen and lucrative contracts canceled; a regional gasoline shortage from Texas to New Jersey; a sudden threat to the availability of beef, pork, and chicken; and extorted healthcare facilities and their patients. Unfortunately, the list keeps growing. 

In case you think of cybercriminals as hackers in their moms’ basements surrounded by video games and empty soda cans, the world has changed drastically since those days. The world is at cyberwar including hackers and military armies designing high-priced ransomware attacks to cripple foreign foes. For a current list of cybercrime sources, see Significant Cyber Incidents.

What can I do to help the Pack right now?

First, be armed against ransomware and cybercriminals by being aware of the vulnerabilities they typically attack:

  • Unsuspecting email users: When you see email messages (or email plugins such as Constant Contact) containing attachments or links, think before you click. Cybercriminals use email to lure us into opening attachments or following links that install ransomware and other damaging code on our devices. This form of attack is called phishing. Don’t accept the lures. Falling victim to phishing attacks exposes not only your personal data but also the university’s data. So, be on guard and never let your guard down.
  • Weak passwords: Cybercriminals use sophisticated software to guess weak passwords at sub-second speeds. Once they guess your password and get into the university’s data accounts, the entire Pack can be crippled by whatever form of ransomware cybercriminals can imagine. NC State has a password-strength meter to help you create strong passwords that help keep ransomware at bay. And never share your password with anyone, no exceptions!
  • Procrastinated updates: Your endpoints (e.g., desktops, laptops, smartphones, and so on) receive update notifications. These updates often contain cybersecurity patches to help guard against ransomware and other cyberattacks. Do not procrastinate!  If you can make it a rule to stop what you’re doing and install the updates immediately, you’ll be a strong link in the chain. If, however, you procrastinate, the probability of getting attacked increases with each passing minute, and once it happens to one person, it can spread through the entire university data network very quickly. That’s how ransomware gets its foot in the door.

Next, familiarize yourself with our recent article on how to take action against ransomware attacks.

What can NC State IT personnel do?

In alignment with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the OIT Security and Compliance (OIT S&C) team employs many of their risk-mitigating recommendations and more to protect the Pack from ransomware and other forms of cybercrime. All NC State IT groups are encouraged to employ them as well.  

OIT S&C also recommends the Ransomware Best Practices from the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC):

  • Push security patches fast and frequently.
  • Have a process for identifying/changing compromised credentials.
  • Require multi-factor authentication.

For detailed recommendations, all NC State IT personnel are strongly encouraged to read the “Mitigations” section of CISA Alert AA21-131A, DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks. Here are some highlights:

  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and allowlists.
  • Limit access to resources over networks, especially by restricting remote desktop protocol. 
  • Set antivirus and antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. 
  • Implement unauthorized execution prevention by: 
    • Disabling macro scripts from Microsoft Office files transmitted via email. 
    • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. 
    • Monitor and block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). 
    • Deploy signatures to detect and block inbound connections from Cobalt Strike servers and other post-exploitation tools.

Finally, to learn more about recent ransomware attacks and how to prevent them, see: