And something else. They were all carrying ransomware in their payload.
With downtime and losses often calculated by the minute, manufacturers infected with ransomware would be highly motivated to pay a ransom in order to get their production floor back up and running.
And this wasn't your average ransomware. This new ransomware had undergone significant enhancements. Recent variants of the Locky ransomware that we saw, for example, had traded custom encryption algorithms for much more solid and robust Windows APIs and RSA encryption. This seems to have clearly been an attempt to thwart organizations that try to decrypt their files without paying the ransom.
Another ransomware variant we have been tracking is DMA Locker. Once it infects an organization, DMA Locker uses remote command-and-control servers to generate unique encryption keys. Because these encryption keys are generated off-site, reverse engineering the encryption is not currently possible. Which also means that if DMA Locker isn't entirely removed from an infected network, repeat flare-ups by the exact same ransomware can generate additional ransom demands.
There are a number of things organizations can do to protect themselves. These include:
- Control network access
- Deploy email security with sandbox filtering
- Maintain and patch software and operating systems
- Segment your network to limit the effect of a breach
- Eliminate or isolate vulnerable legacy devices and code
- Perform regular system backups and store backups offsite
- Reduce your attack surface by eliminating unnecessary devices and software, especially cloud-based applications that have not been vetted and approved by your IT team
- Install security clients on endpoint devices and keep them updated
- Enact regular staff training on how to detect and avoid common email and web-based attacks
- Extend visibility across your entire distributed network
- Assume you will be a victim of an attack and have a plan
That last one is critical. If you knew that you were going to be compromised, what would you do differently than you are doing right now? That's always an important question to ask for business continuity.
Sign up for CIO Asia eNewsletters.