Cybercrime has hit the news again as a result of the recent Norsk Hydro attack by the ransomware LockerGoga and we can already see its massive impact. Unfortunately, we’ve read too many headlines like this one before. Even the name of the affected company resembles other famous breaches that brought ransomware to the forefront of public knowledge (and fear). As you probably guessed, I am referring to the MAERSK attack by NotPetya.
Going further back in time to the WannaCry ransomware attack, then security managers said that this massive ransomware attack exposed significant weaknesses in global IT systems. We knew that we’re likely to see more attacks leveraging similar techniques, causing even greater damage in the future. While the WannaCry and NotPetya attacks were similar, they are not exactly the same as this recent one, LockerGoga. Most probably it was not a self-propagating malware, meaning that the attacker had to be more dedicated and “work harder” to infiltrate the Norsk Hydro network to compromise the ActiveDirectory and spread from there.
Even though this latest attack differs from NotPetya, the variant of this LockerGoga malware has been known for several months. It had already been used in a few attacks, one example was against Altran Technologies, an engineering consultancy company based in France, affecting some of its operations in several countries. Unfortunately, the key lesson did not come across strong enough: Once the threat was known, preventive action could (and should) have been taken against the threat before it infiltrated Norsk Hydro’s system.
Why am I comparing these three attacks: LockerGoga, NotPetya, and WannaCry? What do all three of these attacks have in common? Besides the use of ransomware, the impacted companies reverted to manual operations, and were “lucky” enough to have a backup, which is not always the case.
Although having a strong backup plan is great, there’s no reason to suffice with backup. It’s a better strategy to have strong controls from the start to prevent such large- scale attacks. To prevent and protect against known and unknown large-scale ransomware attacks, security managers must implement five essential tactics:
A security policy – This is the basic control needed in any cybersecurity deployment. With it, you will perform backups, examine your gateways and attack vectors, as well as build protection mechanisms. In all the above cases, it’s obvious that it was less than complete (at least on the implementation side).
Network segmentation – To keep organizations safe, it is crucial to segment networks. Some plants making aluminum products were impacted by the Norsk Hydro breach, although Hydro's main aluminum production sites were "running as normal", according to reports. By simply segmenting the network, plants shutting down was a problem that could have been avoided.
Endpoint security – As the facts from the Norsk Hydro breach become known, it has come to light that the malware was never identified. That is a mind-blowing fact that highlights the importance of endpoint security, not to mention underlines the avoidable problems created by not having endpoint security on all endpoints.
Network security and visibility – The ability to see everything, regardless of endpoint types and security deployment, is crucial in understanding the full scope of an unveiling incident. For example, we know with high probability that the ransomware was loaded from email and that it was designed to evade endpoint security and sandboxes, demonstrating that network visibility would have identified the breach.
Backup – As previously mentioned, following the detection of the attacks at Norsk Hydro breach, Maersk and Altran Technologies, all three companies reverted to manual operations but also successfully returned to full operation from the recent backup. Although those attacks were very serious, all of the chatter around these specific incidents would have looked quite different without this backup option.