The Catalonia Cybersecurity Agency has identified in recent weeks an increase in ransomware incidents targeting municipalities across the territory. This type of attack aims to block the entity's systems by encrypting their information, demanding a ransom for its restoration or for the recovery of the data. This ransom is usually for a high amount and is demanded in cryptocurrencies (usually bitcoin).
The most recent modus operandi for these attacks is manual intrusion into the city council's computer systems. The attackers generally take advantage of exposed internet access and remote-work (teleworking) systems such as VPNs, RDP or Citrix, using previously stolen credentials or exploiting vulnerabilities in these same technologies. Once on the internal network, if necessary, they steal the credentials of privileged users using malicious software, in order to spread the final ransomware from the domain controller itself or from the virtualization servers.
For these reasons, the main recommendations that should be applied are the following:
- Recommended use of multi-factor authentication (MFA) on publicly exposed systems and applications, in order to reduce the possibility of attackers gaining initial access to the network through previously compromised credentials.
- Increasing staff cybersecurity awareness makes it harder for attackers to get into the organization's network. Actors have less ability to deploy ransomware if they cannot enter the network.
- It is also essential to keep all systems and applications up to date, especially those publicly exposed (VPN services, the operating systems of telecommuting-related machines, etc.).
Despite the application of the aforementioned preventive measures, no network is 100% secure. When cybercriminals have managed to enter the network, there is a whole series of good practices that make it difficult for them to move laterally and escalate privileges. The goal of the attackers is to control as many systems as possible, and the most common way to achieve this is through a domain administrator account or through the domain controller itself.
- Only ICT administration staff should have access to administrator accounts. The number of administration accounts must also be kept as small as possible, applying the principle of least privilege, which reduces the possibility of an attacker obtaining a privileged account.
- Additionally, ICT administration staff should not log in with administrator accounts to other users' computers or commonly used workstations. Any computer in the organization could be compromised, and the attacker could extract the credentials used on it (e.g. by using Mimikatz) and gain access to an administrator account.
- A network segmentation strategy is another good practice that would hinder lateral movement.
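One way to check the recommendation above on privileged logons, as an added example that is not part of the agency's press release: a detection run over constructed Windows 4624 logon events that flags privileged accounts logging on interactively (credential-caching logon types) to hosts other than designated admin workstations. The account list, host list and log lines are assumed sample values.

```python
import re
from dataclasses import dataclass
from typing import List

# Logon types that leave reusable credentials in LSASS memory on the host:
# 2 interactive (console), 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive.
# Network logons (type 3) do not cache the password or hash on the target.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 7, 10, 11}

# Assumed (hypothetical) inventory: privileged accounts and the only hosts
# where they are allowed to log on interactively (admin workstations / jump hosts).
PRIVILEGED_ACCOUNTS = {"CITY\\adm.jsmith", "CITY\\Administrator"}
ADMIN_WORKSTATIONS = {"PAW01", "PAW02"}

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_LOG = """\
EventID=4624 Computer=PAW01 TargetDomainName=CITY TargetUserName=adm.jsmith LogonType=2
EventID=4624 Computer=WS-FINANCE-07 TargetDomainName=CITY TargetUserName=adm.jsmith LogonType=10
EventID=4624 Computer=WS-FINANCE-07 TargetDomainName=CITY TargetUserName=mgarcia LogonType=2
EventID=4624 Computer=FILESRV01 TargetDomainName=CITY TargetUserName=Administrator LogonType=3
EventID=4625 Computer=WS-HR-02 TargetDomainName=CITY TargetUserName=Administrator LogonType=2
EventID=4624 Computer=WS-HR-02 TargetDomainName=CITY TargetUserName=Administrator LogonType=7
"""

@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    logon_type: int

_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict of field name -> value."""
    return dict(_FIELD.findall(line))

def find_privileged_logons_on_workstations(log_text: str) -> List[Finding]:
    """Flag successful credential-caching logons by privileged accounts
    on hosts that are not designated admin workstations."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":  # only successful logons
            continue
        try:
            logon_type = int(ev["LogonType"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the sweep
        if logon_type not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue
        account = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}"
        host = ev.get("Computer", "")
        if account in PRIVILEGED_ACCOUNTS and host not in ADMIN_WORKSTATIONS:
            findings.append(Finding(host, account, logon_type))
    return findings

if __name__ == "__main__":
    for f in find_privileged_logons_on_workstations(SAMPLE_LOG):
        print(f"ALERT: {f.account} logon type {f.logon_type} on {f.host}")
```

On the sample log only the RDP logon of adm.jsmith to WS-FINANCE-07 and the unlock by Administrator on WS-HR-02 are reported; the logon on PAW01, the network logon (type 3) and the failed logon (4625) are not.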
Finally, and as a golden rule in the face of ransomware threats, it is of the utmost importance to have a good backup strategy deployed.
- The impact of a successful ransomware attack is greatly reduced when a recent backup copy is kept isolated from the network (air-gapped) or in an offsite location. In this scenario, instead of the total loss of information or the high economic cost of paying the ransom, the impact is likely to be reduced to the temporary unavailability of the service while the infection is managed and the data is recovered.
The Cybersecurity Agency of Catalonia, thanks to CATALONIA-CERT, has a high response capacity that allows it to act in a coordinated and timely manner to minimize the impact of cybersecurity incidents occurring throughout the territory. In the event of an incident, please contact us by phone at 900 112 444 or by e-mail at cert@ciberseguretat.cat.
Over the past year, the Cybersecurity Agency of Catalonia has defined a specific cybersecurity service for local administrations, which aims to offer new capabilities for protection and response to cybersecurity threats and incidents and thus prevent attacks such as those that are the subject of this press release. This service is expected to be operational early in the second quarter of 2021; in the meantime, the mailbox seguridad.aall@ciberseguretat.cat has been created to resolve any doubts or issues in this regard.