Australia warns of ransomware campaign targeting Australian organisations
CERT Australia, the national Computer Emergency Response Team, has confirmed an increase in the volume of ransomware targeting Australian organisations.
Ransomware is a type of malware (malicious software) that typically locks a victim's computers, often also encrypting data on the system. A display screen usually follows that demands payment to unlock or decrypt the data.
Examples often include a fake warning claiming that the victim's computer has been associated with criminal activity. For example, the extortionist may claim to be from the fake Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA) and that paying a fine immediately will unlock the computer and avoid further criminal proceedings.
This is an attempt to extort money. As with any extortion, you are advised not to pay.
The attackers are known to commonly use Microsoft Remote Desktop Protocol (RDP) as an entry point to your network, possibly using authentication credentials obtained by key loggers, or accessing systems with weak credentials.
Cyber crime involves the unauthorised access to or impairment of computer systems. If you suspect you have been the victim of cyber crime, report it to your local law enforcement agency.
CERT Australia suggests that stakeholders consider the following specific mitigations to protect against this cyber security risk.
Make regular backups of all your important files, and importantly store copies of your backups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.
Ensure your systems are fully updated. This includes servers that are accessed remotely, in particular those running RDP services, as well as computers that are used to access them.
Limit remote access to your systems directly from the Internet.
Enforce strong passphrase/password policies on your RDP server to reduce the risk from brute force attempts at cracking passwords.
Implement account lockout policies (account locks if too many false attempts are made) on your RDP server to reduce the risk from brute forcing attempts.
Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.
Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.
For the complete CERT Australia guide on ransomware, visit: https://www.cert.gov.au/advisories
CERT Australia offers additional information on mitigation for similar security risks, refer to the documents 'Strategies to mitigate targeted electronic intrusions' and 'Defence in Depth Principles' and 'Resilient Backups' publication, available at: https://www.cert.gov.au/advisories
Microsoft advice on securing Small Business Server 2003: http://technet.microsoft.com/en-us/library/cc700836.aspx
Stay Smart Online offers useful advice for small businesses: http://www.staysmartonline.gov.au/small_and_medium_business
Thank you to those subscribers who have provided feedback to our Alerts, Advisories and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
information has been prepared by Enex TestLab for the Department
of Broadband, Communications and the Digital Economy (‘the Department’). It was
accurate and up to date at the time of publishing.
information is general information only and is intended for use by private
individuals and small to medium sized businesses. If you are concerned about a
specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this
advisory accept no liability for any damage, loss or expense incurred as a
result of the provision of this information, whether by way of negligence or
Nothing in this information (including the
listing of a person or organisation or links to other web sites) should be
taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this
information do not reflect the views of the Commonwealth, or indicate its
commitment to a particular course of action. The Commonwealth also cannot
verify the accuracy of any third party material included in this information.
Host of subscription service
Commonwealth has engaged Ladoo Pty Ltd to
host the Stay Smart Online Alert Service. All URL links should show the domain send.ladoo.com.au at hover
over. URL links related to the administration of the service ('View online', 'Update your profile preferences' and 'unsubscribe')
should direct you to web pages hosted by Ladoo Pty Ltd.