South Australia new target of ransomware attackers
Two businesses in South Australia have become the latest targets of ransomware attacks, following several incidents affecting Queensland medical practices in the last month.
South Australia Police issued an alert about the attacks this morning, saying the attackers are known to use the remote desktop protocol (RDP) as an entry point.
The attacks in SA are similar to the cases in Queensland, where up to five medical practices are thought to have been targeted. One of those – the Miami Family Medical Centre on the Gold Coast – has gone public about the attack.
It is not known if the businesses were general practices as they did not wish to be named, but SA Police said the force had consulted with other law enforcement agencies across Australia, which have indicated that they are also experiencing an increase in ransomware attacks.
“Authorities believe the criminals may gain access by using authentication credentials obtained by key loggers – a covert software program which tracks the keys struck on a keyboard – or by accessing systems with weak passwords,” SA Police said.
“Once a system has been accessed and compromised, the criminal behind the malware will demand payment to unlock or decrypt the data – thereby “kidnapping” the information and demanding payment to free it. These payments are often sought via a wire transfer, premium-rate text messages, or through an online payment voucher service.”
Police said the businesses were medium-sized and the attacks had caused considerable disruption and loss of income.
eHealth security consultant Alberto Tinazzi said that while it was possible the hackers were accessing networks through RDP, they can also bypass a firewall using encapsulation, a technique which allows them to disguise their malicious traffic as if it was regular web browsing traffic.
Mr Tinazzi said TeamViewer, LogMeIn and other remote support products use a similar technique in that they encapsulate any sort of traffic as if it was requested by the user. Most basic firewalls are set up by default to trust and therefore let through any traffic requested by the user, such as web browsing, downloading files or emails.
“It is very difficult to detect and stop this sort of activity, unless you have a ‘smart firewall’ with built-in intrusion detection capable of detecting that this is not regular web traffic,” he said.
“The typical $100 firewall that you buy from consumer electronics retailers is not going to be able to do that. Most people do not understand the difference between business-grade equipment and consumer-grade equipment – if you want something smart, you are looking at $1000 or more.”
In order to use the encapsulation technique, however, an attacker has to trick the user into downloading a malicious script or application that initialises the connection from within the trusted network as if it was a regular connection requested by the user. Mr Tinazzi said this can be easily done by luring the user to visit a website where the malicious code or script is concealed. The user may activate the script by simply moving the mouse over a picture, for instance.
“Also it is quite common in small to medium businesses to allow users to log in to computers as local administrators,” he said. “That means having full control of the computer. A virus is a piece of software and in order to be activated it must be executed and installed, and if you are an administrator you can execute and install them without even knowing it.”
As a general rule, users should never be logged in with administrative rights unless they are required to carry out administrative tasks, he said. As soon as the user has finished performing administrative tasks they should log out and log back in as a standard user.
“However, people get frustrated as they perceive this as a waste of time. They want to install software as required without logging out and logging back in as the administrator.
“Windows Vista and 7 came with a clever built-in protection, User Account Control (UAC), which aims to prevent or at least warn the user when an application wants to make changes to the computer. This feature is often disabled because deemed as annoying by users or because incompatible with some software.”
Mr Tinazzi believes that the new federal regulation on mandatory data breach notification may force businesses to reassess their approach to data security. “It is important for business owners to understand their responsibilities in protecting third-party personal information,” he said.
SA Police recommend that organisations consider taking the following measures to protect against this type of cyber security vulnerability.
- Ensure that all computer systems and programs are fully patched and updated
- Limit remote access to your systems directly from the internet
- Monitor remote access to your systems directly from the internet
- Enforce strong passphrase/password policies on your RDP services to reduce the risk from brute force attempts at cracking passwords
- Implement account lockout policies to reduce the risk from brute forcing attempts
- Where remote access is necessary, use secure methods such as a virtual private network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require the access
- Use up-to-date anti-virus software, and consider using different vendors for gateway and desktop systems.
“Police would also remind people that ransomware attacks are an attempt to extort money," SA Police said. "As with any extortion, you are advised not to pay.”
The RACGP has also urged general practices to boost their security, recommending that they implement the college's Computer and Information Security Standards (CISS) and accompanying workbook.
The CISS provides a record of the 12 basic computer and information securities that should be undertaken across all general practices.
The workbook, when completed by practice staff, forms part of the general practice’s policies and procedures manual. It is currently being reviewed in light of new legislation and legislative instruments to support the PCEHR and will be released by June 2013.
RACGP president Liz Marles said practices are advised that the current edition of the CISS (2011) is still best-practice and the gold standard in guidance for general practices to be confident in information and security protection.
Posted in Australian eHealth