Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) has issued an urgent security notice addressing Swiss-based companies that have recently suffered cyber-attacks.
The federal agency, created with the mission to protect critical infrastructures, urges these firms, and others like them, to think twice before paying the ransom.
According to the advisory, published yesterday, MELANI has dealt with more than a dozen ransomware infections at large companies across Switzerland. Many of the systems were rendered unusable, as attackers demanded ransoms ranging from tens of thousands to millions of Swiss francs.
Warnings from the authorities were not heeded
Technical analysis of each incident revealed generally lax IT security policies and processes among victims.
“IT security of the companies affected was often incomplete and the usual best practices (Information security checklist for SMEs) were not fully observed,” the document reads. “Furthermore, warnings from the authorities were not heeded.”
MELANI proceeds to outline some of the most common weaknesses encountered during analysis, including:
- No antivirus solution deployed
- Remote Desktop Protocol (RDP) protected only by a weak password, left on the default port (3389), and with no VPN or IP filter restricting who can reach it
- Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies
- Backups were not kept offline and secluded from the main network
- No network segregation
- Lax patch management
- Excessive user rights (e.g. a backup user who has domain admin rights or a system administrator who has the same rights when browsing the internet as when managing the systems)
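The following PowerShell audit is an added example, not part of the MELANI advisory; it checks a Windows host for three of the weaknesses listed above (RDP on the default port without Network Level Authentication, RDP allowed from any remote address, and a backup account holding Domain Admins rights). It assumes it is run elevated, that the ActiveDirectory module is installed for the group check, and uses `svc-backup` as a placeholder account name.

```powershell
# Added audit script (not MELANI's own code). Flags three of the weaknesses MELANI lists.
# Assumptions: run elevated; ActiveDirectory module available; 'svc-backup' is a placeholder.
$findings = @()

# 1. RDP listener: default port 3389 and Network Level Authentication (UserAuthentication=1)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey
if ($rdp.PortNumber -eq 3389) {
    $findings += 'RDP listens on the default port 3389'
}
if ($rdp.UserAuthentication -ne 1) {
    $findings += 'RDP Network Level Authentication is disabled'
}

# 2. Firewall: enabled inbound allow rules for the RDP port whose remote scope is 'Any'
#    (no IP filter, so the service is reachable from the whole internet if exposed)
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq $rdp.PortNumber }
foreach ($rule in $rdpRules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($scope -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address"
    }
}

# 3. Excessive rights: a backup service account that is (directly or via nesting) a Domain Admin
$backupAccount = 'svc-backup'   # placeholder; replace with the real backup account name
try {
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($admins -contains $backupAccount) {
        $findings += "Backup account '$backupAccount' is a member of Domain Admins"
    }
} catch {
    $findings += "Could not query Domain Admins: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    'No findings for the checked items'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps to one bullet in the list above; a clean result for these three checks says nothing about the remaining items (antivirus, offline backups, segmentation, patching), which need their own controls.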
As long as companies pay ransom, “attackers will never stop blackmailing”
The document provides recommendations on how to address each of these weaknesses. MELANI also urges companies in Switzerland to refrain from paying ransom.
“If systems have been encrypted by ransomware, MELANI advises against making a ransom payment,” it says. “As a general rule, MELANI does not recommend paying because the money will support the hacker's infrastructure. It should also be noted that even if a ransom is paid, there is no guarantee that the blackmailer will decrypt the data.”
“As long as there are still companies that make ransom payments, attackers will never stop blackmailing,” MELANI stresses.
If a ransom payment is nevertheless considered, MELANI advises making sure systems are fully cleansed of the infection before putting them back into operation.
In many of the reported cases, hackers used the infamous banking trojans "Emotet" and "TrickBot" to deploy ransomware in the targeted infrastructures. The two pieces of malware are notoriously persistent and can continue to cause damage even after systems have apparently been cleaned.