North Korea Ransomware Hits News Media

Category: Blog  |  Thursday, January 3rd, 2019

If you turned on the news this last weekend you saw the cyber carnage. A major newspaper publishing company was hit with a server outage that disrupted the distribution of multiple US newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun.

According to KnowBe4, an unnamed source stated that the publishing company discovered files with a .RYK extension, leading security experts to believe this was a targeted attack using the Ryuk ransomware strain.

“This strain is the latest incarnation of the earlier HERMES ransomware which is attributed to the capable and active Lazarus Group that operates out of a Chinese city just north from North Korea and reportedly controlled by the N.K. Unit 180 spy agency,” according to Stu Sjouwerman, CEO of KnowBe4.

Ryuk is a ransomware strain generally used for highly targeted attacks, with its encryption focused specifically on the victim's most crucial assets. These aren't campaigns sent to thousands of people in the hope of hitting a few; they are manual attacks with one target in mind.

The attackers demand huge ransoms. Currently it's very difficult to keep a state-sponsored cybercrime gang off your network once they go after you. A robust backup plan and a strong defense are your best protection.

KnowBe4 recommends these steps:

  1. Security Awareness Training: Make sure your employees never click the link, fall for the scam, open the attachment, etc. that allowed any ransomware to run in the first place!
  2. Backup With a Vengeance! Any data that's worth protecting (which includes specific critical endpoints) should be backed up regularly and the restore function tested frequently to make sure you actually have that backup.
  3. Scan your network: identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.
  4. Strong RDP Settings: Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
  5. Automate the Process: An RDP brute force approach does open the attacker's information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.
  6. 2-factor authentication: For all remote log-ins make sure to use 2-factor authentication.
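Step 5 above is the one that is easiest to get wrong by hand, so here is an added example (not KnowBe4's or EnhancedTECH's code) of the parsing logic it describes, written in Python over exported Windows Security events rather than inside Event Viewer itself. The field names (EventID, IpAddress, TargetUserName, LogonType) are the ones Windows uses in logon events 4625 and 4624; the event records themselves are constructed sample data, and the threshold and window are assumptions to tune for your environment.

```python
"""Find RDP brute-force sources and possibly compromised accounts from
exported Windows Security logon events (4625 = failed, 4624 = success)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
THRESHOLD = 5                # assumed: failures per window that trigger a block
WINDOW = timedelta(minutes=10)  # assumed: sliding window length


def ev(eid, when, ip, user, ltype=RDP_LOGON_TYPE):
    """Build one event record shaped like an exported Security event."""
    return {"EventID": eid, "TimeCreated": when, "IpAddress": ip,
            "TargetUserName": user, "LogonType": ltype}


# Constructed sample log: six RDP failures from one IP in five minutes
# followed by a success, plus two harmless typos from a legitimate user.
EVENTS = [ev(4625, f"2019-01-02T03:1{i}:00", "203.0.113.7", "admin") for i in range(6)]
EVENTS += [ev(4624, "2019-01-02T03:17:00", "203.0.113.7", "admin"),
           ev(4625, "2019-01-02T03:20:00", "198.51.100.4", "jsmith"),
           ev(4625, "2019-01-02T03:21:00", "198.51.100.4", "jsmith"),
           ev(4624, "2019-01-02T03:25:00", "198.51.100.4", "jsmith")]


def brute_force_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: total_failures} for every IP whose RDP failures reach
    `threshold` inside any sliding window of length `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == RDP_LOGON_TYPE:
            fails[e["IpAddress"]].append(datetime.fromisoformat(e["TimeCreated"]))
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def suspect_accounts(events, flagged_ips):
    """Accounts that later logged on successfully over RDP from a flagged IP,
    i.e. the 'compromised user accounts' to reset and investigate."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE
                   and e["IpAddress"] in flagged_ips})


if __name__ == "__main__":
    ips = brute_force_sources(EVENTS)
    print("block:", ips, "reset:", suspect_accounts(EVENTS, ips))
```

Feed `brute_force_sources` the output of your firewall's block list and `suspect_accounts` the helpdesk queue; the same loop runs unchanged over a larger export because the window slides rather than re-scanning.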

If you need assistance with your cyber defense give EnhancedTECH a call at 714-970-9330 or contact us at [email protected]
