Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) today warned of ongoing ransomware attacks targeting the systems of Swiss small, medium-sized, and large companies.

According to the alert issued in collaboration with the Swiss Government Computer Emergency Response Team (GovCERT), the attackers have asked for ransoms ranging from thousands of Swiss Francs to millions — 1 million CHF is just over $1 million.

Over a dozen of such ransomware attacks that resulted in systems being encrypted and rendered unusable have been reported in recent weeks.

“The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions,” the alert says.

Swiss ransomware victims ignored warnings, had poor security

As MELANI and GovCERT discovered while investigating these ransomware incidents, recommended best practices such as MELANI’s information security checklist for SMEs were not implemented by the victims and previous warnings of such attacks were not taken into consideration.

The Swiss Government-funded cybersecurity body advises businesses not to pay ransoms to avoid becoming involuntary sponsors for the hackers’ ongoing campaigns.

Also, by paying them, businesses don’t have any guarantee that their data will be recoverable using decryption tools provided by the attackers.

It is important that the companies concerned contact the cantonal police immediately, file a complaint and discuss the further procedure with them. As long as there are still companies that make ransom payments, attackers will never stop blackmailing. – MELANI

MELANI also warned both SMEs and large companies that they are still at risk even after paying the ransoms and restoring their systems and data seeing that “the underlying infection from malware such as ‘Emotet’ or ‘TrickBot’ will remain active.”

“As a result, the attackers still have full access to the affected company’s network and can, for example, reinstall ransomware or steal sensitive data from it.”

MELANI said that there are examples of companies from Switzerland and other countries that were ransomed multiple times within short periods of time.

While analyzing the recently reported ransomware incidents, the Swiss cybersecurity body identified a number of weaknesses that allowed attackers to successfully breach the companies’ defenses (all of them can be mitigated by MELANI’s recommendations):

• Virus protection and warning messages: Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers).
• Remote access protection: Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
• Notifications from authorities: Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies.
• Offline backups and updates: Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted.
• Patch and lifecycle management: Companies often do not have a clean patch and life cycle management. As a result, operating systems or software were in use that were either outdated or no longer supported.
• No segmentation: The networks were not divided (segmented), e.g. an infection on a computer in the HR department allowed the attacker a direct attack path to the production department.
• Excessive user rights: Users were often given excessive rights, e.g. a backup user who has domain admin rights or a system administrator who has the same rights when browsing the internet as when managing the systems.

Stream of ransomware warnings

Last year, in November, a confidential report issued by the Dutch National Cyber Security Centre (NCSC) said that at least 1,800 companies from around the globe and with operations in various industry sectors were affected by ransomware attacks.

The three file-encrypting malware strains responsible for the infections — LockerGoga, MegaCortex, and Ryuk — relied on the same infrastructure and were previously spotted in attacks that targeted corporate networks and enterprises such as Norsk Hydro and Prosegur.

The Federal Bureau of Investigation (FBI) also warned private sector partners last month about Maze Ransomware operators focusing their attacks on US companies. 

This warning came less than a week after the FBI warned private industry recipients about LockerGoga and MegaCortex ransomware infecting corporate systems from the U.S. and abroad in a flash alert marked as TLP:Amber.

“Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands,” the FBI announced at the time.

“The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga.”

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all critical U.S. infrastructure sectors of a recent ransomware attack that hit a natural gas compression facility and took down pipeline operations for two days.