In today's digital world, it is not a question of if malware will attack your network, but when. Case in point: the malware attack on the Durham City and County government during the weekend of March 6, 2020. The city and county network was infiltrated by Ryuk ransomware. It is important to understand how to prevent malware attacks.
What happened when Durham City was attacked? The city shut down some of its systems while investigating and trying to contain the attack. The city's malware protection system alerted IT to the problem in time to contain most of the damage. The city came to believe the attack was Ryuk.
Ryuk is a type of ransomware; in this case it reached the Durham City and County systems through a phishing attack using an infected malicious email. This latest attack was an escalation of recent attacks on North Carolina entities.
In a notice that the City published on Sunday, March 8, 2020, Durham says its emergency systems are up and running again. No data appears to have been stolen, and it seems that cyber hackers have not demanded a ransom. WRAL reported that "the origin of the attack is unknown and being investigated by the City."
WRAL also reported that the North Carolina State Bureau of Investigations found that the malware used in the attack was of Russian origin and spreads through malicious email attachments and across network servers.
Ryuk's debut was August 2018, when it attacked at least three companies. Those attacks yielded the cybercriminals a total of $640,000 in ransom. Ryuk can identify and encrypt a victim's network resources and delete shadow copies on the network's endpoints. This means that Ryuk can disable the Windows Restore feature, so the company cannot return to normal following a malware attack unless there are external backups.
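The shadow-copy deletion described above is a behaviour defenders can alert on directly from process-creation logs. The following is an added example (not code from the original article) that scans constructed Windows process-creation records for the public MITRE ATT&CK T1490 "Inhibit System Recovery" command patterns and groups hits by host; the `host=... user=... cmd=...` log format and the sample lines are constructed for this example.

```python
"""Detect backup/recovery tampering in process-creation log lines.

Added example, not part of the original article. The log format
(timestamp host=... user=... pid=... cmd=...) and the sample records are
constructed; the command patterns are the publicly documented
T1490 (Inhibit System Recovery) indicators that ransomware such as Ryuk
uses to delete Volume Shadow Copies and disable Windows recovery.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Defender-side signatures, all matched case-insensitively against the command line.
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed sample records (not real telemetry). Line 4 is a benign
# 'vssadmin list shadows' that a good rule must not flag.
SAMPLE_LOG = [
    "2020-03-06T02:14:11Z host=FS01 user=CORP\\svc_backup pid=4120 "
    "cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2020-03-06T02:14:12Z host=FS01 user=CORP\\svc_backup pid=4133 "
    "cmd=bcdedit /set {default} recoveryenabled No",
    "2020-03-06T02:15:00Z host=WS17 user=CORP\\alice pid=2210 "
    "cmd=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n report.docx",
    "2020-03-06T02:16:40Z host=FS01 user=CORP\\admin pid=4190 cmd=vssadmin list shadows",
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


def parse_record(line):
    """Split one constructed-format record into host, user and command line."""
    fields = {}
    for key in ("host", "user"):
        m = re.search(rf"\b{key}=(\S+)", line)
        fields[key] = m.group(1) if m else "?"
    m = re.search(r"\bcmd=(.*)$", line)
    fields["cmd"] = m.group(1) if m else ""
    return fields


def scan_process_log(lines):
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        for rule, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["host"], rec["user"], rule, rec["cmd"]))
    return findings


def hosts_to_isolate(findings, min_rules=2):
    """Hosts where several distinct tamper rules fired: treat as active
    ransomware staging and prioritise containment (network isolation)."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
    print("isolate:", hosts_to_isolate(hits))
```

Feed it real process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1) by adapting `parse_record`; the value of the second function is that one host running several recovery-tampering commands within minutes is a much stronger containment trigger than any single command, which an administrator might run legitimately.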
Some experts believe that Ryuk is the brainchild of a Russian hacker, and the malware gets into a network through an infected email attachment. Ryuk also shares code similarities with a North Korean Advanced Persistent Threat (APT), the Lazarus Group.
Once Ryuk gains access to a network, it spreads as users and systems share files across the network. Ryuk often attacks networks that have already been compromised by Emotet or by the TrickBot trojan (which steals information through phishing scams). Emotet and TrickBot are challenging to remove once they infect a system and can lie dormant until Ryuk selects its next target.
What kind of victim does Ryuk attack? Ryuk has been known to attack hospitals, governments, businesses, and schools. Ryuk targets and then encrypts critical network assets while it deletes backups and disables network security.
The most likely Ryuk victims are companies with the following deficiencies:
- no working backups
- no incident response teams
- no way to detect or prevent malware behavior.
What can a business do to prepare for Ryuk and other malware? Here are eight tips that will help prevent malware attacks like Ryuk:
- Have external working, secure, and reliable network backups.
- Apply software updates and patches immediately.
- Test for network vulnerabilities and fix problems that show up.
- Update asset inventory regularly and update legacy systems with the latest technology.
- Monitor traffic in real-time.
- Identify persons who form the incident response team for the company. That will most likely be the IT department or a third-party managed service provider (MSP).
- Train, train, and then train employees again. All employees, from the top down, must understand that they are an essential player on the cybersecurity team. They must learn to recognize phishing scams and scrupulously avoid opening malicious emails. Train employees not to open emails from senders they do not recognize, or emails with suspicious attachments (which often contain infected Microsoft Office documents). Malware like Ryuk counts on the careless and the uninformed to provide access to a network where it can exploit network vulnerabilities.
- Adjust Microsoft Office settings to render malicious software harmless.
- Make sure Active Directory is secure by securing Remote Desktop Protocol (RDP) access following Microsoft's guidance.
- Treat weaker trojans like Emotet and TrickBot seriously. Ransomware operators often use them to infect networks with ransomware.
Total Computer Solutions provides businesses with the Cyber Security Awareness Training they need to keep employees educated, aware, and proactive about cyber attacks. For more information, please contact us today.