Learning from the ransomware attack on Tietoevry’s data centre

Reports of a ransomware attack on one of the data centres operated by IT services company Tietoevry surfaced on 20th January this year. Allegedly carried out by a ransomware gang known as Akira, the attack caused outages for several companies, universities, colleges, government agencies and municipalities across Sweden.

It is just the latest example of the impact that ransomware attacks can have on government agencies, particularly those relying on third-party software such as the Primula managed payroll and HR system affected in this incident.

According to the USA’s Cybersecurity and Infrastructure Security Agency (CISA), ransomware is “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

It is big business and a growing threat. A Statista survey of cybersecurity leaders found that 66% of organisations worldwide were victims of a ransomware attack between March 2022 and March 2023.

The motivation behind ransomware attacks

While Tietoevry works to investigate and mitigate the situation in partnership with the appropriate local authorities and its clients, it says that it currently “cannot say how long the restoration process as a whole will take – considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks.”

Many, most or even all of the organisations affected by this latest attack were arguably only collateral damage in an attack designed to have as large an impact as possible. In this kind of attack, the attacking party may be more interested in reaching as many targets as possible than in any particular affected organisation.

The end goal is to ensure that sufficiently many victims pay the ransom, so that the attacker can at least recoup the cost of developing and deploying the attack. This explains why, for the attacker, it makes economic sense to target commonly used, off-the-shelf equipment such as the Cisco VPN in this case.

Organisations that instead use alternative, high-assurance products not only benefit from that assurance as such, but also do not run the risk of becoming collateral damage in sweeping attacks that target common commercial products.

Making an action plan

So why do ransomware attacks happen, and what can organisations do to protect themselves? In general, the motivation behind ransomware attacks is financial extortion, but they can also be employed by state actors to disguise espionage or destructive cyber-attacks.

Unfortunately, there is no silver bullet to address the ransomware threat as a whole, but the key is to construct multiple layers of defence to reduce the risk of being compromised.

Akira ransomware attacks were reportedly able to breach Cisco VPN accounts that had no multi-factor authentication (MFA). This speaks to the need for stringent user authentication controls, with MFA combining passwords with biometric measures.

A mitigation strategy for ransomware attacks is, paradoxically, to employ strong file encryption capabilities, along with MFA. Individual files should be encrypted at rest and only decrypted, with MFA, while in use. This way, even if a storage device is breached and files are exfiltrated, the attackers would not be able to operationalise the information they obtained. Note that this protects the confidentiality of exfiltrated data used for extortion; it does not by itself stop an attacker from encrypting or deleting the files, which is why backups remain essential.

Another countermeasure is to employ Endpoint Detection and Response (EDR) capabilities to detect anomalous activity and be able to respond accordingly.

The Akira ransomware threat actors also seek to delete backups, making restoration work extremely difficult. Hence it is important that organisations keep multiple copies of their backups and store at least one copy offline.

Organisations should leverage threat intelligence to hunt for relevant Indicators of Compromise (IOCs) to ensure their networks and systems are free from this particular threat.

Understanding the risks of cloud migration

As more and more organisations migrate to cloud providers, there is a growing incentive for threat actors to focus on the cloud, as demonstrated by Akira ransomware. Users, especially security-sensitive ones, may want to reconsider their cloud strategy and opt for an on-premises strategy instead.

The number and complexity of ransomware attacks are showing no signs of slowing down. The growing adoption of software-defined technology, the internet of things, the convergence of information and operational technology, and cyber warfare will only accelerate the emergence of areas with potential vulnerabilities to attack.

At Asperiq we fully recognise that encryption is the foundational building block of a solid cyber defence, and very often it represents the last line of defence against sophisticated cyber-attacks. Contact us to find out more about how we can help you build a secure encryption infrastructure: contact@asperiq.com.