Do we need to talk about this, gov?
This week, RansomHub claimed two recent ransomware attacks on US government entities the City of Tarrant and Sault Ste. Marie Tribe of Chippewa Indians. Neither claim came as much of a surprise, however, as both had recently confirmed attacks–and of the ransomware variety.
In the case of the Sault Tribe, the encryption of systems led to widespread disruption across a number of its enterprises, including Kewadin casinos, health centers, and government buildings. Meanwhile, the City of Tarrant’s attack originated in its police department and it stated that there would be no negotiating with the hackers.
The City of McKinney was added to INC’s leak site this week. Although the city had issued a data breach notification earlier this month after it found it was “the victim of an unknown third party gaining unauthorized access to the City network environment on October 31, 2024” there has been no confirmation on the type of attack.
17,751 people had their health data impacted in the event.
The City of Noblesville also started issuing data breach notifications to 1,841 people following a “cybersecurity incident” in October 2024. This was claimed by Interlock at the time.
Kudos to Tarrant and the Sault Tribe for their transparency and prompt alert of these attacks!
This week’s award for let’s-call-it-anything-but-ransomware goes to…
Lee Enterprises, Inc. Congratulations, your SEC filing this week jumped on the bandwagon of describing a ransomware attack in any which way possible, without using that unspeakable word, “ransomware.”
In its statement on Tuesday, February 18, it said: “Preliminary investigations indicate that threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files.” This is the first insight provided into the type of attack which took place on February 3.
Many organizations don’t want to talk about having suffered a ransomware attack for fear it’ll make them a future target, which is understandable. But if it looks like a duck and quacks like a duck, shall we just call it a duck, rather than a two-legged animal with a beak that makes a quacking noise and likes it if you feed it some stale bread at your local pond?
Two server hardening techniques for defeating ransomware attacks
Call it a "cyber attack", an "unlawful access that lead to encryption and exfiltration of files," or whatever else helps your execs sleep at night, ransomware is a serious threat that's costing companies millions of dollars. Severs are a common entry point for ransomware attacks, which is why we heavily recommend server hardening.
There's a laundry list of ways you can protect company servers against attack, but there are two techniques that are highly effective, but often overlooked:
- File System Integrity Monitoring (FSIM): This technique is particularly good as an early warning sign against ransomware. FSIM can alert your net admins to suspicious file changes or modifications. If ransomware starts encrypting files, the monitoring system can quickly flag unauthorized alterations, helping your team respond faster before all hell breaks loose. Additionally, it can help with post-attack recovery by providing a baseline of system file integrity.
- Disabling unnecessary services and ports: This is somewhat of a rookie mistake, but leaving active services running and active ports open is pretty much an open door for ransomware gangs. Ransomware often enters a network through vulnerabilities in unpatched services or exposed ports. Regularly audit and disable unnecessary services and close those ports you aren't using. Doing so will reduce points of entry and, you guessed it, harden your servers.
You could do this one yourself, but we're fans of automation over here (mostly because we're lazy). Calcom's server hardening suite is pretty awesome for this, but if you have the time and skills, taking the hands-on approach can be a fun learning experience.
Until next week. Let’s keep that zero-day count hardened at zero!